@@ -43,24 +43,22 @@ executable or script with the following interface:
Supply the script name and path to wic by adding
`signwith=<path and name of the script to sign>"` to sourceparams of the partition.
-### Existing packages to sign an image
+### Existing key packages for signing an image
-#### ebg-secure-boot-snakeoil
+#### secure-boot-snakeoil
This package uses the snakeoil key and certificate from the ovmf package(0.0~20200229-2)
-backported from Debian bullseye and signs the image.
+backported from Debian bullseye for signing the image.
-#### ebg-secure-boot-secrets
-This package takes a user-generated certificate and adds it to the build system.
+#### secure-boot-key
+
+This package takes a user-generated certificate and key adds them to the build system.
The following variable and steps are necessary to build a secure boot capable image:
- Set certification information to sign and verify the image with:
- - SB_CERTDB: The directory containing the certificate database create with certutil
- - SB_VERIFY_CERT: The certificate to verify the signing process
- - SB_KEY_NAME: Name of the key in the certificate database
-- if necessary change the script to select the boot partition after an update
- - recipes-support/initramfs-config/files/initramfs.selectrootfs.script
+ - SB_CERT: The certificate to verify the signing process
+ - SB_KEY: The private key of for the certificate
-The files referred by SB_CERTDB and SB_VERIFY_CERT must be store in `recipes-devtools/ebg-secure-boot-secrets/files/`
+The files referred by SB_CERT and SB_KEY must be store in `recipes-devtools/secure-boot-secrets/files/`.
## Running in QEMU
@@ -96,7 +94,7 @@ scripts/generate-sb-db-from-existing-certificate.sh
```
This will create the directory `SB_KEYDIR` and will store the `${SB_NAME}certdb` with the given name.
-Copy the used certificate and database to `recipes-devtools/ebg-secure-boot-secrets/files/`
+Copy the used certificate and private key to `recipes-devtools/secure-boot-secrets/files/`
#### Generate keys
@@ -28,6 +28,7 @@ local_conf_header:
INITRAMFS_INSTALL_append = " initramfs-verity-hook"
secure-boot: |
- # Add snakeoil binaries for qemu
- IMAGER_BUILD_DEPS += "ebg-secure-boot-snakeoil"
- IMAGER_INSTALL += "ebg-secure-boot-snakeoil"
+ IMAGER_BUILD_DEPS += "ebg-secure-boot-signer"
+ IMAGER_INSTALL += "ebg-secure-boot-signer"
+ # Use snakeoil keys
+ PREFERRED_PROVIDER_secure-boot-secrets = "secure-boot-snakeoil"
deleted file mode 100644
@@ -1,51 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add user defined secureboot certifcates to the buildchroot and the script to \
- sign an image with the given keys"
-
-# variables
-SB_CERT_PATH = "/usr/share/ebg-secure-boot"
-SB_CERTDB ??= ""
-SB_VERIFY_CERT ??= ""
-SB_KEY_NAME ??= "demoDB"
-
-# used to sign the image
-DEBIAN_DEPENDS = "pesign, sbsigntool"
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-snakeoil"
-
-SRC_URI = " \
- file://sign_secure_image.sh.tmpl \
- file://control.tmpl"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERTDB') if d.getVar('SB_CERTDB') else '' }"
-SRC_URI_append = " ${@ "file://"+d.getVar('SB_VERIFY_CERT') if d.getVar('SB_VERIFY_CERT') else '' }"
-TEMPLATE_FILES = "sign_secure_image.sh.tmpl"
-TEMPLATE_VARS += "SB_CERT_PATH SB_CERTDB SB_VERIFY_CERT SB_KEY_NAME"
-
-TEMPLATE_FILES += "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
- TARGET=${D}${SB_CERT_PATH}
- install -m 0700 -d ${TARGET}
- cp -a ${WORKDIR}/${SB_CERTDB} ${TARGET}/${SB_CERTDB}
- chmod 700 ${TARGET}/${SB_CERTDB}
- install -m 0600 ${WORKDIR}/${SB_VERIFY_CERT} ${TARGET}/${SB_VERIFY_CERT}
- TARGET=${D}/usr/bin
- install -d ${TARGET}
- install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
deleted file mode 100644
@@ -1 +0,0 @@
-For a secure boot image this directory needs to contain the certdb directory and the db.crt file.
deleted file mode 100644
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
deleted file mode 100644
@@ -1,22 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
- echo "sign with debian snakeoil"
- echo "$0 signee signed"
- echo "signee: path to the image to be signed"
- echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
- usage
- exit 1
-fi
-
-pesign --force --verbose --padding -n ${SB_CERT_PATH}/${SB_CERTDB} -c "${SB_KEY_NAME}" -s -i $signee -o $signed
-sbverify --cert ${SB_CERT_PATH}/${SB_VERIFY_CERT} $signed
-exit 0
new file mode 100644
@@ -0,0 +1,26 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "Signing script for EFI Boot Guard setups"
+
+DEPENDS = "secure-boot-secrets"
+DEBIAN_DEPENDS = "sbsigntool, secure-boot-secrets"
+
+SRC_URI = "file://sign_secure_image.sh"
+
+do_install() {
+ TARGET=${D}/usr/bin
+ install -d ${TARGET}
+ install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
+}
new file mode 100644
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2020-2022
+#
+# Authors:
+# Quirin Gylstorff <quirin.gylstorff@siemens.com>
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+set -e
+
+signee=$1
+signed=$2
+
+usage(){
+ echo "sign with image keys"
+ echo "$0 signee signed"
+ echo "signee: path to the image to be signed"
+ echo "signed: path to store the signed image"
+}
+
+if [ -z "$signee" ] || [ -z "$signed" ]; then
+ usage
+ exit 1
+fi
+
+keydir=/usr/share/secure-boot-secrets
+
+sbsign --key ${keydir}/secure-boot.key --cert ${keydir}/secure-boot.pem --output $signed $signee
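Review bot: The new script signs but no longer verifies the result; both deleted signing scripts ended with an `sbverify --cert … $signed` step, and without it a corrupted or mismatched key/certificate pair is only discovered at boot. Add `sbverify --cert "${keydir}/secure-boot.pem" "$signed"` after the sbsign line so the build fails when the signature does not validate against the shipped certificate. The last line should also quote its expansions, `sbsign --key "${keydir}/secure-boot.key" --cert "${keydir}/secure-boot.pem" --output "$signed" "$signee"`, since signee and signed are caller-supplied paths and an unquoted value containing whitespace would be word-split.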
deleted file mode 100644
@@ -1,34 +0,0 @@
-#
-# CIP Core, generic profile
-#
-# Copyright (c) Siemens AG, 2020
-#
-# Authors:
-# Quirin Gylstorff <quirin.gylstorff@siemens.com>
-#
-# SPDX-License-Identifier: MIT
-#
-
-inherit dpkg-raw
-
-DESCRIPTION = "Add script to sign for secure boot with the debian snakeoil keys"
-# used to sign the image
-DEBIAN_DEPENDS = "pesign, sbsigntool, ovmf, openssl, libnss3-tools"
-
-
-# this package cannot be install together with:
-DEBIAN_CONFLICTS = "ebg-secure-boot-secrets"
-
-SRC_URI = "file://sign_secure_image.sh \
- file://control.tmpl"
-
-TEMPLATE_FILES = "control.tmpl"
-TEMPLATE_VARS += "PN MAINTAINER DPKG_ARCH DEBIAN_DEPENDS DESCRIPTION DEBIAN_CONFLICTS"
-
-do_install() {
- TARGET=${D}/usr/bin
- install -d ${TARGET}
- install -m 755 ${WORKDIR}/sign_secure_image.sh ${TARGET}/sign_secure_image.sh
-}
-
-addtask do_install after do_transform_template
deleted file mode 100644
@@ -1,12 +0,0 @@
-Source: ${PN}
-Section: misc
-Priority: optional
-Standards-Version: 3.9.6
-Maintainer: ${MAINTAINER}
-Build-Depends: debhelper (>= 9)
-
-Package: ${PN}
-Architecture: ${DPKG_ARCH}
-Depends: ${DEBIAN_DEPENDS}
-Description: ${DESCRIPTION}
-Conflicts: ${DEBIAN_CONFLICTS}
deleted file mode 100644
@@ -1,36 +0,0 @@
-#!/bin/sh
-set -e
-set -x
-signee=$1
-signed=$2
-
-usage(){
- echo "sign with debian snakeoil"
- echo "$0 signee signed"
- echo "signee: path to the image to be signed"
- echo "signed: path to store the signed image"
-}
-
-
-if [ -z "$signee" ] || [ -z "$signed" ]; then
- usage
- exit 1
-fi
-
-name=snakeoil
-keydir=$(mktemp -d)
-inkey=/usr/share/ovmf/PkKek-1-snakeoil.key
-incert=/usr/share/ovmf/PkKek-1-snakeoil.pem
-nick_name=snakeoil
-TMP=$(mktemp -d)
-mkdir -p ${keydir}/${name}certdb
-certutil -N --empty-password -d ${keydir}/${name}certdb
-openssl pkcs12 -export -passin pass:"snakeoil" -passout pass: -out ${TMP}/foo_key.p12 -inkey $inkey -in $incert -name $nick_name
-pk12util -W "" -i ${TMP}/foo_key.p12 -d ${keydir}/${name}certdb
-cp $incert ${keydir}/$(basename $incert)
-rm -rf $TMP
-
-pesign --force --verbose --padding -n ${keydir}/${name}certdb -c "$nick_name" -s -i $signee -o $signed
-sbverify --cert $incert $signed
-rm -rf $keydir
-exit 0
new file mode 100644
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
new file mode 100644
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL
+BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG
+b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY
+DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh
+ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ
+boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1
+wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx
++L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy
+I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u
+Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB
+AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW
+gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE
+sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac
+HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS
+JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M
+3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h
+pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY
+-----END CERTIFICATE-----
new file mode 100644
@@ -0,0 +1,14 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+DEBIAN_CONFLICTS = "secure-boot-snakeoil"
new file mode 100644
@@ -0,0 +1,34 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+PROVIDES += "secure-boot-secrets"
+
+SB_KEY ??= ""
+SB_CERT ??= ""
+
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_KEY') if d.getVar('SB_KEY') else '' }"
+SRC_URI_append = " ${@ "file://"+d.getVar('SB_CERT') if d.getVar('SB_CERT') else '' }"
+
+do_install() {
+ if [ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]; then
+ bbfatal "You must set SB_KEY and SB_CERT and provide the required files as artifacts to this recipe"
+ fi
+ TARGET=${D}/usr/share/secure-boot-secrets
+ install -d -m 0700 ${TARGET}
+ install -m 0700 ${WORKDIR}/${SB_KEY} ${TARGET}/secure-boot.key
+ install -m 0700 ${WORKDIR}/${SB_CERT} ${TARGET}/secure-boot.pem
+}
+
+do_prepare_build_append() {
+ echo "Provides: secure-boot-secrets" >> ${S}/debian/control
+}
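Review bot: The emptiness tests in do_install are unquoted, `[ -z ${SB_KEY} ] || [ -z ${SB_CERT} ]`; with an empty value this collapses to `[ -z ]`, which happens to evaluate true, but a value containing whitespace turns into a test syntax error instead of the intended bbfatal. Quote both operands: `if [ -z "${SB_KEY}" ] || [ -z "${SB_CERT}" ]; then`. The key and certificate are installed with mode 0700 although they are data files, not executables; the recipe this replaces used `install -m 0600` for the certificate, and `install -m 0600` is the appropriate mode for both here since the 0700 directory already restricts traversal. The `echo "Provides: …" >> ${S}/debian/control` in do_prepare_build_append assumes the binary package stanza is the last one in the file with no trailing blank line; if that assumption is not guaranteed by dpkg-raw, the appended line would open a new, invalid stanza, so a short comment stating the assumption would help the next maintainer.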
new file mode 100644
@@ -0,0 +1,17 @@
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2022
+#
+# Authors:
+# Jan Kiszka <jan.kiszka@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+
+require secure-boot-secrets.inc
+
+SB_KEY = "PkKek-1-snakeoil.key"
+SB_CERT = "PkKek-1-snakeoil.pem"
+
+DEBIAN_CONFLICTS = "secure-boot-key"
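Review bot: This recipe ships a private key under the name PkKek-1-snakeoil.key, which the deleted script read from /usr/share/ovmf/ as the Debian ovmf snakeoil key, so the key material is publicly distributed and anyone can produce signatures that validate against its certificate. The recipe carries no comment saying so, which matters because it is selected through PREFERRED_PROVIDER_secure-boot-secrets and could be picked for a non-development build by mistake. Add above the SB_KEY line `# Debian/ovmf snakeoil test key pair: publicly known, for QEMU/development builds only` so the provider choice is self-explanatory.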