From d5754cbe76d63f07b19daa50640c0fe6af3fb08f Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Fri, 10 Feb 2023 10:56:36 +0800
Subject: [PATCH] secure boot: move pub keys to this git repo

New git repo cgcs-root/public-keys is available now for public keys used in secure boot process. This commit moves below keys to this git repo:
boot_pub_key tis-boot.crt tis-shim.der TiBoot.crt
Please pay attention to that tis-boot.crt(pem) and TiBoot.crt(der) are the same pub key with different formats in fact, which are used in different user cases.
Test plan:
The tests are done with all the changes which involve public-keys/integ/root repos for this enhancement about pub keys.
- PASS: rebuild gurb-efi/efitools/shim packages;
- PASS: follow the process to build iso image for secure boot;
- PASS: installation test on AIO-DX lab with secure boot enabled;
- PASS: check that the CERTS/TiBoot.crt in the disk mounted from the efi.img in the iso image is same with the one in this git repo.
Story: 2009221
Task: 47358
Signed-off-by: Li Zhou
Change-Id: I540875293548d4b3e191ea50445ad4dfc5d53a51
---
README | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++
TiBoot.crt | Bin 0 -> 830 bytes
boot_pub_key | Bin 0 -> 1172 bytes
tis-boot.crt | 20 ++++++++++++++++++
tis-shim.der | Bin 0 -> 865 bytes
5 files changed, 76 insertions(+)
create mode 100644 README
create mode 100644 TiBoot.crt
create mode 100644 boot_pub_key
create mode 100644 tis-boot.crt
create mode 100644 tis-shim.der

diff --git a/README b/README
new file mode 100644
index 0000000..47011c0
--- /dev/null
+++ b/README
@@ -0,0 +1,56 @@
+ The keys under this directory are the public keys used in
+the verification process of secure boot process for StarlingX
+debian.
+
+Keys Introduction:
+ tis-boot.crt: it is the public key flashed into BIOS to verify
+ bootx64.efi (signed shim image shimx64.efi) and mmx64.efi
+ (signed shim tool image);
+ tis-shim.der: it is the public key used by shim to verify
+ grubx64.efi (signed grub image);
+ boot_pub_key: it is the public key used by grub to verify signed
+ kernel image and initramfs image and efitools image and so on.
+ TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
+ der format. It is installed as /CERTS/TiBoot.crt in the efi.img
+ which is in the iso image.
+
+The following ways can be used to create substitute keys:
+(1)example to create tis-boot.crt/TiBoot.crt
+openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
+openssl x509 -inform der -in BOOT.der -out BOOT.pem
+cp BOOT.pem tis-boot.crt
+cp BOOT.priv tis-boot.key
+cp BOOT.der TiBoot.crt
+The tis-boot.crt and tis-boot.key are used to sign images mentioned above.
+
+The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.
+
+(2)example to create boot_pub_key
+************
+#!/bin/bash
+key_dir="./"
+priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
+pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
+name_real="SecureBootCore"
+pw="PASSWORD"
+USE_PW="Passphrase: PASSWORD"
+
+cat >"${key_dir}/gen_keyring" < "${pub_key}"
+gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
+gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
+************
+The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.
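Review bot: The key-generation example in the README hands the GPG passphrase to gpg on the command line (`--passphrase "${pw}"`), where it is visible to every local user through the process list, and seeds it with the literal `pw="PASSWORD"`; it should be read from a descriptor or file instead, e.g. `gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase-fd 0 --armor "${name_real}" > "${priv_key}" <<<"${pw}"`, with `pw` obtained from a prompt (`read -rs pw`) or the environment rather than hard-coded. The last export leaves its redirect target unquoted (`> ${key_dir}/boot_pub_key`), unlike the lines above it, so a key_dir containing whitespace would misbehave; `> "${key_dir}/boot_pub_key"` fixes it. The line `cat >"${key_dir}/gen_keyring" < "${pub_key}"` looks like a here-document whose body did not survive this rendering (the hunk header promises 56 lines but far fewer are visible), so the script in the repository should be confirmed complete before it is relied on. Since this repository is meant to hold only public keys, a sentence stating that tis-boot.key and BOOT-GPG-PRIVKEY-SecureBootCore must never be committed here and must stay in the signing infrastructure would also help.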
diff --git a/TiBoot.crt b/TiBoot.crt new file mode 100644 index 0000000000000000000000000000000000000000..2b30d2daa4ae4cc1f2c1369c7a3ef96dfab7d09e GIT binary patch literal 830 zcmXqLVzx49Vp3w_WLRGED?cu6EwceH8>d#AN85K^Mn+av27`D*ZUas>=1>+kVJ2rs zLjeOm5Ql?@-9N7+u_!a&kRPZ6D8kOe=3i2hSe|GoZy*a2;NlSr&&*3v2+Ax=Em8=s zEG|jSEmrW%OE%;&-~uUN=3x%W3^tGx=QT7lG%_$WG&i+0Hi#1EH8L|aG_r(pY43n0 zMkQoVGqN%;H!<=v7&I|*F*PwVG8|)xUA+1HwC{5lf88H#%e1U|Zf4a?+p}?1C8bLf zYS{f3Z*=E85x8vE`NrET5*%xmTZJu?c(VTd46`3sO&=(8F6QG&|8VC=*nW+YHGh;2 zUztAnv&&s?ku}xc4^lU8dSuNnDUc@o`eR+|Dmq?T{FLOkjIJB(w9`GgEEzy&HvUuIyfXVAYfE^w#%04SmaNzGyG6N^rT- zw)>dKmy)LVDb3}-K4iQKJezB z&61}LbA2Yv>n)UCvagM8R+JYh`Yg!6D`E zUYcg9qAn%Nk}RyQ=5M!YTpN_7^1t*=k>>vi+l!tVzMJ5(aC*}bQ7IpWI)?+))z|fn6?~5H!sQ+_FECHM_+Pd( zC{6+{%UTfROND({H|kdpJsGh#-!=CPZVOz*8i!v1mNXm@-gE43y`I+p;T3GnOTai{ zVy#a2=_%#k=&|`+nCL*cwjgz@F9xBUa>Vh(Hl+@E{>0bGl7=;FORhJ)O8b8ML|*nV zXm$$9I_2MFhh-8l_bC+yxu!$8a@#&l?7t!3-VDy53KqFdruS}RK92$O{dS)bH=4rrU?U9 zxUkaiC&&ChWT#p%rpf8U9uXP z0vj&{3ke7Z0tOWd2?z@U1Qr4V0RkQY0vCV)3JDONFoyYV?#whaSr7oNA!(IEtY=S| zfMYi$wAIz03H*b(SfY%rA^|wICE^Jn-j4C_HHAmFY-(Gvjs~t+FzEBystdgcx!@M+B>C+Q^k*A+tE8o zoQcGF-kbL)#dzKP0_7XIj96(URNeL8V#>_O61`nrw9{mdtncpHb`R?jMc?(xKDi1# z8G)i$eV#sKyXx^bk2`T_?O0h}|FD>c*&uO^-u#PLWJPgaNNztQuGyz{JU$0AskQLF z)FQUAzkr4w@+d}VMZk7VCd2U))gbus`>XRJjMReeB6j0dsagz2f=peeOEwF*=Bbq~ z1D%oP?%N3QJ_&Uqg_}pS9oMNT2a2mmcG`5^p53oN{{Wddqp|9}O38V3hBtxDmj3@T zoIZJYs|=}$_rRDEo?u`SVnP-(K6I0~zjR`%IGunrxq_3+bjpt-a@ZU>sg*@w$rWvE zZXdlIceo1=$k);ZI~)$19R0@57H|t9uPkOYt5HjDO0kV|s39x>pKb9rzT?PpjRS&~ z$d5vN`+Zz=lUQPkSNX$I*s9pu`;(vMMP+R!_BMWm%4 m_s`iFw1Pp#3Gb}qR}3Ni>D4SibV3zS&>6{Lj!&(Dse)>aE-)wn literal 0 HcmV?d00001 diff --git a/tis-boot.crt b/tis-boot.crt new file mode 100644 index 0000000..2bb80ca --- /dev/null +++ b/tis-boot.crt 
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD
+QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX
+aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1
+OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250
+YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl
+bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb
+qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl
+s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8
+wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX
+xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD
+d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ
+Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd
+beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG
+7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI
+0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F
+cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis
+a16FUsgrac0uAQa55IQ=
+-----END CERTIFICATE-----
diff --git a/tis-shim.der b/tis-shim.der
new file mode 100644
index 0000000000000000000000000000000000000000..b29ee11b6a17d85aa32f00a3507b5e31b75806fd
GIT binary patch
literal 865
zcmXqLVvaRvVsc%;%*4pV#L2LB?zEa&>?(W)ylk9WZ60mkc^MhGSs4sm4Y>_C*_cCF z*o2v!9SwyI1VJ1Q9R;-@XdWy*;BwAtm9dR6}p(H(~E9 %h_k<^{0n@Fx~f3sQ0O%RpZSW+`=rO^RGLet2LhMR8*~a@U-2v-+4>@k4@hgs-yiZ z=<+9p&0U8?dx~7XCiso1zp%J?{Mc8FR^kmt^grh#?9qj%c zeUtU_`L~8`%&PpSiwm3it5oKAv-^EX6>O5$imJ?=bD_@t;{lh&i1{9 zBm0WRoWI|fsTSM_+VxH4Q;&GmI`3vFE%jyZqui^yH=N+PeeO@teU8%X6|-*d)LZr0 zXm#HAPj2`7QUm6mW&ZlQ;F;UBMGwvdocI}?w&BRJQ!GK}XU*!7iq!Mw)APD;XsxyqXXQxd@6lIZuweP!-W`06LI8|pSDF9-
literal 0
HcmV?d00001
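Review bot: tis-boot.crt decodes as a self-signed X.509 v1 certificate (C=CA, O=Wind River Systems Inc, CN=TiS) carrying a 2048-bit RSA key, signed with sha1WithRSAEncryption and valid from 2016-12-01 to 2026-11-29, yet nothing in the repository records that expiry or the algorithm. As a db trust anchor its own SHA-1 signature is not verified, so that alone is not a weakness, and UEFI firmware generally does not enforce validity periods on db entries, but whether shim or any other consumer of this certificate checks notAfter should be confirmed and a rotation planned well before November 2026; a README line such as `tis-boot.crt / TiBoot.crt: self-signed, sha1WithRSAEncryption, expires 2026-11-29 -- schedule key rotation before then` would make this visible. The commit asserts that TiBoot.crt is the DER form of this same certificate; pinning that with `openssl x509 -in tis-boot.crt -outform der | cmp - TiBoot.crt` in the README or CI would catch the two files drifting apart, which the current documentation does not anticipate. tis-shim.der arrives here as a binary hunk and its contents could not be reviewed.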