secure boot: move pub keys to this git repo
New git repo cgcs-root/public-keys is available now for public
keys used in secure boot process.
This commit moves below keys to this git repo:
boot_pub_key
tis-boot.crt
tis-shim.der
TiBoot.crt
Please pay attention to that tis-boot.crt(pem) and TiBoot.crt(der)
are the same pub key with different formats in fact, which are used
in different user cases.
Test plan:
The tests are done with all the changes which involve
public-keys/integ/root repos for this enhancement about pub keys.
- PASS: rebuild gurb-efi/efitools/shim packages;
- PASS: follow the process to build iso image for secure boot;
- PASS: installation test on AIO-DX lab with secure boot enabled;
- PASS: check that the CERTS/TiBoot.crt in the disk mounted from
the efi.img in the iso image is same with the one in
this git repo.
Story: 2009221
Task: 47358
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I540875293548d4b3e191ea50445ad4dfc5d53a51
This commit is contained in:
Li Zhou
Scott Little
parent
11a071fac6
commit
d5754cbe76
56
README
Normal file
56
README
Normal file
@ -0,0 +1,56 @@
|
||||
The keys under this directory are the public keys used in
|
||||
the verification process of secure boot process for StarlingX
|
||||
debian.
|
||||
|
||||
Keys Introduction:
|
||||
tis-boot.crt: it is the public key flashed into BIOS to verify
|
||||
bootx64.efi (signed shim image shimx64.efi) and mmx64.efi
|
||||
(signed shim tool image);
|
||||
tis-shim.der: it is the public key used by shim to verify
|
||||
grubx64.efi (signed grub image);
|
||||
boot_pub_key: it is the public key used by grub to verify signed
|
||||
kernel image and initramfs image and efitools image and so on.
|
||||
TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
|
||||
der format. It is installed as /CERTS/TiBoot.crt in the efi.img
|
||||
which is in the iso image.
|
||||
|
||||
The following ways can be used to create substitute keys:
|
||||
(1)example to create tis-boot.crt/TiBoot.crt
|
||||
openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
|
||||
openssl x509 -inform der -in BOOT.der -out BOOT.pem
|
||||
cp BOOT.pem tis-boot.crt
|
||||
cp BOOT.priv tis-boot.key
|
||||
cp BOOT.der TiBoot.crt
|
||||
The tis-boot.crt and tis-boot.key are used to sign images mentioned above.
|
||||
|
||||
The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.
|
||||
|
||||
(2)example to create boot_pub_key
|
||||
************
|
||||
#!/bin/bash
|
||||
key_dir="./"
|
||||
priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
|
||||
pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
|
||||
name_real="SecureBootCore"
|
||||
pw="PASSWORD"
|
||||
USE_PW="Passphrase: PASSWORD"
|
||||
|
||||
cat >"${key_dir}/gen_keyring" <<EOF
|
||||
Key-Type: RSA
|
||||
Key-Length: 4096
|
||||
Name-Real: ${name_real}
|
||||
Name-Comment: EXAMPLE
|
||||
Name-Email: a@b.com
|
||||
Expire-Date: 0
|
||||
${USE_PW}
|
||||
%commit
|
||||
%echo keyring ${name_real} created
|
||||
EOF
|
||||
|
||||
gpg --homedir "${key_dir}" --batch --yes --gen-key "${key_dir}/gen_keyring"
|
||||
gpg --homedir "${key_dir}" -k
|
||||
gpg --homedir "${key_dir}" --export --armor "${name_real}" > "${pub_key}"
|
||||
gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
|
||||
gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
|
||||
************
|
||||
The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.
|
||||
BIN
TiBoot.crt
Normal file
BIN
TiBoot.crt
Normal file
Binary file not shown.
BIN
boot_pub_key
Normal file
BIN
boot_pub_key
Normal file
Binary file not shown.
20
tis-boot.crt
Normal file
20
tis-boot.crt
Normal file
@ -0,0 +1,20 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDOjCCAiICCQCndPpvXmatAzANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJD
|
||||
QTEQMA4GA1UECAwHT250YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZX
|
||||
aW5kIFJpdmVyIFN5c3RlbXMgSW5jMQwwCgYDVQQDDANUaVMwHhcNMTYxMjAxMTc1
|
||||
OTMwWhcNMjYxMTI5MTc1OTMwWjBfMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250
|
||||
YXJpbzEPMA0GA1UEBwwGT3R0YXdhMR8wHQYDVQQKDBZXaW5kIFJpdmVyIFN5c3Rl
|
||||
bXMgSW5jMQwwCgYDVQQDDANUaVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
||||
AoIBAQDGBF2js8+W952j9b9bPQKme51pepk9zV56dHWlYHwHT6OxRwnIUaa6z4Hb
|
||||
qGBBfKc6VqYY5K/PmDb41TXgIwmjDgxn8Nz4Vr8odKz8IsPUl5PzRN1LFKx7S+Bl
|
||||
s7LiOw8ZEGYT68VdYp+hwGhas7r2/jFd8K7od/fcmQkPUQyqeZAA+F9gcQNuXlh8
|
||||
wFID0d3ek4jmiCj4AcOHCiFeg/gz21dKHdpl0/WQ3NiDASghuvE22lZGz6SrQGFX
|
||||
xhC3UFkDQ83MlT1vS4ESfNS7o8Cq5Itnhe8MgI6nfPQrp3pgRNSGu8YU9HSCX5SD
|
||||
d/rwaOpVzQtsmI1hj7BouTuwVrhNAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAAkZ
|
||||
Mwub8wHuY7hfpw+q3YjksYQvWVErgH3I5Bs6GQpGhat1t1XnFrD17vrif9ri7sbd
|
||||
beaISeyk5YCdTJCejXEbpL6GBppaSghtP9wAKtKLzlAz6Ta1GhSzKSVXdHl/JUVG
|
||||
7n7gwiP3Sik2ZRVEdKZiODrVb7c8ga1SaiT/dexyKf+Qt3LmMe6QRKGXgsQVSgoI
|
||||
0O1WTzpAJRZa1Z6lMOlzpho7rYdAlSIA0tydxx8rOykIPHRItnW/p79WsoQp646F
|
||||
cS1ZaZ5XXRtgaO6AAZ+BKJGnie/xl1sNYah7quASYGwADzUpnN4QeiS92YN26eis
|
||||
a16FUsgrac0uAQa55IQ=
|
||||
-----END CERTIFICATE-----
|
||||
BIN
tis-shim.der
Normal file
BIN
tis-shim.der
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user