[PATCH 06/10] add example to generated and distribute MOK data

public inbox for isar-users@googlegroups.com
 help / color / mirror / Atom feed

From: Felix Moessbauer <felix.moessbauer@siemens.com>
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com,
	Felix Moessbauer <felix.moessbauer@siemens.com>
Subject: [PATCH 06/10] add example to generated and distribute MOK data
Date: Fri, 23 Dec 2022 08:40:54 +0000	[thread overview]
Message-ID: <20221223084058.1899957-7-felix.moessbauer@siemens.com> (raw)
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

This patch adds two recipes to easily handle a Machine Owner Key (MOK)
that can be used to sign kernel modules or other components.

The sb-mok-keys package generates a x509 certificate at build time and
adds both the certificate and the private key to a binary package.
This is implemented in a way that the source package does not contain
any keys, but only the binary package does. While this breaks
reproducability, this ensures that the keys never end up in a src
repository.

A second package sb-mok-public is provided to distribute the generated
key into the target image (to inject into EFI at runtime). This package
build-depends on the sb-mok-keys, but conflicts at runtime to make sure
that the private key cannot be installed into the target image (given
that the -public package is installed).

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 .../sb-mok-keys/files/Makefile.tmpl           | 27 +++++++++++++++++++
 .../sb-mok-keys/sb-mok-keys.bb                | 23 ++++++++++++++++
 .../sb-mok-public/files/rules                 | 12 +++++++++
 .../sb-mok-public/sb-mok-public.bb            | 17 ++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb

diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
new file mode 100644
index 0000000..b377c51
--- /dev/null
+++ b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
@@ -0,0 +1,27 @@
+# Base image recipe for ISAR
+#
+# This software is a part of ISAR.
+# Copyright (C) 2022 Siemens AG
+
+CN=${COMMON_NAME}
+
+all: create_key
+
+create_key:
+	mkdir MOK
+	openssl req -new -x509 -newkey rsa:2048 -keyout MOK/MOK.priv -outform DER -out MOK/MOK.der -nodes -days 36500 -subj "/CN=$(CN)/"
+	chmod 600 MOK/MOK.priv
+
+install:
+	install -d $(DESTDIR)/etc/sb-mok-keys/MOK
+	# note that this will later be changed by dh_fixperms
+	# this is also required so that the non-privileged sbuild
+	# user can read the file
+	install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/
+	install -m 644 MOK/MOK.der  $(DESTDIR)/etc/sb-mok-keys/MOK/
+
+clean:
+ifneq (,$(wildcard ./MOK/MOK.priv))
+	shred MOK/MOK.priv
+endif
+	rm -rf MOK
diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
new file mode 100644
index 0000000..6137834
--- /dev/null
+++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
@@ -0,0 +1,23 @@
+# Base image recipe for ISAR
+#
+# This software is a part of ISAR.
+# Copyright (C) 2022 Siemens AG
+
+inherit dpkg
+
+
+SRC_URI = "file://Makefile.tmpl"
+S = "${WORKDIR}/src"
+
+TEMPLATE_VARS = "COMMON_NAME"
+TEMPLATE_FILES = "Makefile.tmpl"
+
+DEBIAN_BUILD_DEPENDS .= ",openssl"
+# common name of x509 certificate used for signing
+COMMON_NAME = "ISAR Builder"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    cp ${WORKDIR}/Makefile ${S}
+    deb_debianize
+}
diff --git a/meta-isar/recipes-secureboot/sb-mok-public/files/rules b/meta-isar/recipes-secureboot/sb-mok-public/files/rules
new file mode 100644
index 0000000..305b443
--- /dev/null
+++ b/meta-isar/recipes-secureboot/sb-mok-public/files/rules
@@ -0,0 +1,12 @@
+#!/usr/bin/make -f
+# Base image recipe for ISAR
+#
+# This software is a part of ISAR.
+# Copyright (C) 2022 Siemens AG
+
+%:
+	dh $@
+
+override_dh_install:
+	install -d debian/sb-mok-public/etc/sb-mok-keys/MOK/
+	install -m 644 /etc/sb-mok-keys/MOK/MOK.der debian/sb-mok-public/etc/sb-mok-keys/MOK/MOK.der
diff --git a/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
new file mode 100644
index 0000000..46fdeed
--- /dev/null
+++ b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
@@ -0,0 +1,17 @@
+# Base image recipe for ISAR
+#
+# This software is a part of ISAR.
+# Copyright (C) 2022 Siemens AG
+
+inherit dpkg
+
+DEPENDS += "sb-mok-keys"
+DEBIAN_BUILD_DEPENDS .= ",sb-mok-keys"
+DEBIAN_CONFLICTS .= ",sb-mok-keys"
+
+SRC_URI = "file://rules"
+
+do_prepare_build[cleandirs] += "${S}/debian"
+do_prepare_build() {
+    deb_debianize
+}
-- 
2.34.1

next prev parent reply	other threads:[~2022-12-23  8:41 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-23  8:40 [PATCH 00/10] Add support for secureboot using Debian boot chain Felix Moessbauer
2022-12-23  8:40 ` [PATCH 01/10] wic: add option to use debian EFI shim Felix Moessbauer
2022-12-23  8:40 ` [PATCH 02/10] add debian sb chain bootloader dependencies Felix Moessbauer
2022-12-23  8:40 ` [PATCH 03/10] add example wic file for sb debian boot chain Felix Moessbauer
2022-12-23  8:40 ` [PATCH 04/10] style: split overlong line in module.inc Felix Moessbauer
2022-12-23  8:40 ` [PATCH 05/10] add support to sign kernel modules Felix Moessbauer
2022-12-23  8:40 ` Felix Moessbauer [this message]
2023-02-03  6:05   ` [PATCH 06/10] add example to generated and distribute MOK data Jan Kiszka
2022-12-23  8:40 ` [PATCH 07/10] add signed variant of example-module Felix Moessbauer
2022-12-23  8:40 ` [PATCH 08/10] add new machine qemuamd64-sb and corresponding mc Felix Moessbauer
2022-12-23  8:40 ` [PATCH 09/10] fix: only append kargs and extra_kargs if set Felix Moessbauer
2022-12-23  8:40 ` [PATCH 10/10] start_vm: add support for secureboot Felix Moessbauer
2023-01-27  5:07   ` Uladzimir Bely
2023-01-27  8:11     ` Moessbauer, Felix
2023-01-27  8:41       ` Florian Bezdeka
2023-01-27  9:10         ` Uladzimir Bely
2023-01-25  7:17 ` [PATCH 00/10] Add support for secureboot using Debian boot chain Uladzimir Bely

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221223084058.1899957-7-felix.moessbauer@siemens.com \
    --to=felix.moessbauer@siemens.com \
    --cc=christian.storm@siemens.com \
    --cc=isar-users@googlegroups.com \
    --cc=tobias.preclik@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox