From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com, Felix Moessbauer
Subject: [PATCH 06/10] add example to generate and distribute MOK data
Date: Fri, 23 Dec 2022 08:40:54 +0000
Message-Id: <20221223084058.1899957-7-felix.moessbauer@siemens.com>
In-Reply-To: <20221223084058.1899957-1-felix.moessbauer@siemens.com>
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com>

This patch adds two recipes to easily handle a Machine Owner Key (MOK) that can be used to sign kernel modules or other components.

The sb-mok-keys package generates an x509 certificate at build time and adds both the certificate and the private key to a binary package. This is implemented in a way that the source package does not contain any keys, but only the binary package does. While this breaks reproducibility, this ensures that the keys never end up in a src repository.

A second package sb-mok-public is provided to distribute the generated key into the target image (to inject into EFI at runtime). This package build-depends on the sb-mok-keys, but conflicts at runtime to make sure that the private key cannot be installed into the target image (given that the -public package is installed).

Signed-off-by: Felix Moessbauer
---
 .../sb-mok-keys/files/Makefile.tmpl | 27 +++++++++++++++++++
 .../sb-mok-keys/sb-mok-keys.bb      | 23 ++++++++++++++++
 .../sb-mok-public/files/rules       | 12 +++++++++
 .../sb-mok-public/sb-mok-public.bb  | 17 ++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
 create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl new file mode 100644 index 0000000..b377c51 --- /dev/null +++ b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl @@ -0,0 +1,27 @@ +# Base image recipe for ISAR +# +# This software is a part of ISAR. +# Copyright (C) 2022 Siemens AG + +CN=${COMMON_NAME} + +all: create_key + +create_key: + mkdir MOK + openssl req -new -x509 -newkey rsa:2048 -keyout MOK/MOK.priv -outform DER -out MOK/MOK.der -nodes -days 36500 -subj "/CN=$(CN)/" + chmod 600 MOK/MOK.priv + +install: + install -d $(DESTDIR)/etc/sb-mok-keys/MOK + # note that this will later be changed by dh_fixperms + # this is also required so that the non-privileged sbuild + # user can read the file + install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/ + install -m 644 MOK/MOK.der $(DESTDIR)/etc/sb-mok-keys/MOK/ + +clean: +ifneq (,$(wildcard ./MOK/MOK.priv)) + shred MOK/MOK.priv +endif + rm -rf MOK diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb new file mode 100644 index 0000000..6137834 --- /dev/null +++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb @@ -0,0 +1,23 @@ +# Base image recipe for ISAR +# +# This software is a part of ISAR. +# Copyright (C) 2022 Siemens AG + +inherit dpkg + + +SRC_URI = "file://Makefile.tmpl" +S = "${WORKDIR}/src" + +TEMPLATE_VARS = "COMMON_NAME" +TEMPLATE_FILES = "Makefile.tmpl" + +DEBIAN_BUILD_DEPENDS .= ",openssl" +# common name of x509 certificate used for signing +COMMON_NAME = "ISAR Builder" + +do_prepare_build[cleandirs] += "${S}/debian" +do_prepare_build() { + cp ${WORKDIR}/Makefile ${S} + deb_debianize +} diff --git a/meta-isar/recipes-secureboot/sb-mok-public/files/rules b/meta-isar/recipes-secureboot/sb-mok-public/files/rules new file mode 100644 index 0000000..305b443 --- /dev/null 
+++ b/meta-isar/recipes-secureboot/sb-mok-public/files/rules @@ -0,0 +1,12 @@ +#!/usr/bin/make -f +# Base image recipe for ISAR +# +# This software is a part of ISAR. +# Copyright (C) 2022 Siemens AG + +%: + dh $@ + +override_dh_install: + install -d debian/sb-mok-public/etc/sb-mok-keys/MOK/ + install -m 644 /etc/sb-mok-keys/MOK/MOK.der debian/sb-mok-public/etc/sb-mok-keys/MOK/MOK.der diff --git a/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb new file mode 100644 index 0000000..46fdeed --- /dev/null +++ b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb @@ -0,0 +1,17 @@ +# Base image recipe for ISAR +# +# This software is a part of ISAR. +# Copyright (C) 2022 Siemens AG + +inherit dpkg + +DEPENDS += "sb-mok-keys" +DEBIAN_BUILD_DEPENDS .= ",sb-mok-keys" +DEBIAN_CONFLICTS .= ",sb-mok-keys" + +SRC_URI = "file://rules" + +do_prepare_build[cleandirs] += "${S}/debian" +do_prepare_build() { + deb_debianize +} -- 2.34.1
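Review bot: in the install target of Makefile.tmpl the private key is copied with `install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/` right after create_key applied `chmod 600 MOK/MOK.priv`, and the comment defers tightening the mode to dh_fixperms, but nothing in this patch sets it back to 0600, so MOK.priv ships world-readable inside the sb-mok-keys binary package unless something else adjusts it; an explicit chmod 600 in the packaging (for example an override_dh_fixperms) or a comment stating the intended final mode would make this auditable. Two smaller points: `mkdir MOK` fails if create_key is invoked a second time in the same tree, `mkdir -p MOK` would be safer, and the header comment "Base image recipe for ISAR" is copied from another file and does not describe this Makefile.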
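Review bot: sb-mok-keys.bb lacks any description of what the resulting binary package contains; since it carries the private MOK key and is regenerated on every build (as the commit message acknowledges), a comment in the recipe stating that the package is build-host only and must never be added to a target image would be worth more than the copied "Base image recipe for ISAR" header. The comment above COMMON_NAME is fine, but a note that it is the only template variable consumed by Makefile.tmpl would help the next reader.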
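Review bot: files/rules is added with mode 100644 while debian/rules has to be executable; confirm that deb_debianize sets the executable bit when it copies the file, otherwise chmod it in do_prepare_build. The override_dh_install reads the certificate from the absolute path /etc/sb-mok-keys/MOK/MOK.der, i.e. from the sb-mok-keys package installed into the build chroot via the build-dependency, which works but couples the two recipes on that path, so a short comment saying where the file comes from would help; the "Base image recipe for ISAR" header applies here as well.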
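Review bot: `DEBIAN_CONFLICTS .= ",sb-mok-keys"` only prevents the two binary packages from being co-installed; it does not stop sb-mok-keys from being listed in IMAGE_INSTALL on its own, so the private key can still reach an image if a downstream layer installs the -keys package directly. A comment in sb-mok-public.bb (or the layer's README) stating that only sb-mok-public is meant for images would close that gap in documentation. The duplicated `DEPENDS += "sb-mok-keys"` and `DEBIAN_BUILD_DEPENDS .= ",sb-mok-keys"` are both needed (bitbake task ordering versus the sbuild build-dependency); a one-line comment would save the reader the question.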