From: Jan Kiszka <jan.kiszka@siemens.com>
To: Felix Moessbauer <felix.moessbauer@siemens.com>,
isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com
Subject: Re: [PATCH 06/10] add example to generated and distribute MOK data
Date: Fri, 3 Feb 2023 07:05:50 +0100
Message-ID: <64b13300-e0d8-b362-e1d4-f90f91d7b84d@siemens.com>
In-Reply-To: <20221223084058.1899957-7-felix.moessbauer@siemens.com>
On 23.12.22 09:40, Felix Moessbauer wrote:
> This patch adds two recipes to easily handle a Machine Owner Key (MOK)
> that can be used to sign kernel modules or other components.
>
> The sb-mok-keys package generates an x509 certificate at build time and
> adds both the certificate and the private key to a binary package.
> This is implemented in a way that the source package does not contain
> any keys, but only the binary package does. While this breaks
> reproducibility, this ensures that the keys never end up in a src
> repository.
It's still not usable in case of externally managed keys (security
tokens, trust centers etc.). This should be made clear, and we still
need to invent a pattern for such cases which are more common in production.
Jan
>
> A second package sb-mok-public is provided to distribute the generated
> key into the target image (to inject into EFI at runtime). This package
> build-depends on the sb-mok-keys, but conflicts at runtime to make sure
> that the private key cannot be installed into the target image (given
> that the -public package is installed).
>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
> .../sb-mok-keys/files/Makefile.tmpl | 27 +++++++++++++++++++
> .../sb-mok-keys/sb-mok-keys.bb | 23 ++++++++++++++++
> .../sb-mok-public/files/rules | 12 +++++++++
> .../sb-mok-public/sb-mok-public.bb | 17 ++++++++++++
> 4 files changed, 79 insertions(+)
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules
> create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
>
> diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
> new file mode 100644
> index 0000000..b377c51
> --- /dev/null
> +++ b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl
> @@ -0,0 +1,27 @@
> +# Base image recipe for ISAR
> +#
> +# This software is a part of ISAR.
> +# Copyright (C) 2022 Siemens AG
> +
> +CN=${COMMON_NAME}
> +
> +all: create_key
> +
> +create_key:
> + mkdir MOK
> + openssl req -new -x509 -newkey rsa:2048 -keyout MOK/MOK.priv -outform DER -out MOK/MOK.der -nodes -days 36500 -subj "/CN=$(CN)/"
> + chmod 600 MOK/MOK.priv
> +
> +install:
> + install -d $(DESTDIR)/etc/sb-mok-keys/MOK
> + # note that this will later be changed by dh_fixperms
> + # this is also required so that the non-privileged sbuild
> + # user can read the file
> + install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/
> + install -m 644 MOK/MOK.der $(DESTDIR)/etc/sb-mok-keys/MOK/
> +
> +clean:
> +ifneq (,$(wildcard ./MOK/MOK.priv))
> + shred MOK/MOK.priv
> +endif
> + rm -rf MOK
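Review bot: the private key ends up world-readable in the binary package. `create_key` does `chmod 600 MOK/MOK.priv`, but `install` then copies it with `install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/`, and the comment's expectation that dh_fixperms will later change this does not hold: dh_fixperms normalises regular files to 0644 and only strips write bits, it never removes read bits. If the unprivileged sbuild user has to read the staged key, restore the tight mode afterwards instead, e.g. with an `override_dh_fixperms` that runs `dh_fixperms` and then `chmod 600 debian/sb-mok-keys/etc/sb-mok-keys/MOK/MOK.priv`. Two smaller points: `mkdir MOK` without `-p` makes `create_key` fail on a second run in the same tree, and the header `# Base image recipe for ISAR` is copy-pasted and does not describe this Makefile.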
> diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
> new file mode 100644
> index 0000000..6137834
> --- /dev/null
> +++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb
> @@ -0,0 +1,23 @@
> +# Base image recipe for ISAR
> +#
> +# This software is a part of ISAR.
> +# Copyright (C) 2022 Siemens AG
> +
> +inherit dpkg
> +
> +
> +SRC_URI = "file://Makefile.tmpl"
> +S = "${WORKDIR}/src"
> +
> +TEMPLATE_VARS = "COMMON_NAME"
> +TEMPLATE_FILES = "Makefile.tmpl"
> +
> +DEBIAN_BUILD_DEPENDS .= ",openssl"
> +# common name of x509 certificate used for signing
> +COMMON_NAME = "ISAR Builder"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> + cp ${WORKDIR}/Makefile ${S}
> + deb_debianize
> +}
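Review bot: the header comment `# Base image recipe for ISAR` is copied from an image recipe and misdescribes this package; a DESCRIPTION is also missing, so the resulting sb-mok-keys .deb does not say that it carries a private key. Given the remark above that externally managed keys (tokens, trust centers) are the common production case, the recipe should state in a comment that it unconditionally generates a throw-away key pair at build time (`COMMON_NAME = "ISAR Builder"`, 100-year validity per the Makefile) and is an example only, as the subject line says, rather than a pattern for production signing.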
> diff --git a/meta-isar/recipes-secureboot/sb-mok-public/files/rules b/meta-isar/recipes-secureboot/sb-mok-public/files/rules
> new file mode 100644
> index 0000000..305b443
> --- /dev/null
> +++ b/meta-isar/recipes-secureboot/sb-mok-public/files/rules
> @@ -0,0 +1,12 @@
> +#!/usr/bin/make -f
> +# Base image recipe for ISAR
> +#
> +# This software is a part of ISAR.
> +# Copyright (C) 2022 Siemens AG
> +
> +%:
> + dh $@
> +
> +override_dh_install:
> + install -d debian/sb-mok-public/etc/sb-mok-keys/MOK/
> + install -m 644 /etc/sb-mok-keys/MOK/MOK.der debian/sb-mok-public/etc/sb-mok-keys/MOK/MOK.der
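Review bot: `override_dh_install` copies the certificate from the absolute path `/etc/sb-mok-keys/MOK/MOK.der` of the build chroot, so the package content depends entirely on whichever sb-mok-keys is installed there and nothing checks that a well-formed DER certificate was picked up. Consider validating it before the install step, e.g. `openssl x509 -inform DER -noout -in /etc/sb-mok-keys/MOK/MOK.der`, so a broken or missing key package fails the build with a clear message. Copying by exact file name, as done here, is the right choice, since MOK.priv sits in the same directory with mode 0644 (see the Makefile); please keep it that way and add a comment saying so. The header again reads `# Base image recipe for ISAR`.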
> diff --git a/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
> new file mode 100644
> index 0000000..46fdeed
> --- /dev/null
> +++ b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb
> @@ -0,0 +1,17 @@
> +# Base image recipe for ISAR
> +#
> +# This software is a part of ISAR.
> +# Copyright (C) 2022 Siemens AG
> +
> +inherit dpkg
> +
> +DEPENDS += "sb-mok-keys"
> +DEBIAN_BUILD_DEPENDS .= ",sb-mok-keys"
> +DEBIAN_CONFLICTS .= ",sb-mok-keys"
> +
> +SRC_URI = "file://rules"
> +
> +do_prepare_build[cleandirs] += "${S}/debian"
> +do_prepare_build() {
> + deb_debianize
> +}
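Review bot: `DEBIAN_CONFLICTS .= ",sb-mok-keys"` is the only mechanism keeping the private key out of the target image, and it only acts when sb-mok-public is actually installed; an image recipe that lists sb-mok-keys directly gets the 0644 MOK.priv without any warning, which the commit message concedes with "given that the -public package is installed". The recipe has no comment explaining why a package both build-depends on and conflicts with the same package; add one with the intent from the commit message, and document that image recipes must pull in sb-mok-public rather than sb-mok-keys. A DESCRIPTION and a correct header (this is not a "Base image recipe") would also help here.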
--
Siemens AG, Technology
Competence Center Embedded Linux
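The quoted description says the private key may only live in the sb-mok-keys binary package and must never reach the target image, while the thread above points out that the key is staged with mode 0644. The following is an added example, not code from the patch or from isar: two shell checks a build could run against a staged package tree or an assembled rootfs. The directory layout `etc/sb-mok-keys/MOK/` is the one the patch uses; the sample tree below is constructed here, with placeholder files instead of real key material, so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the patch or of isar): pre-packaging checks for
# private key material. Layout etc/sb-mok-keys/MOK/ taken from the patch; the
# staged tree below is constructed for illustration and holds no real keys.

# check_key_perms ROOT: succeed only if every *.priv file under ROOT has no
# group/other permission bits at all (i.e. is 0600 or tighter).
check_key_perms() {
    root=$1
    # GNU find: -perm /077 matches files with any group/other bit set.
    bad=$(find "$root" -type f -name '*.priv' -perm /077)
    if [ -n "$bad" ]; then
        printf 'FAIL: private key readable by group/other:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# assert_no_private_keys ROOT: succeed only if ROOT (e.g. a target rootfs or
# the sb-mok-public staging dir) contains no private key file at all.
assert_no_private_keys() {
    root=$1
    found=$(find "$root" -type f -name '*.priv')
    if [ -n "$found" ]; then
        printf 'FAIL: private key present in tree:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree mirroring the Makefile in the patch: the key is
# created 0600 but then installed 0644 next to the DER certificate.
stage=$(mktemp -d)
install -d "$stage/etc/sb-mok-keys/MOK"
printf 'placeholder, not a real key\n' > "$stage/etc/sb-mok-keys/MOK/MOK.priv"
printf 'placeholder, not a real cert\n' > "$stage/etc/sb-mok-keys/MOK/MOK.der"
chmod 644 "$stage/etc/sb-mok-keys/MOK/MOK.priv"

# Run both checks against the staged keys-package tree. For sb-mok-keys the
# second check is expected to report the key; for an image rootfs or the
# sb-mok-public tree it must pass.
if check_key_perms "$stage"; then
    echo "key permissions ok"
else
    echo "key permissions need fixing"
fi
if assert_no_private_keys "$stage"; then
    echo "no private key in tree"
else
    echo "private key present (expected for sb-mok-keys, not for an image)"
fi
```

Both functions return a status rather than exiting, so they can be chained into a packaging step or an image post-processing hook and the caller decides whether a finding is fatal.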