StarlingX Public Keys and Certs
0e6c37b9ef
Correct description about the pub key for mmx64.efi. Story: 2009221 Task: 47358 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: I2f77413050b031a80c7ff1adf9198dbccfbd4443 |
||
---|---|---|
.gitreview | ||
.zuul.yaml | ||
boot_pub_key | ||
README | ||
test-requirements.txt | ||
TiBoot.crt | ||
tis-boot.crt | ||
tis-shim.der | ||
tox.ini |
The keys under this directory are the public keys used in the verification process of secure boot process for StarlingX debian. Keys Introduction: tis-boot.crt: it is the public key flashed into UEFI to verify bootx64.efi (signed shim image shimx64.efi); tis-shim.der: it is the public key used by shim to verify grubx64.efi (signed grub image) and mmx64.efi (signed shim tool image); boot_pub_key: it is the public key used by grub to verify signed kernel image and initramfs image and efitools image and so on. TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a der format. It is installed as /CERTS/TiBoot.crt in the efi.img which is in the iso image. The following ways can be used to create substitute keys: (1)example to create tis-boot.crt/TiBoot.crt openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes openssl x509 -inform der -in BOOT.der -out BOOT.pem cp BOOT.pem tis-boot.crt cp BOOT.priv tis-boot.key cp BOOT.der TiBoot.crt The tis-boot.crt and tis-boot.key are used to sign images mentioned above. The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way. (2)example to create boot_pub_key ************ #!/bin/bash key_dir="./" priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore" pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore" name_real="SecureBootCore" pw="PASSWORD" USE_PW="Passphrase: PASSWORD" cat >"${key_dir}/gen_keyring" <<EOF Key-Type: RSA Key-Length: 4096 Name-Real: ${name_real} Name-Comment: EXAMPLE Name-Email: a@b.com Expire-Date: 0 ${USE_PW} %commit %echo keyring ${name_real} created EOF gpg --homedir "${key_dir}" --batch --yes --gen-key "${key_dir}/gen_keyring" gpg --homedir "${key_dir}" -k gpg --homedir "${key_dir}" --export --armor "${name_real}" > "${pub_key}" gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}" gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key ************ The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.