StarlingX Public Keys and Certs
Go to file
Li Zhou 0e6c37b9ef README: correct error description
Correct description about the pub key for mmx64.efi.

Story: 2009221
Task: 47358

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2f77413050b031a80c7ff1adf9198dbccfbd4443
2023-02-23 03:29:26 -05:00
.gitreview Added .gitreview 2023-02-07 17:01:54 +00:00
.zuul.yaml Initial Tox/Zuul setup 2023-02-15 14:04:23 -05:00
boot_pub_key secure boot: move pub keys to this git repo 2023-02-15 20:59:23 +00:00
README README: correct error description 2023-02-23 03:29:26 -05:00
test-requirements.txt Initial Tox/Zuul setup 2023-02-15 14:04:23 -05:00
TiBoot.crt secure boot: move pub keys to this git repo 2023-02-15 20:59:23 +00:00
tis-boot.crt secure boot: move pub keys to this git repo 2023-02-15 20:59:23 +00:00
tis-shim.der secure boot: move pub keys to this git repo 2023-02-15 20:59:23 +00:00
tox.ini Initial Tox/Zuul setup 2023-02-15 14:04:23 -05:00

  The keys under this directory are the public keys used in
the verification process of secure boot process for StarlingX
debian.

Keys Introduction:
  tis-boot.crt: it is the public key flashed into UEFI to verify
    bootx64.efi (signed shim image shimx64.efi);
  tis-shim.der: it is the public key used by shim to verify
    grubx64.efi (signed grub image) and mmx64.efi
    (signed shim tool image);
  boot_pub_key: it is the public key used by grub to verify signed
    kernel image and initramfs image and efitools image and so on.
  TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
    der format. It is installed as /CERTS/TiBoot.crt in the efi.img
    which is in the iso image.

The following ways can be used to create substitute keys:
(1)example to create tis-boot.crt/TiBoot.crt
openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
openssl x509 -inform der -in BOOT.der -out BOOT.pem
cp BOOT.pem tis-boot.crt
cp BOOT.priv tis-boot.key
cp BOOT.der TiBoot.crt
The tis-boot.crt and tis-boot.key are used to sign images mentioned above.

The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.

(2)example to create boot_pub_key
************
#!/bin/bash
key_dir="./"
priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
name_real="SecureBootCore"
pw="PASSWORD"
USE_PW="Passphrase: PASSWORD"

cat >"${key_dir}/gen_keyring" <<EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: ${name_real}
Name-Comment: EXAMPLE
Name-Email: a@b.com
Expire-Date: 0
${USE_PW}
%commit
%echo keyring ${name_real} created
EOF

gpg --homedir "${key_dir}" --batch --yes --gen-key "${key_dir}/gen_keyring"
gpg --homedir "${key_dir}" -k
gpg --homedir "${key_dir}" --export --armor "${name_real}" > "${pub_key}"
gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
************
The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.