diff options
| author | Jason Wessel <jason.wessel@windriver.com> | 2019-10-25 13:42:13 -0700 |
|---|---|---|
| committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2019-11-08 13:27:23 +0800 |
| commit | d63b6d273b78f557ad829b05c7286b8c24d2e511 (patch) | |
| tree | 78d6f4a48d8285cfcbab3be0b202970342d9b01d | |
| parent | 31d2105b7a4b8535f8ddb252857af483e4ab32fd (diff) | |
| download | meta-secure-core-d63b6d273b78f557ad829b05c7286b8c24d2e511.tar.gz | |
layer.conf gpg boot key sample: Add the gpg boot key sample files
Sample keys are required in order for the signing to succeed when
using grub boot verification. The keys are only used when
GRUB_SIGN_VERIFY = "1", and it is intended that and user would
generate new keys with the create-user-key-store.sh.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
| -rw-r--r-- | meta-signing-key/conf/layer.conf | 8 | ||||
| -rw-r--r-- | meta-signing-key/files/boot_keys/BOOT-GPG-KEY-SecureBootCore | 29 | ||||
| -rw-r--r-- | meta-signing-key/files/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore | 57 | ||||
| -rw-r--r-- | meta-signing-key/files/boot_keys/boot_cfg_pw | 1 | ||||
| -rw-r--r-- | meta-signing-key/files/boot_keys/boot_pub_key | bin | 0 -> 1172 bytes |
5 files changed, 95 insertions, 0 deletions
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 84b06a2..8818e7a 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf | |||
| @@ -23,6 +23,7 @@ SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys" | |||
| 23 | SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys" | 23 | SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys" |
| 24 | SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" | 24 | SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" |
| 25 | SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" | 25 | SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" |
| 26 | SAMPLE_BOOT_KEYS_DIR = "${LAYERDIR}/files/boot_keys" | ||
| 26 | 27 | ||
| 27 | # Microsoft certificates | 28 | # Microsoft certificates |
| 28 | MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.crt" | 29 | MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.crt" |
| @@ -37,6 +38,9 @@ UEFI_SELOADER ??= "1" | |||
| 37 | # Use gpg key to protect and verify all files used by grub | 38 | # Use gpg key to protect and verify all files used by grub |
| 38 | GRUB_SIGN_VERIFY ??= "0" | 39 | GRUB_SIGN_VERIFY ??= "0" |
| 39 | 40 | ||
| 41 | # Signing file extension | ||
| 42 | SB_FILE_EXT = "${@'.p7b' if d.getVar('UEFI_SELOADER', True) == "1" else '.sig'}" | ||
| 43 | |||
| 40 | # By default the sample keys are used | 44 | # By default the sample keys are used |
| 41 | MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" | 45 | MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" |
| 42 | UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}" | 46 | UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}" |
| @@ -45,6 +49,8 @@ SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}" | |||
| 45 | MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}" | 49 | MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}" |
| 46 | IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}" | 50 | IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}" |
| 47 | RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}" | 51 | RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}" |
| 52 | BOOT_KEYS_DIR ??= "${SAMPLE_BOOT_KEYS_DIR}" | ||
| 53 | GRUB_PUB_KEY ??= "${BOOT_KEYS_DIR}/boot_pub_key" | ||
| 48 | 54 | ||
| 49 | # Define the identification of vendor | 55 | # Define the identification of vendor |
| 50 | VENDOR_UUID = "1f7b9654-2107-4697-8f1c-0cbc38874588" | 56 | VENDOR_UUID = "1f7b9654-2107-4697-8f1c-0cbc38874588" |
| @@ -55,6 +61,8 @@ UEFI_SIG_OWNER_GUID ??= "${VENDOR_UUID}" | |||
| 55 | SAMPLE_RPM_KEYNAME ??= "SecureCore" | 61 | SAMPLE_RPM_KEYNAME ??= "SecureCore" |
| 56 | RPM_GPG_NAME ??= "${SAMPLE_RPM_KEYNAME}" | 62 | RPM_GPG_NAME ??= "${SAMPLE_RPM_KEYNAME}" |
| 57 | RPM_GPG_PASSPHRASE ??= "SecureCore" | 63 | RPM_GPG_PASSPHRASE ??= "SecureCore" |
| 64 | BOOT_GPG_NAME ??= "SecureBootCore" | ||
| 65 | BOOT_GPG_PASSPHRASE ??= "SecureCore" | ||
| 58 | 66 | ||
| 59 | BB_HASHBASE_WHITELIST_append += "\ | 67 | BB_HASHBASE_WHITELIST_append += "\ |
| 60 | SYSTEM_TRUSTED_KEYS_DIR \ | 68 | SYSTEM_TRUSTED_KEYS_DIR \ |
diff --git a/meta-signing-key/files/boot_keys/BOOT-GPG-KEY-SecureBootCore b/meta-signing-key/files/boot_keys/BOOT-GPG-KEY-SecureBootCore new file mode 100644 index 0000000..90744e2 --- /dev/null +++ b/meta-signing-key/files/boot_keys/BOOT-GPG-KEY-SecureBootCore | |||
| @@ -0,0 +1,29 @@ | |||
| 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- | ||
| 2 | |||
| 3 | mQINBF2yGpkBEADSQX70Xp9k5z+i+7aZ8hz9wLeZpZkGqQkXiR26RnUrr3aQkasS | ||
| 4 | PyLlD2PfTNffPzIs25z5OBEnmuTfjsQvnTqHA9TV1/WNFXyO8MLlHjMvME+8+F+2 | ||
| 5 | NChOAi7LWhDkS4V9WDfqVw89GbE33zX3DG4LXMQah18AljQcEd5z7G69ntb/4RVs | ||
| 6 | zUvAOGJirU746Snl3+ix+VyY6EC5tiB1qy8GoZxyxPHENqUOef7E18mShjVrS643 | ||
| 7 | vUr7fvtEXvYwaHYKyjrl32SHZRIw9ykVBrmmQ7ly2z5N7L8h394MzqAKFrlNpvdu | ||
| 8 | Yz6PAfP9dp8RN5as7z7dF6KLh+bFbCCf1XSiOvY0ObN8lQreGb3ziGxC3ABJkMfG | ||
| 9 | phYP741M7XTGULbET4/DnAvST2GoJDyclVvjHN2zG8aFezNDMzuTxs2aUzP1YqSu | ||
| 10 | A7LgKz6L3RCBGrosVmM7CuGmCQNWuLDfQaEuQz4izlioP81ei2pyt8zvwZ0tWcIx | ||
| 11 | pp3LRD6Lr+IXOBgujI6b02e4NUaZKbskOPtExyjYdl6kfV9vgBei0+qe+ZEu7VFA | ||
| 12 | OECLyMdW/boOA3697NstwcmrbmlACZvMdmrGl2RMdbHDdFkp69tGe3fb27sliE5h | ||
| 13 | TT1yx2Tea0KFXLvITwufOA45nVdxBWC/sJVbDDM4PR4ctcUKFlw9H3GseQARAQAB | ||
| 14 | tDFTZWN1cmVCb290Q29yZSAoU2lnbmluZyBLZXkpIDxTZWN1cmVDb3JlQGZvby5j | ||
| 15 | b20+iQJOBBMBCgA4FiEEHH7Jp6aelfL9SIlenjCG+W7uzDQFAl2yGpkCGy8FCwkI | ||
| 16 | BwIGFQoJCAsCBBYCAwECHgECF4AACgkQnjCG+W7uzDQ0WRAArSFplUOsZ0+ZgGM3 | ||
| 17 | JbTV1Z8J/IO5WKKMrSIBOLYl4gkg3o7x7zWMLS/obul8XpfqhsOCs+ra7tM0XBdU | ||
| 18 | 9OX3jOT75yD9jBxnOMjq+jFEX5KkL/JL97MFSzPaX5aPvK881nhrglraO6WKU8WP | ||
| 19 | YdvRO0mcicR53pv3J8V43fwC5Ru5jFhpJVTd9d9iyszIEr1dXbTTZI+s7+7adg/r | ||
| 20 | EUXf9co+uQo9GYGiWH2ePmS76vE3jztxaO1YWV7/sJiH2SBxjd78i1hkRXFeSG4/ | ||
| 21 | JK7Zp3Y8PgczqbXwvtQitrG/gIYe8ihGaEXAdk0mw/ET1SD48fur8yKM1ILuInbj | ||
| 22 | ValaDEeCTF2mSzYLuOaplS4DnZHm7tsI8T4JdSKFm0ezHdepKQeKq0h22nTdnt2v | ||
| 23 | QP8AmTijseq9Ssl5dYY3gc2W/v8ynD55eKsMqYn3wJgSnmBgEmJCFjM+dJO4v3Ri | ||
| 24 | qjidgDS5gpPLdMqPI3LYHDmplUVgyRVtbG4fvRx3uAsPyNfSBTscDpsc/cbOFnAL | ||
| 25 | Iq8sZjWrUUtvSrGNc6ghLACfbfE2vuPIco0DgpbIj0J8+31cdJNYYopX+cNS2KrY | ||
| 26 | 2+UbvrEXcAOnLKC79tFVp+AE0/LS0o9RZdrQO3lFpKUf98/ZGLSCQcYJ76zjVwwh | ||
| 27 | /OnVLEB0QhVQ0BnJYY5PrYGpgmo= | ||
| 28 | =LD8N | ||
| 29 | -----END PGP PUBLIC KEY BLOCK----- | ||
diff --git a/meta-signing-key/files/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore b/meta-signing-key/files/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore new file mode 100644 index 0000000..f78f653 --- /dev/null +++ b/meta-signing-key/files/boot_keys/BOOT-GPG-PRIVKEY-SecureBootCore | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | -----BEGIN PGP PRIVATE KEY BLOCK----- | ||
| 2 | |||
| 3 | lQdGBF2yGpkBEADSQX70Xp9k5z+i+7aZ8hz9wLeZpZkGqQkXiR26RnUrr3aQkasS | ||
| 4 | PyLlD2PfTNffPzIs25z5OBEnmuTfjsQvnTqHA9TV1/WNFXyO8MLlHjMvME+8+F+2 | ||
| 5 | NChOAi7LWhDkS4V9WDfqVw89GbE33zX3DG4LXMQah18AljQcEd5z7G69ntb/4RVs | ||
| 6 | zUvAOGJirU746Snl3+ix+VyY6EC5tiB1qy8GoZxyxPHENqUOef7E18mShjVrS643 | ||
| 7 | vUr7fvtEXvYwaHYKyjrl32SHZRIw9ykVBrmmQ7ly2z5N7L8h394MzqAKFrlNpvdu | ||
| 8 | Yz6PAfP9dp8RN5as7z7dF6KLh+bFbCCf1XSiOvY0ObN8lQreGb3ziGxC3ABJkMfG | ||
| 9 | phYP741M7XTGULbET4/DnAvST2GoJDyclVvjHN2zG8aFezNDMzuTxs2aUzP1YqSu | ||
| 10 | A7LgKz6L3RCBGrosVmM7CuGmCQNWuLDfQaEuQz4izlioP81ei2pyt8zvwZ0tWcIx | ||
| 11 | pp3LRD6Lr+IXOBgujI6b02e4NUaZKbskOPtExyjYdl6kfV9vgBei0+qe+ZEu7VFA | ||
| 12 | OECLyMdW/boOA3697NstwcmrbmlACZvMdmrGl2RMdbHDdFkp69tGe3fb27sliE5h | ||
| 13 | TT1yx2Tea0KFXLvITwufOA45nVdxBWC/sJVbDDM4PR4ctcUKFlw9H3GseQARAQAB | ||
| 14 | /gcDAhaWt8LBkr8B/01wlYh2JNPnMhu1b3guvOIw1klITLhxAlIm3YEs97bWcQ0t | ||
| 15 | T9sQlIsAGXQeJYgk/bzK8aXUo7Gv9HrRFP33HtROaXmWr9IK2ZFDLf5TByOD3TdV | ||
| 16 | iLkms4NkOEBwbMpcnXEYgRKtHaZWWXnsgVGicfski0c2EAzEGH6FLFVSeGud0D8Q | ||
| 17 | bXL/6FTbyHMomRAXgvRUu196j4vUlHntSUHX1heKspSlQbUvFXlSK1r2kEAle8qX | ||
| 18 | AECeROPWNeFsfWmg+I7iGtXwngovsvxr7hL/GEfdRZsMB6mGiQs9oJBxSzUju1DJ | ||
| 19 | jDf7lNhd9JRQHpY/kV9IVyXZOMVRRRGrz7pDUWjngecEeSC7YTHMeXM47MrCDU3P | ||
| 20 | l2mvtN0YO0cW+W40p79SzebgkKyZSFxeej0iSA7taNj/7mXyGAeUjbSeXzH5P2Rr | ||
| 21 | 5i61K7cu7kQWKI3TgmDmxK08yLgnQBiuhYwNsdnyqTLhfG3HnzBstvqt3FxzF/Mn | ||
| 22 | oJVrBe8g+oduadRr0GUChAYeGPePZiysMHspsFi5u4f9f6+qAzVhq5MAfS4cU48Q | ||
| 23 | 2wiCpT6cyOYdVrGx+yqDDFwqE4Eb4hruRu3+LCa3ssVA5e0COlfn19LjuuCgH2IE | ||
| 24 | EwNVtKMIiUGsd+8KmNPs+0CwPpaDrqubOC5Fb2Zl/jEGQ0zyfnVorNBjWUudSgno | ||
| 25 | 0Cp1oKPTohxct6Ng1jUExk3pny/ME9mePJxcn2bxZz4tOR9Cpx8EXUcUK4Iz8CSS | ||
| 26 | Ov/KseyqJd6vlV4xQ31/seyPMDpBuIjieqFFYlL2/dgWO1U9JDD4BrdjBCwW/bGT | ||
| 27 | OuAQBrB/dB8alZ/GQzQBO45juuEgeUYg7SQRJIDMuIZwl+kOmTjdLRexhoPsAz8E | ||
| 28 | Ysa8tW46xqC4tu0uBFGMhBUbHtFiV4PXgMo4Lq+7glkre/qQzBhXTqk9bEOlYF4C | ||
| 29 | X9VOAKyzuGoQi+Yme5yDTmzBu7tY8jErqyO5sgI4U9LgTJ8A/WDzZ62OZgazlK3p | ||
| 30 | CvjD8bSwSPwE8TDTZo8NpDmqM1mUtWNEoDsc34VyWrtmYviFAYL5OLVHce24J4Za | ||
| 31 | 8sQOIv0oESfO1VePWvD1n523K0kxU0Onqk4shb9RCvGpJMfGLnw6y/DAACTQxaC1 | ||
| 32 | FCg6pLp451L4M91LkO8bP8YYNMGymqoTqLQwnPUm1oU7fI6YK6Mym+Yb6sUx4uLa | ||
| 33 | V9Z5ZZ/mPE9Ds0Pyjwn48oz1G6dwnOnURu22fhCmJoic8YMNhwW/ZCjpmq/mtn9G | ||
| 34 | 9ipmLEcwv22eHFhSJFFmVEZxUJD7m0hK66YL/estPPNbz7s0YorQGMIocNUvp+fD | ||
| 35 | aQ0ijP01S9FOaYUVfxy/bG1gWY7ANejB16hzgDM2OBwA0+lfILGIP3g3i7m1+6Pb | ||
| 36 | Y4z003cfhiDPRrfYvw3aGuyNiYPDZQvdjYC4SQlS7fNCGqczZcfNcV8yjLKaHfRX | ||
| 37 | 8Lka3jpIWvmGRz+OfpML3XcX52HdABNfyW5WuuxJf9ULeSKvNNZBOXKXBL3/lwHV | ||
| 38 | 8rgv5YSqP9VFQOHqfaaBuj6VPUmaXjaTJVzeLY7DrpoPtdwPUX9BJioA7gWGFPD+ | ||
| 39 | CZ6QXYClkqyUTAYKqQQNbGSoXrqoYatCmS6Ct6WFjzXTvRSDes5+y2OfujpRYTvl | ||
| 40 | 7R88asZ79w2NlrU0qCybb/0cgUEpLaMBYRPdzeh95YjbLxGKmqIHhlFuNXPyOFnR | ||
| 41 | QU1ZkbbW6HS4GedQkKxnL/G2n+VCQ4O6g9g4HPSvP8CVfjnl6+VtFGa0MVNlY3Vy | ||
| 42 | ZUJvb3RDb3JlIChTaWduaW5nIEtleSkgPFNlY3VyZUNvcmVAZm9vLmNvbT6JAk4E | ||
| 43 | EwEKADgWIQQcfsmnpp6V8v1IiV6eMIb5bu7MNAUCXbIamQIbLwULCQgHAgYVCgkI | ||
| 44 | CwIEFgIDAQIeAQIXgAAKCRCeMIb5bu7MNDRZEACtIWmVQ6xnT5mAYzcltNXVnwn8 | ||
| 45 | g7lYooytIgE4tiXiCSDejvHvNYwtL+hu6Xxel+qGw4Kz6tru0zRcF1T05feM5Pvn | ||
| 46 | IP2MHGc4yOr6MURfkqQv8kv3swVLM9pflo+8rzzWeGuCWto7pYpTxY9h29E7SZyJ | ||
| 47 | xHnem/cnxXjd/ALlG7mMWGklVN3132LKzMgSvV1dtNNkj6zv7tp2D+sRRd/1yj65 | ||
| 48 | Cj0ZgaJYfZ4+ZLvq8TePO3Fo7VhZXv+wmIfZIHGN3vyLWGRFcV5Ibj8krtmndjw+ | ||
| 49 | BzOptfC+1CK2sb+Ahh7yKEZoRcB2TSbD8RPVIPjx+6vzIozUgu4iduNVqVoMR4JM | ||
| 50 | XaZLNgu45qmVLgOdkebu2wjxPgl1IoWbR7Md16kpB4qrSHbadN2e3a9A/wCZOKOx | ||
| 51 | 6r1KyXl1hjeBzZb+/zKcPnl4qwypiffAmBKeYGASYkIWMz50k7i/dGKqOJ2ANLmC | ||
| 52 | k8t0yo8jctgcOamVRWDJFW1sbh+9HHe4Cw/I19IFOxwOmxz9xs4WcAsiryxmNatR | ||
| 53 | S29KsY1zqCEsAJ9t8Ta+48hyjQOClsiPQnz7fVx0k1hiilf5w1LYqtjb5Ru+sRdw | ||
| 54 | A6csoLv20VWn4ATT8tLSj1Fl2tA7eUWkpR/3z9kYtIJBxgnvrONXDCH86dUsQHRC | ||
| 55 | FVDQGclhjk+tgamCag== | ||
| 56 | =vO+l | ||
| 57 | -----END PGP PRIVATE KEY BLOCK----- | ||
diff --git a/meta-signing-key/files/boot_keys/boot_cfg_pw b/meta-signing-key/files/boot_keys/boot_cfg_pw new file mode 100644 index 0000000..7dadb2e --- /dev/null +++ b/meta-signing-key/files/boot_keys/boot_cfg_pw | |||
| @@ -0,0 +1 @@ | |||
| grub.pbkdf2.sha512.10000.2ACE2378DE516E00A6722F4277A8D2573E252FE6EC2B768922849AFDDEC0AB87D0CA25951E572A0754540339EB4F45A6F7CD5C6F20823F75F268C823B3997237.9A9EB552ABB428FB82CE7351787FC225BCB13B1542C82B582D40424FF1BF4B292B547EE51F7495C9D3BEC51BAA008D7F2D1B8F533F7337B98DE74FD510948F04 | |||
diff --git a/meta-signing-key/files/boot_keys/boot_pub_key b/meta-signing-key/files/boot_keys/boot_pub_key new file mode 100644 index 0000000..f9e50a6 --- /dev/null +++ b/meta-signing-key/files/boot_keys/boot_pub_key | |||
| Binary files differ | |||