starlingx/public-keys
Code Issues Proposed changes
public-keys/README
Li Zhou 0e6c37b9ef README: correct error description 
Correct description about the pub key for mmx64.efi.

Story: 2009221
Task: 47358

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2f77413050b031a80c7ff1adf9198dbccfbd4443
2023-02-23 03:29:26 -05:00

57 lines
2.1 KiB
Plaintext
Raw Permalink Blame History

The keys under this directory are the public keys used in
the verification process of secure boot process for StarlingX
debian.
Keys Introduction:
tis-boot.crt: it is the public key flashed into UEFI to verify
bootx64.efi (signed shim image shimx64.efi);
tis-shim.der: it is the public key used by shim to verify
grubx64.efi (signed grub image) and mmx64.efi
(signed shim tool image);
boot_pub_key: it is the public key used by grub to verify signed
kernel image and initramfs image and efitools image and so on.
TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
der format. It is installed as /CERTS/TiBoot.crt in the efi.img
which is in the iso image.
The following ways can be used to create substitute keys:
(1)example to create tis-boot.crt/TiBoot.crt
openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
openssl x509 -inform der -in BOOT.der -out BOOT.pem
cp BOOT.pem tis-boot.crt
cp BOOT.priv tis-boot.key
cp BOOT.der TiBoot.crt
The tis-boot.crt and tis-boot.key are used to sign images mentioned above.
The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.
(2)example to create boot_pub_key
************
#!/bin/bash
key_dir="./"
priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
name_real="SecureBootCore"
pw="PASSWORD"
USE_PW="Passphrase: PASSWORD"
cat >"${key_dir}/gen_keyring" <<EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: ${name_real}
Name-Comment: EXAMPLE
Name-Email: a@b.com
Expire-Date: 0
${USE_PW}
%commit
%echo keyring ${name_real} created
EOF
gpg --homedir "${key_dir}" --batch --yes --gen-key "${key_dir}/gen_keyring"
gpg --homedir "${key_dir}" -k
gpg --homedir "${key_dir}" --export --armor "${name_real}" > "${pub_key}"
gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
************
The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.
View Git Blame Copy Permalink