diff --git a/coreos-init-build-env b/coreos-init-build-env index 6841e38..63f6f38 100755 --- a/coreos-init-build-env +++ b/coreos-init-build-env @@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers" # stdout is redirected to reduce the amount of output but not stderr # #Note: if a final build is detected all the dev keys are deleted - -if [ "$CreateFinal" = "true" ]; then - echo "\nFinal build detected delete dev keys and dont use or generate them" >&2 - rm -rf "${BUILDDIR}/keys" -else - echo "\nNo final build detected use development keys" >&2 - coreos-get-dev-keys > /dev/null || { - echo "The coreos-get-dev-keys script has failed" >&2 - } - - coreos-keygen > /dev/null || { - echo "The coreos-keygen script has failed" >&2 - return 1 - } -fi diff --git a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass index cd54553..23718e5 100644 --- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass +++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass @@ -3,7 +3,7 @@ # UEFI Secure boot configuration # ============================================================================== -COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys" +COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" # UEFI Secure boot helpers 
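Review bot: The new default for `COREOS_EFI_SECUREBOOT_KEYDIR` points into the recipe's native sysroot, but the class does not declare the dependency that populates that directory, so every consumer has to add its own `DEPENDS` on `certificates-and-keys-native` (the u-boot, efibootguard and swupdate hunks each do this by hand). A recipe that reads the key directory without that line would find it empty, probably only noticed at signing time; if it fits the class's users, `DEPENDS:append = " certificates-and-keys-native"` in the class would remove that trap. The path also hard-codes `keys` while the new recipe exposes an overridable `CERTIFICATES_AND_KEYS_DIR`, so overriding one silently breaks the other. A comment such as `# Must match CERTIFICATES_AND_KEYS_DIR in certificates-and-keys-native` above the assignment would document the coupling.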
@@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign" # Ensure that the public keys are always deployed to the deploy directory # before running wic -do_image_wic[depends] += "efi-secureboot-keys:do_deploy" +do_image_wic[depends] += "certificates-and-keys-native:do_deploy" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" def get_coreos_secureboot_efi_boot_files(d): """ - Return the list of pubkey file inside deploy if + Return the list of pubkey file inside deploy if COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string otherwise """ @@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d): IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}" -def get_coreos_secureboot_keydir_hash(d): - """ - Generate a space separate list, with a value for each file inside of - keydir. Fromat: :md5: - """ - import hashlib - keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR') - value = "" - - for keyname in os.listdir(keydir): - filepath = os.path.join(keydir, keyname) - if os.path.isfile(filepath): - md5 = bb.utils.md5_file(filepath) - value += f"{keyname}:md5:{md5} " - - return value - -# The build system should detect if someone change one of the key inside -# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that -# depends on this directory -COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}" -COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH" diff --git a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc index 8b66e47..dd25c8e 100644 --- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc +++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc 
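Review bot: `do_image_wic[depends]` now relies on `do_deploy` of a recipe that inherits `native`, an unusual combination that deserves a second look. Deploy output normally lands in the machine-specific image deploy directory, while a native recipe's shared state is not keyed on the machine. With several machines in one build tree the public key files may therefore not be re-deployed for the second machine; this is inferred from how the two classes usually behave and should be verified. Either a small target-side recipe for the deploy step, or a comment next to this line explaining why deploying from the native recipe is safe here, would settle it.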
@@ -5,7 +5,7 @@ SRC_URI += " \ file://uefi-secureboot.cfg \ " -DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native" +DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native" # Generate a ubootefi.var file inside the build directory # diff --git a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb b/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb deleted file mode 100644 index 7cde776..0000000 --- a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb +++ /dev/null 
@@ -1,33 +0,0 @@ -SUMMARY = "A recipe to deploy UEFI public keys update files" -LICENSE = "CLOSED" - - -INHIBIT_DEFAULT_DEPS = "1" -inherit nopackages - -inherit deploy -inherit coreos-efi-secureboot - -# Public key needed by firmware very depending on the implementation -# So we copy all type of public key (*.auth, *.esl, *.crt, *der) -addtask deploy after do_compile -do_deploy() { - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt - - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der - install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der - - # !SECURITY WARNING! - # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys -} \ No newline at end of file diff --git a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend index 2a5b34b..d79a4d6 100644 --- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend +++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend 
@@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat # Add signature support # ============================================================================== +DEPENDS:append = " certificates-and-keys-native" + inherit coreos-efi-sbsign require conf/image-uefi.conf diff --git a/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb new file mode 100644 index 0000000..bded77d --- /dev/null +++ b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb 
@@ -0,0 +1,65 @@ +SUMMARY = "Installs certificates and keys" +DESCRIPTION = "Installs certificates and keys that are used during the build" +AUTHOR = "Patrick Vogelaar" +LICENSE = "CLOSED" + +SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master" +SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7" + +S = "${WORKDIR}/git" + +inherit deploy native + +CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/" + +#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*" + + +do_install() { + install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}" + install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth + install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt + install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der + install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl + install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key + install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth + install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt + install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der + install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl + install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key + install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth + install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt + install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der + install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl + install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key + install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt + install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key + + bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!" 
+} + + +# Public key needed by firmware very depending on the implementation +# So we copy all type of public key (*.auth, *.esl, *.crt, *der) + +addtask deploy after do_compile +do_deploy() { + install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth + install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth + install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth + + install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl + install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl + install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl + + install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt + install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt + install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt + + install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der + install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der + install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der + + # !SECURITY WARNING! + # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys +} \ No newline at end of file diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend index 3e76bd8..8cdd848 100644 --- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend +++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend @@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate" # same file in meta-swupdate FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:" +DEPENDS += "certificates-and-keys-native" + SRC_URI += "\ file://50-webserver-config.sh \ file://25-sw-collections-config.sh \ diff --git a/scripts/coreos-get-dev-keys b/scripts/coreos-get-dev-keys deleted file mode 100755 index 8673797..0000000 --- a/scripts/coreos-get-dev-keys +++ /dev/null 
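Review bot: `do_install` only emits a `bbwarn` when it stages the development keys, so nothing in the new code stops a final build from being signed with them now that the `CreateFinal` branch in coreos-init-build-env is removed (the comment left there still says the dev keys are deleted on a final build). A guard at the top of `do_install` that calls `bbfatal` when the build is marked final, or a separate key source for such builds, would restore that protection. The private keys are also installed with mode 755; assuming all consumers run as the build user, `install -m 0600 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key` (likewise for `KEK.key`, `PK.key` and `swupdate.key`) and `0644` for the public files would keep world-readable, executable key material out of the sysroot. The warning text says the keys are added "into the image", whereas this task stages them in the native sysroot, so the wording could be made more precise.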
@@ -1,88 +0,0 @@ -#!/usr/bin/env bash - -# This script will get development keys needed by the UEFI secure boot -# implementation from the k-stufen web share and put the under $BUILDDIR/keys -# -# The reason for every developer to have the same keys is that image/update -# filest are interchangable. -# Those developer keys are used for all builds except the ones that are marked -# as final. Here the official keys will be used. -# -# Following keys will be downloaded -# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key -# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl - -# This script is used every time the build environment of CoreOS is sourced -# Note: in the build environment stdout is redirected to /dev/null but not -# stderr. - -set -e - -# Logging helper -RED='\033[0;31m' -GREEN='\033[0;32m' -BOLD='\033[1m' -RESET='\033[0m' - -# Ensure that BUILDDIR is defined -# ============================================================================== -# This is usually done inside the coreos-init-build-env script - - -if [ -z "$BUILDDIR" ]; then - echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1 - echo -e "Have you run the coreos-init-buildenv script?" 
2>&1 - exit 1 -fi - -# We need the KEYDIR directory to exist -# ============================================================================== - -KEYDIR="${BUILDDIR}/keys" -mkdir -p "${KEYDIR}" -cd "${KEYDIR}" - -# we need wget and tar -# ============================================================================== - -assert_command_in_path() { - if command -v "$1" >/dev/null 2>&1; then - echo -e "✓ Command ${GREEN}${1}${RESET} was found" - else - echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 - echo -e "Please check the coreos-documentation for the list of required packages" >&2 - exit 1 - fi -} - -assert_command_in_path wget -assert_command_in_path tar - - -# Generate all they keys, as needed -# ============================================================================== -# Only generate the file if it's missing and don't fail if the file already -# exist - -check_files_exist() { - RET=0 - for file in "$@"; do - if [ ! -e "$file" ]; then - echo -e "𐄂 File ${RED}${file}${RESET} missing" - RET=1 - else - echo -e "✓ File ${GREEN}${file}${RESET} already exist" - fi - done - return $RET -} - -check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \ - KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \ -{ - echo -e "${RED}Incosistent or no keys.${RESET}" - echo "Downloading Keys" - wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \ - tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \ - rm coreos_developer_signing.keys.tar.gz -} diff --git a/scripts/coreos-keygen b/scripts/coreos-keygen deleted file mode 100755 index c3dc725..0000000 --- a/scripts/coreos-keygen +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/usr/bin/env bash - -# This script will generate key needed by the UEFI secure boot implementation -# under $BUILDDIR/keys -# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key -# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl - -# This script is used every time the build environment of CoreOS is sourced -# Note: in the build environment stdout is redirected to /dev/null but not -# stderr. - -set -e - -# Logging helper -RED='\033[0;31m' -GREEN='\033[0;32m' -BOLD='\033[1m' -RESET='\033[0m' - -# Ensure that BUILDDIR is defined -# ============================================================================== -# This is usually done inside the coreos-init-build-env script - - -if [ -z "$BUILDDIR" ]; then - echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1 - echo -e "Have you run the coreos-init-buildenv script?" 2>&1 - exit 1 -fi - -# We need the KEYDIR directory to exist -# ============================================================================== - -KEYDIR="${BUILDDIR}/keys" -mkdir -p "${KEYDIR}" -cd "${KEYDIR}" - -# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list -# ============================================================================== - -assert_command_in_path() { - if command -v "$1" >/dev/null 2>&1; then - echo -e "✓ Command ${GREEN}${1}${RESET} was found" - else - echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 - echo -e "Please check the coreos-documentation for the list of required packages" >&2 - exit 1 - fi -} - -assert_command_in_path openssl -assert_command_in_path cert-to-efi-sig-list -assert_command_in_path sign-efi-sig-list - -# Generate all they keys, as needed -# ============================================================================== -# Only generate the file if it's missing and don't fail if the file already -# exist - -check_files_exist() { - RET=0 - for file in "$@"; do - if [ ! 
-e "$file" ]; then - echo -e "𐄂 File ${RED}${file}${RESET} missing" - RET=1 - else - echo -e "✓ File ${GREEN}${file}${RESET} already exist" - fi - done - return $RET -} - -echo "Generating private/public keys in .key/.crt format for PK, KEK et db" - -check_files_exist PK.key PK.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \ - -keyout PK.key -out PK.crt -nodes -days 365 - -check_files_exist KEK.key KEK.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \ - -keyout KEK.key -out KEK.crt -nodes -days 365 - -check_files_exist db.key db.crt || \ -openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \ - -keyout db.key -out db.crt -nodes -days 365 - - -echo "Generatic EFI signature list file with PK, KEK et db public key" - -check_files_exist PK.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - PK.crt PK.esl; - -check_files_exist KEK.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - KEK.crt KEK.esl - -check_files_exist db.esl || \ -cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \ - db.crt db.esl - -echo "Generatic EFI AUTH file with PK, KEK et db public key" - -check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth -check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth -check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth - -echo "Generatic DER files with PK, KEK et db public key" - -# der certificate are need for OVMF based firmware (virtual machine) -check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der -check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der -check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der - -# keys needed to sign and verify SWUpdate -check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \ - -out 
swupdate.crt -subj "/O=SWUpdate /CN=target"