feat(certificates-and-keys-native): add developer keys and certificates

The certificates and keys are stored in a repository and taken from there. It is a neative repository that puts the keys into the sysroot where other recipes can take them All the key related scripts where deleted or put in the development-keys repository. Basic simplifications where done, there is yet still room for improvement.
2024-01-17 16:40:52 +01:00 · 2024-01-17 16:40:52 +01:00 · 5b23df1199
parent b819d0746d
commit 5b23df1199
9 changed files with 73 additions and 279 deletions
--- a/15
+++ b/15
@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
 # stdout is redirected to reduce the amount of output but not stderr
 #
 #Note: if a final build is detected all the dev keys are deleted
-
-if [ "$CreateFinal" = "true" ]; then
-    echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
-    rm -rf "${BUILDDIR}/keys"
-else
-    echo "\nNo final build detected use development keys" >&2
-    coreos-get-dev-keys > /dev/null || {
-        echo "The coreos-get-dev-keys script has failed" >&2
-    }
-
-    coreos-keygen > /dev/null || {
-        echo "The coreos-keygen script has failed" >&2
-        return 1
-    }
-fi
--- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
+++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
@ -3,7 +3,7 @@
 # UEFI Secure boot configuration
 # ==============================================================================

-COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
+COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"

 # UEFI Secure boot helpers
@ -16,7 +16,7 @@ HOSTTOOLS += "sbsign"

 # Ensure that the public keys are always deployed to the deploy directory
 # before running wic
-do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
+do_image_wic[depends] += "certificates-and-keys-native:do_deploy"

 COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):

 IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"

-def get_coreos_secureboot_keydir_hash(d):
-    """
-        Generate a space separate list, with a value for each file inside of 
-        keydir. Fromat: <filename>:md5:<md5sum>
-    """
-    import hashlib

-    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
-    value = ""
-    
-    for keyname in os.listdir(keydir):
-        filepath = os.path.join(keydir, keyname)
-        if os.path.isfile(filepath): 
-            md5 = bb.utils.md5_file(filepath)
-            value += f"{keyname}:md5:{md5} "
-
-    return value
-
-# The build system should detect if someone change one of the key inside
-# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
-# depends on this directory
-COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
-COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
--- a/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
+++ b/layers/meta-belden-coreos-bsp/recipes-bsp/u-boot/u-boot-coreos-efi.inc
@ -5,7 +5,7 @@ SRC_URI += " \
    file://uefi-secureboot.cfg \
 "

-DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native"
+DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native"

 # Generate a ubootefi.var file inside the build directory
 #
--- a/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
+++ b/layers/meta-belden-coreos/recipes-bsp/efi/efi-secureboot-keys.bb
@ -1,33 +0,0 @@
-SUMMARY = "A recipe to deploy UEFI public keys update files"
-LICENSE = "CLOSED"
-
-
-INHIBIT_DEFAULT_DEPS = "1"
-inherit nopackages
-
-inherit deploy
-inherit coreos-efi-secureboot
-
-# Public key needed by firmware very depending on the implementation
-# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
-addtask deploy after do_compile
-do_deploy() {
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
-    
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
-
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
-    install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
-
-    # !SECURITY WARNING! 
-    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
-}
--- a/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-bsp/efibootguard/efibootguard_%.bbappend
@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
 # Add signature support
 # ==============================================================================

+DEPENDS:append = " certificates-and-keys-native"
+
 inherit coreos-efi-sbsign
 require conf/image-uefi.conf

--- a/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb
+++ b/layers/meta-belden-coreos/recipes-security/certificates-and-keys/certificates-and-keys-native_1.0.bb
@ -0,0 +1,65 @@
+SUMMARY = "Installs certificates and keys"
+DESCRIPTION = "Installs certificates and keys that are used during the build"
+AUTHOR = "Patrick Vogelaar"
+LICENSE = "CLOSED"
+
+SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
+SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
+
+S = "${WORKDIR}/git"
+
+inherit deploy native
+
+CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
+
+#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
+
+
+do_install() {
+    install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
+    install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
+    install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
+    install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
+    install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
+    install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
+    install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
+    install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
+    install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
+    install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
+    install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
+    install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
+    install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
+    install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
+    install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
+    install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
+    install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
+    install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
+
+    bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
+}
+
+
+# Public key needed by firmware very depending on the implementation
+# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
+
+addtask deploy after do_compile
+do_deploy() {
+    install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
+    install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
+    install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
+
+    install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
+    install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
+    install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
+
+    install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
+    install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
+    install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
+
+    install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
+    install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
+    install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
+
+    # !SECURITY WARNING!
+    # .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
+}
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
 # same file in meta-swupdate
 FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"

+DEPENDS += "certificates-and-keys-native"
+
 SRC_URI += "\
    file://50-webserver-config.sh \
    file://25-sw-collections-config.sh \
--- a/scripts/coreos-get-dev-keys
+++ b/scripts/coreos-get-dev-keys
@ -1,88 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will get development keys needed by the UEFI secure boot
-# implementation from the k-stufen web share and put the under $BUILDDIR/keys
-#
-# The reason for every developer to have the same keys is that image/update
-# filest are interchangable.
-# Those developer keys are used for all builds except the ones that are marked
-# as final. Here the official keys will be used.
-#
-# Following keys will be downloaded
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need wget and tar
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path wget
-assert_command_in_path tar
-
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
-                  KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
-{
-    echo -e "${RED}Incosistent or no keys.${RESET}"
-    echo "Downloading Keys"
-    wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
-    tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
-    rm coreos_developer_signing.keys.tar.gz
-}
--- a/scripts/coreos-keygen
+++ b/scripts/coreos-keygen
@ -1,117 +0,0 @@
-#!/usr/bin/env bash
-
-# This script will generate key needed by the UEFI secure boot implementation
-# under $BUILDDIR/keys
-# db.auth  db.der  db.key    KEK.crt  KEK.esl  PK.auth  PK.der  PK.key
-# db.crt   db.esl  KEK.auth  KEK.der  KEK.key  PK.crt   PK.esl
-
-# This script is used every time the build environment of CoreOS is sourced
-# Note: in the build environment stdout is redirected to /dev/null but not
-# stderr.
-
-set -e
-
-# Logging helper
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-BOLD='\033[1m'
-RESET='\033[0m'
-
-# Ensure that BUILDDIR is defined
-# ==============================================================================
-# This is usually done inside the coreos-init-build-env script
-
-
-if [ -z "$BUILDDIR" ]; then 
-    echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
-    echo -e "Have you run the coreos-init-buildenv script?" 2>&1
-    exit 1
-fi
-
-# We need the KEYDIR directory to exist
-# ==============================================================================
-
-KEYDIR="${BUILDDIR}/keys"
-mkdir -p "${KEYDIR}"
-cd "${KEYDIR}"
-
-# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list 
-# ==============================================================================
-
-assert_command_in_path() {
-    if command -v "$1" >/dev/null 2>&1; then
-        echo -e "✓ Command ${GREEN}${1}${RESET} was found"
-    else
-        echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2 
-        echo -e "Please check the coreos-documentation for the list of required packages" >&2 
-        exit 1
-    fi
-}
-
-assert_command_in_path openssl
-assert_command_in_path cert-to-efi-sig-list
-assert_command_in_path sign-efi-sig-list
-
-# Generate all they keys, as needed
-# ==============================================================================
-# Only generate the file if it's missing and don't fail if the file already
-# exist
-
-check_files_exist() {
-    RET=0
-    for file in "$@"; do
-        if [ ! -e "$file" ]; then
-            echo -e "𐄂 File ${RED}${file}${RESET} missing"
-            RET=1
-        else
-            echo -e "✓ File ${GREEN}${file}${RESET} already exist"
-        fi
-    done
-    return $RET
-}
-
-echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
-
-check_files_exist PK.key PK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
-        -keyout PK.key -out PK.crt -nodes -days 365
-
-check_files_exist KEK.key KEK.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
-        -keyout KEK.key -out KEK.crt -nodes -days 365
-
-check_files_exist db.key db.crt || \
-openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
-		-keyout db.key -out db.crt -nodes -days 365
-
-
-echo "Generatic EFI signature list file with PK, KEK et db public key"
-
-check_files_exist PK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        PK.crt PK.esl;
-
-check_files_exist KEK.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        KEK.crt KEK.esl
-
-check_files_exist db.esl || \
-cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
-        db.crt db.esl
-
-echo "Generatic EFI AUTH file with PK, KEK et db public key"
-
-check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
-
-echo "Generatic DER files with PK, KEK et db public key"
-
-# der certificate are need for OVMF based firmware (virtual machine)
-check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
-check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
-check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
-
-# keys needed to sign and verify SWUpdate
-check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
-    -out swupdate.crt -subj "/O=SWUpdate /CN=target"