secure-boot: use keys from meta-nwl-distro/files/keys by default

instead of using the keys generated inside build/key by coreos-init-buildenv, we use a fixed set of keys by default so that we can share the sstate output that use thoses keys to share binaries between the CI state server and developers local installation.
2023-08-03 16:37:02 +02:00 · 2023-08-03 16:37:02 +02:00 · d43ba7a6e3
parent 3765bba60a
commit d43ba7a6e3
17 changed files with 152 additions and 0 deletions
--- a/layers/meta-nwl-distro/conf/distro/nwl.conf
+++ b/layers/meta-nwl-distro/conf/distro/nwl.conf
@ -13,6 +13,14 @@ MAINTAINER = "Netmodule Software Teams"
 DISTRO_VERSION = "2023.03"
 DISTRO_CODENAME = "NWL 2023 Edition (DRAFT)"
 # Use by default the in-tree developers set of keys for Secure Boot
 COREOS_EFI_SECUREBOOT_KEYDIR ?= "${NWL_ROOT}/layers/meta-nwl-distro/files/keys"
 # CoreOS ensure that COREOS_EFI_SECUREBOOT_KEYDIR has a vardep on the
 # hash of each used keys. We don't have to depends on the full path
 # to NWL_ROOT in the hash of COREOS_EFI_SECUREBOOT_KEYDIR
 COREOS_EFI_SECUREBOOT_KEYDIR[vardepsexclude] = "NWL_ROOT"
 # Here you can override settings from the CoreOS distro or from
 # OpenEmbedded-core. But keep in mind that the CoreOS team doesn't support
 # all the features of OpenEmbedded-Core. We have added some checks for some
--- a/layers/meta-nwl-distro/conf/layer.conf
+++ b/layers/meta-nwl-distro/conf/layer.conf
@ -11,3 +11,6 @@ BBFILE_PRIORITY_meta-nwl-distro = "6"
 LAYERDEPENDS_meta-nwl-distro = "core"
 LAYERSERIES_COMPAT_meta-nwl-distro = "kirkstone"
 # Set a variable to get to the top of the metadata location
 NWL_ROOT = '${@os.path.normpath("${LAYERDIR}/../../")}'
--- a/layers/meta-nwl-distro/files/keys/KEK.auth
+++ b/layers/meta-nwl-distro/files/keys/KEK.auth
--- a/layers/meta-nwl-distro/files/keys/KEK.crt
+++ b/layers/meta-nwl-distro/files/keys/KEK.crt
@ -0,0 +1,19 @@
 -----BEGIN CERTIFICATE-----
 MIIDBzCCAe+gAwIBAgIUMBZqg8KVjLqv+5xzlrr//O78ys0wDQYJKoZIhvcNAQEL
 BQAwEzERMA8GA1UEAwwIVEVTVF9LRUswHhcNMjMwNzI2MDg0MDU2WhcNMjQwNzI1
 MDg0MDU2WjATMREwDwYDVQQDDAhURVNUX0tFSzCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBALVZOmvAVYvmOjMITsZiGlKfeafohprnKyC/MEttlceBzwEu
 DSXbvXaGpoaT+SsDkutcJIMkfVte4EEM7m7tmzfJT10++++saG7wzFRfn4qCiz7s
 NVGp7lSQGwPKlqToHtEc3n62Ni9/t2opMbjAMh4MigYmmhgRb0EjubnxkQi02oXQ
 b6vAMsqxsWgHTHQIqMQrMpWP+rxwVB2/0u4GfUvyROIP77gUweINaiaZFNwg5j/M
 HbNpE/YIzvOO1iiut7fGuRq8nzKsRa6v/5sQxpQCiFhEeW+L2TBBLWcn38HkGhZQ
 HL1wrMwIFnxhts+c/iXX/04hX7XLaE2VP8WbZq8CAwEAAaNTMFEwHQYDVR0OBBYE
 FGd2nYmDABv3X2xX5ChFTBGAPT9NMB8GA1UdIwQYMBaAFGd2nYmDABv3X2xX5ChF
 TBGAPT9NMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAK+PrMYv
 /Riu59mNJBBg0IQ5Lg8njkZDJkTUNoPqfduxI8hShCVTazZTOUISrPCKvYWpti4r
 8OAuw/17vBcQzHa2ayJwaiKYL/xC94xxcMwZDsfIul/2TvMsUjh8Tbl6stVLhI5J
 Yga+ytHKkBvTw7whW7uqZAlynk1lkFlCuK5/rTD+WcZADat2kcXVw4ILUSP2QNIj
 HSW3q7YaerxUavPyUiYHTMmjMQtaqjvRv6AZaOFiPvl5/s0HIK2yfwGGyMbXgR/M
 70lqHtrgLORkAruWv35v16BBNaX1rQHholk+HIsjg1kTcjS5Tg9NAF1TAKH4G6LL
 YvNkqBtolbJKmjs=
 -----END CERTIFICATE-----
--- a/layers/meta-nwl-distro/files/keys/KEK.der
+++ b/layers/meta-nwl-distro/files/keys/KEK.der
--- a/layers/meta-nwl-distro/files/keys/KEK.esl
+++ b/layers/meta-nwl-distro/files/keys/KEK.esl
--- a/layers/meta-nwl-distro/files/keys/KEK.key
+++ b/layers/meta-nwl-distro/files/keys/KEK.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1WTprwFWL5joz
 CE7GYhpSn3mn6Iaa5ysgvzBLbZXHgc8BLg0l2712hqaGk/krA5LrXCSDJH1bXuBB
 DO5u7Zs3yU9dPvvvrGhu8MxUX5+Kgos+7DVRqe5UkBsDypak6B7RHN5+tjYvf7dq
 KTG4wDIeDIoGJpoYEW9BI7m58ZEItNqF0G+rwDLKsbFoB0x0CKjEKzKVj/q8cFQd
 v9LuBn1L8kTiD++4FMHiDWommRTcIOY/zB2zaRP2CM7zjtYorre3xrkavJ8yrEWu
 r/+bEMaUAohYRHlvi9kwQS1nJ9/B5BoWUBy9cKzMCBZ8YbbPnP4l1/9OIV+1y2hN
 lT/Fm2avAgMBAAECggEAT5LwnJlPsEx8myn5Dvm7HSgXBMN2VQA8n2jlMyPJxjpC
 b/0aDdOnBhw9c+34NpSh4h6TcuwPCYnPExwuf4RJSKhP59WcTOW1CYEl15wB8JAp
 s5mIJ+ZNytNU10wM4B1ucEmfo7AmhJ8hBzc+Nxg2pZLQ+bP0h70WuVmIxHuoLU4X
 f+V3x0jl5Dgeh0L+j61b6jDYcQmVZmldugj+HxoyJPXZ3z3VcCBHzcX+JdA1YQtz
 9YwH6njxFUs6sTIWpavIphWy7oiulGhRj+8sU6cDpO932T0oLrvFVIPCM1yVSw+k
 h23wb8I20CN/qdjc8nk9uQ1kJfGhbEFCYq+QoQ6F+QKBgQD26N/yhslAVUH+tYQK
 gaQwYJMowj32b77WHIxnTSxmrCZ+Hjelpx57fuBilgvAJtlwxZpd8PJM8fUQff4S
 ob8YGrOg7qLzmtWLnx5VREYekLl6aHsOIlnaQLnsGUHEj6NQfn/2U4BRLv9G1zI+
 Y1SzwfX8QRFOFP9Q6tZXSd7A2wKBgQC8BnB/BmN2jqEgDF3eud+L6mAC5o7Jv/8X
 Xi1/w6OImzhm/poVb9pU5cFAZdzqJ9oIg78YAKERFHjfdLHtASZ1RF7DR2ysVxFC
 R5xPYMttmyfTE/umgIRLwkljMZ5ZTRNvPDkpT0n0BkXxs7D45XB7cEYPzgvUAhwb
 ezEKSc2fvQKBgFHBIgXn41NN56Ay8hmYe4kZMSDZ0DJ9Ja83nLXHs9/7OHOiBcLv
 5wP1Ks7558IkGvNgOpDIazJXG1HupeX9cIzGqpuq6IHIztSAR0bsaFtOiFujpLs1
 XJMLw4QNiN1Qwj6w5CXn2CEJcrU+JADMWwt6Obzgvp4gDbn5SCd26i7pAoGABpcP
 MFSP/eLH4PCuBZVsMWI4lUFxdb7F+RKy84xu2eXe1zVLPz8ZXupimJg5Yvecm7nK
 Y9P50ThveB2F8vGcYHXSAHQraervTuxlnR6eYqwSfEJyCobsnB8mJVTi4Oxjpv1s
 X3dI90WVBACxTjf0dk8cFYe6QGcGhywNLvghPd0CgYEAwHu7S16k/+5JL81QrJMS
 lGUxdJ7xgPZp6G2lnzHKrumUXsE7u9efB3t5RauDX51dLOqaJGzoTVF403Cx/Xps
 kWkWiN8r7g22gHvYWO43mvVyGZ+VUsu5D50gndaDdoCfWoHRZ6UbBPdhAztI/ePU
 kUM2jC74IiCINRyszkcfEUw=
 -----END PRIVATE KEY-----
--- a/layers/meta-nwl-distro/files/keys/PK.auth
+++ b/layers/meta-nwl-distro/files/keys/PK.auth
--- a/layers/meta-nwl-distro/files/keys/PK.crt
+++ b/layers/meta-nwl-distro/files/keys/PK.crt
@ -0,0 +1,19 @@
 -----BEGIN CERTIFICATE-----
 MIIDBTCCAe2gAwIBAgIUaqd3t7MrDxsQCyBIp+ldFIexS+YwDQYJKoZIhvcNAQEL
 BQAwEjEQMA4GA1UEAwwHVEVTVF9QSzAeFw0yMzA3MjYwODQwNTZaFw0yNDA3MjUw
 ODQwNTZaMBIxEDAOBgNVBAMMB1RFU1RfUEswggEiMA0GCSqGSIb3DQEBAQUAA4IB
 DwAwggEKAoIBAQDio1QgioSSx8tzr2YfYFxwxMZvONXTBgyEo1qH9eVnDhd/nN66
 odj0JOWQ6ZxZ1thAA94M0k9uNM60AYd4IPJfIok//MQbICzKbpSp8sTePBui2dxx
 /Su3lkNim9ZkQ5hjbJHhogzF31DfSRhUej9mr5yzDjD+liGtvRKbLZ4RCEx3WeDn
 taS3YojRNBXoNKumr/e6m+qACh9lOswAgAFw0FvS6v5j3y2AzBhL76pBNJ2+phzv
 uDk2xFGz5Hwa2JnjdwbjFJTGMpHRoI8m9PCM9fTAXmgwTaXgP3/6d4HgxHyIyNMK
 oPkPUp26CxpXeP+x6XfHlcUZdE3Agg4TTmaBAgMBAAGjUzBRMB0GA1UdDgQWBBSh
 s2prPUwajZ++I9D8NqQprrUlPTAfBgNVHSMEGDAWgBShs2prPUwajZ++I9D8NqQp
 rrUlPTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBBhsVJzuy2
 BMJft7nzLjplh5234R03/YMieMG3ryOclPaAj8nuEkIRzgE3uJdS/121T2A5wReW
 Pg6o21bPGljXHHGFS6Xh2bav3WLWtB8G2HXQ5xum0sXcj58cNc3DGEq/ECDT+wcX
 Y2RL3RHMZflSndXtcGnqT+9PrgCKaNaxtrIoIWk8SI6p2LEcHbidDiEJ5JHvUr4r
 BWhLsgKmoGCDQsOPAz6ZXZPR34VF56BAVBLAJPymFiV5O/GGL99UfHhEXBO5kPt3
 ha1iPedOfxge+nRuGYxlGF0bcA7gZhPPzuy5rZSTZtXaNMWf8/Hteo18muX3aDqr
 ekkVlpgnXEeJ
 -----END CERTIFICATE-----
--- a/layers/meta-nwl-distro/files/keys/PK.der
+++ b/layers/meta-nwl-distro/files/keys/PK.der
--- a/layers/meta-nwl-distro/files/keys/PK.esl
+++ b/layers/meta-nwl-distro/files/keys/PK.esl
--- a/layers/meta-nwl-distro/files/keys/PK.key
+++ b/layers/meta-nwl-distro/files/keys/PK.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDio1QgioSSx8tz
 r2YfYFxwxMZvONXTBgyEo1qH9eVnDhd/nN66odj0JOWQ6ZxZ1thAA94M0k9uNM60
 AYd4IPJfIok//MQbICzKbpSp8sTePBui2dxx/Su3lkNim9ZkQ5hjbJHhogzF31Df
 SRhUej9mr5yzDjD+liGtvRKbLZ4RCEx3WeDntaS3YojRNBXoNKumr/e6m+qACh9l
 OswAgAFw0FvS6v5j3y2AzBhL76pBNJ2+phzvuDk2xFGz5Hwa2JnjdwbjFJTGMpHR
 oI8m9PCM9fTAXmgwTaXgP3/6d4HgxHyIyNMKoPkPUp26CxpXeP+x6XfHlcUZdE3A
 gg4TTmaBAgMBAAECggEAKzOAC03sNICCPzSNjmiTZmmT+8qFM9sA0t3CmY0dY/YT
 M5+m80N7tBo+ak+lnphuE1HJZ39FZdgKGNT7ykHZgZn3OKvJg/QvpYzLqNOehFBH
 4lSOCWp9hVrO0IKtLOKXr0gYTL7TmXpWk6F+0keVQ1ExWQ5Y94aNt+0FGXBqI4uq
 ENDH3UfFIIZjtoyO4xLa3FBqj19lNsj/RIGAo/H2RgOUAIoG8N6uHBszROd48w1H
 CUgdtCCL1YE2zoDcAcmFTUFI1KA6y5t7n248ZRkRlDZVeeGDSCcH9zFkiy41Vpct
 Ej7BPdCU/t6F3axqXahtkDAAuRKfWjytoVa8iekX0wKBgQD2k0oee/4qaIv5M0Xx
 ZNRcptMCkmX354XfFcWMgLchK1oloZNtLjvntgXmiK6jAGCR8yG1NWFwOB2vhgE0
 UuqU+Ah4JMJHivYVlqhUzFVASYt1XLIrxglHDVq05gfkMjUwVUavB90KPHXwLTJE
 /5iMvyBO7NCJxGXtnwsKw5fKhwKBgQDrTPRbibb1BSCDSCTZHoyVYxTFX5Tyuas3
 Wu2bRmTWo/RsZHhAumemlOIjX/6gRMn2SYAvH4j7V9+V4SFprrajEDQaACwYbRP8
 31yaUAUPbx4b1VgCY0XVS6CCExQOVQdT9YsQueNcmhZ2HU/aELN0InMSwyf+9F90
 vEGU79ZgtwKBgBcw+0OqvdkXRDMIE4gEx8R/HFGdm2GZsQmuboosgQzpmuz3KXqX
 YqMEh8GLEYHbQzn2+DCm+KcpYAFmRS66rb2dJo7GRk+cTlDxfpubLFmDkU5UjZ14
 Xt8D7ogdKpjX8BC/tIo53xxbW2xfk97Re3OhdlR2CZcrlbqnvs4gX2J5AoGBALeM
 oTVi2SCLLlCaj3v7E6lY0BQjOnqZkVEuEhnFMNYqsXl4akH75u0QSNNVh7gX0P/Z
 WC/qRp3ib1xocPsSug+7jRkXN06akDP7PS5262udv3vw0aWTMR9wzjWJkmSXuY6q
 BSA4EX7kCE99EBRIYORgFyn0qJd+o5PZYsM+0BlDAoGBALCEcSsZYWAX+k6/6EsA
 kax0KscOFHji62PSLuWJX7PdLyGeAFnIKfm6X/RKXTInH+1dLJI/BXPuxrKIQFjB
 CUrhmcwdSZ690mQLogT1tFAAt4+FfdGn8cnlPn9r8je/+6AR4sHUkbDTUJgBE3YG
 /OVVo+MW242kcym893qgkPS/
 -----END PRIVATE KEY-----
--- a/layers/meta-nwl-distro/files/keys/db.auth
+++ b/layers/meta-nwl-distro/files/keys/db.auth
--- a/layers/meta-nwl-distro/files/keys/db.crt
+++ b/layers/meta-nwl-distro/files/keys/db.crt
@ -0,0 +1,19 @@
 -----BEGIN CERTIFICATE-----
 MIIDBTCCAe2gAwIBAgIUL8w6OMWe5milePbOVue9IyI4pG4wDQYJKoZIhvcNAQEL
 BQAwEjEQMA4GA1UEAwwHVEVTVF9kYjAeFw0yMzA3MjYwODQwNTZaFw0yNDA3MjUw
 ODQwNTZaMBIxEDAOBgNVBAMMB1RFU1RfZGIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
 DwAwggEKAoIBAQCbGXtPx/xRCDHqPkUSC/g08eH4IQHW2ku7IJwGd3MOfB+hMLVN
 YSMNNx2ltFguPm+bh1rDsT+6Lq+RiXf++KXjzpy7ShRyBQ6Xjy5hfz0hR6CtDonG
 RpBmndgwl2yUVhpdgD0BZzhqO5OzmONqZpP968yIRts7Xl1zF2Z63/EiWdOY5m6Y
 WaE3inRr2W0GttJ55eqVFeBRTX2tASyrh+b1NvWlo52phs/EAb2CCE+cUC82S68Q
 tMsyvIGGNRiBr9tQ5x9rRtPIens8AK9/H9K8rG+ldXcAsop8C4SvQg+hBW8ViHEu
 9EQ1c9N3vA+KE3IP91jvRMP3HONxDWok4pjXAgMBAAGjUzBRMB0GA1UdDgQWBBRl
 oRIc0AjAlJG4xzJAYA3RqoPVAzAfBgNVHSMEGDAWgBRloRIc0AjAlJG4xzJAYA3R
 qoPVAzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBCnMDK+noa
 oYJZZ4H1dvqnjAk2C9Wy2UpeNbM6igFRQUgK6W/4WbUDeHktVB2/X5CqwYJxLC+Y
 S1qNVUiabS4MuuXfGCdvJIcPRUcnx1RIUQL2VpE7I9Z1LQ1qAvJt5Bx1eyKdy/+O
 wYMHQAAcd7lQuwnFLtOgHrOqHOtcp8jiltCoivEIyc+RyZrhq+w8xkZOvhIJ+Nxv
 lo41xQKcXHU1bVV7O0FEyFv7Sj+VRo/Os2Eesk1mEYDiqYfF2mEvFnY+tj8e7jxJ
 N9lRS7mb/5iBObZp6sv2y4afJfzAXDPEt7QVMDORjUqPHhIlkjCpE0/AIwbJVnvd
 5x4tiZjDcVZZ
 -----END CERTIFICATE-----
--- a/layers/meta-nwl-distro/files/keys/db.der
+++ b/layers/meta-nwl-distro/files/keys/db.der
--- a/layers/meta-nwl-distro/files/keys/db.esl
+++ b/layers/meta-nwl-distro/files/keys/db.esl
--- a/layers/meta-nwl-distro/files/keys/db.key
+++ b/layers/meta-nwl-distro/files/keys/db.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbGXtPx/xRCDHq
 PkUSC/g08eH4IQHW2ku7IJwGd3MOfB+hMLVNYSMNNx2ltFguPm+bh1rDsT+6Lq+R
 iXf++KXjzpy7ShRyBQ6Xjy5hfz0hR6CtDonGRpBmndgwl2yUVhpdgD0BZzhqO5Oz
 mONqZpP968yIRts7Xl1zF2Z63/EiWdOY5m6YWaE3inRr2W0GttJ55eqVFeBRTX2t
 ASyrh+b1NvWlo52phs/EAb2CCE+cUC82S68QtMsyvIGGNRiBr9tQ5x9rRtPIens8
 AK9/H9K8rG+ldXcAsop8C4SvQg+hBW8ViHEu9EQ1c9N3vA+KE3IP91jvRMP3HONx
 DWok4pjXAgMBAAECggEAORiyWnZmnnYD2hW+W5xobSU2aJ/OC4glJOgmSAMlKgnr
 ou1JcQj3XGAT2/J+G9gEQh8b/Lp9mU6id1NCB20FtM1UyWXGDQtricO98Upj+KJj
 thGKCqHjesNU2N6FrD3eStlwm9mh3Qm9n/oCjiLhDDMIAosDHeHpSPsuUMGsBVa0
 zDcmcpujgb/aHWw5Iy9yy2Po+M4X2faLljZWwwFvgBDhftlVRGyZOwuUc+TxL6/v
 HEmYGhsDiEle6XiqcV0hVt0obeic7yxQOPEahWbwLdLjrO+Wx1GaTsxbwfqLWU0g
 ut8Te8+8RJiZGdT2mbtbkGiXrN2CbcPfkCvuzDE/UQKBgQDaLtEus8s6tVo9lvh/
 phtb0mwY9dQ7gekrbjVmlHl1Yrtc4UTP4u1MwKu1B8t6Oe0s3i2iYtre2z1F6MmR
 cr1wweN4PNAZ5/6jwsTDDfUEAWPq+vriics5YmyCL9nLaBk4b7/3TZNpmBn/UuOu
 JpFeAhLC3QG9XubHF0mEcKPicwKBgQC1+4ng0jg3jQofTdx29yDND5q1ftbZHx5Q
 n9g4gR8Y9Gr8ETox3GVfiKTAIzaE53UfzEHpEmj756XdggxZIkNvHxWoIAsEEiwY
 nI3ztz9rIQfx+10FVY9VrgTZDDYlv9NMcUg6cEuGbH0lKiZoqRLyVcqGWgWTF2Qg
 gnll54RDDQKBgF3aK7M6Nd6gKhw6N9S5ACXEYyltfYjHfiRneOMSVRjQiqYOZMpD
 5C3S50ms+7Ms/cACJoEmot2gU0AiPaqqP6EkVhPfnOi36cpJutfoxg+eBXwL0CXo
 fhnGI8TwjnA37DlhoKLhpNqUSgKRhkzgXEGjBKz74oayLvVPKBmnVmfPAoGAditM
 MMzQ7GGNPR6WFjoK9p03XLtsT7jBOqFRCf/ubYnpHp0hKNdwjERylsFG2a5ig69i
 7TGjMlANiHS2B/sTxshsi6ui+5XBRIoEM0m+yJW+TwdmM9yHIp/JThd74a9aSb0V
 pbzdjgBMkyF3p2aCgxHqXKuACy+ZOPMAWYeoftECgYEAjKEUKfsZIZfgHicZYxbZ
 gVrIG/ifGKpzPdFYtR2Yq0F7/ECrKf4VRRpfVbs+KPOfaSYtlE400MecOgLsxK76
 LMaSsuJB/YURrUjjR7O5orupVAlIG8tblBiAwx5VAsFTfyw4WVcHP+AJ+kYUuCB0
 JriD7XK6yHORwPka9yD+SYg=
 -----END PRIVATE KEY-----