57 lines
2.1 KiB
Plaintext
57 lines
2.1 KiB
Plaintext
The keys under this directory are the public keys used in
|
|
the verification process of secure boot process for StarlingX
|
|
debian.
|
|
|
|
Keys Introduction:
|
|
tis-boot.crt: it is the public key flashed into UEFI to verify
|
|
bootx64.efi (signed shim image shimx64.efi);
|
|
tis-shim.der: it is the public key used by shim to verify
|
|
grubx64.efi (signed grub image) and mmx64.efi
|
|
(signed shim tool image);
|
|
boot_pub_key: it is the public key used by grub to verify signed
|
|
kernel image and initramfs image and efitools image and so on.
|
|
TiBoot.crt: it is the same pub key with tis-boot.crt (pem) as a
|
|
der format. It is installed as /CERTS/TiBoot.crt in the efi.img
|
|
which is in the iso image.
|
|
|
|
The following ways can be used to create substitute keys:
|
|
(1)example to create tis-boot.crt/TiBoot.crt
|
|
openssl req -new -x509 -newkey rsa:2048 -keyout BOOT.priv -outform DER -out BOOT.der -days 36500 -subj "/CN=My Boot/" -nodes
|
|
openssl x509 -inform der -in BOOT.der -out BOOT.pem
|
|
cp BOOT.pem tis-boot.crt
|
|
cp BOOT.priv tis-boot.key
|
|
cp BOOT.der TiBoot.crt
|
|
The tis-boot.crt and tis-boot.key are used to sign images mentioned above.
|
|
|
|
The tis-shim.crt/tis-shim.der/tis-shim.key can be created in the same way.
|
|
|
|
(2)example to create boot_pub_key
|
|
************
|
|
#!/bin/bash
|
|
key_dir="./"
|
|
priv_key="${key_dir}/BOOT-GPG-PRIVKEY-SecureBootCore"
|
|
pub_key="${key_dir}/BOOT-GPG-KEY-SecureBootCore"
|
|
name_real="SecureBootCore"
|
|
pw="PASSWORD"
|
|
USE_PW="Passphrase: PASSWORD"
|
|
|
|
cat >"${key_dir}/gen_keyring" <<EOF
|
|
Key-Type: RSA
|
|
Key-Length: 4096
|
|
Name-Real: ${name_real}
|
|
Name-Comment: EXAMPLE
|
|
Name-Email: a@b.com
|
|
Expire-Date: 0
|
|
${USE_PW}
|
|
%commit
|
|
%echo keyring ${name_real} created
|
|
EOF
|
|
|
|
gpg --homedir "${key_dir}" --batch --yes --gen-key "${key_dir}/gen_keyring"
|
|
gpg --homedir "${key_dir}" -k
|
|
gpg --homedir "${key_dir}" --export --armor "${name_real}" > "${pub_key}"
|
|
gpg --homedir "${key_dir}" --export-secret-keys --pinentry-mode=loopback --passphrase "${pw}" --armor "${name_real}" > "${priv_key}"
|
|
gpg --homedir "${key_dir}" --export "${name_real}" > ${key_dir}/boot_pub_key
|
|
************
|
|
The BOOT-GPG-PRIVKEY-SecureBootCore is used to sign images mentioned above.
|