From b42e3ad58b10ec99e06daf02254c8792e383d98c Mon Sep 17 00:00:00 2001
From: Sayan Chowdhury
Date: Fri, 24 Nov 2023 04:41:17 +0530
Subject: [PATCH] sys-boot/shim: Update shim to include signing keys, and build mm.efi

Signed-off-by: Sayan Chowdhury
---
.../coreos-base/coreos-sb-keys/README.md | 18 ++++++++++++++++++
....0.2.ebuild => coreos-sb-keys-0.0.3.ebuild} | 9 +++++----
.../sys-boot/shim/shim-9999.ebuild | 10 ++++++++--
3 files changed, 31 insertions(+), 6 deletions(-)
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/{coreos-sb-keys-0.0.2.ebuild => coreos-sb-keys-0.0.3.ebuild} (77%)

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
new file mode 100644
index 0000000000..0231aa542e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
@@ -0,0 +1,18 @@
+## Keys & Certificates
+
+- PK (Platform Key): The Platform Key is the key to the platform.
+- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
+- DB (Signature Database): The signature database is used to validate signed EFI binaries.
+- Shim Certificates: Our set of certificates
+
+
+## Generation of Keys & Certificates
+
+
+Generate the our shim certificates:
+
+```
+openssl genrsa -out "shim.key" 2048
+openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
+openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
+```
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
similarity index 77%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
index 14af7b694a..db4dc4b974 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
@@ -1,14 +1,15 @@
 # Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 DESCRIPTION="Flatcar Secure Boot keys"
 HOMEPAGE=""
 SRC_URI=""
 LICENSE="BSD"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
+KEYWORDS="amd64 arm64"
 IUSE=""
 
 S="${WORKDIR}"
@@ -24,6 +25,6 @@ src_install() {
 
 # shim keys
 newins "${FILESDIR}/shim.key" shim.key
- newins "${FILESDIR}/shim.der" shim.der
- newins "${FILESDIR}/shim.pem" shim.pem
+ newins "${FILESDIR}/shim.der" shim.der
+ newins "${FILESDIR}/shim.pem" shim.pem
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
index 81f69f36cd..cc18a91ffb 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
@@ -26,7 +26,10 @@ RDEPEND=""
 # currently the shim insists on using the bundled copy. This will need
 # to be addressed by patching this check out after making sure that
 # our copy of gnu-efi is as usable as the bundled one.
-DEPEND="dev-libs/openssl"
+DEPEND="
+ dev-libs/openssl
+ coreos-base/coreos-sb-keys
+"
 
 src_unpack() {
 cros-workon_src_unpack
@@ -47,6 +50,8 @@ src_compile() {
 elif use arm64; then
 emake_args+=( ARCH=aarch64 )
 fi
+ emake_args+=( ENABLE_SBSIGN=1 )
+ emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
 emake "${emake_args[@]}" || die
 }
 
@@ -60,4 +65,5 @@ src_install() {
 fi
 insinto /usr/lib/shim
 newins "shim${suffix}.efi" 'shim.efi'
-}
+ newins "mm${suffix}.efi" "mm${suffix}.efi"
+}
\ No newline at end of file
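Review bot: The new `coreos-base/coreos-sb-keys` entry in DEPEND pulls in a package whose src_install (the second hunk of coreos-sb-keys-0.0.3.ebuild in this patch) installs the private key, `newins "${FILESDIR}/shim.key" shim.key`, right next to the shim.der that this ebuild embeds as the vendor certificate. Building shim needs only the DER certificate, so the private key has no reason to be in a package that is installed into the build root; whether that root is later turned into the shipped image is not visible here, but if it is, the key that can produce binaries this shim trusts would be distributed with every image. Consider a certificate-only package (or at least a separate package for the key) so that the shim dependency never brings the private key along, and keep the signing material in the SDK build environment only.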
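Review bot: `VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der"` is an absolute path on the SDK host, but the coreos-sb-keys files added to DEPEND are installed into the board sysroot, so on a cross-compiled board this reads whatever copy the host happens to have — a missing file breaks the build, and a different file silently changes the trust root compiled into shim. Point it at the sysroot instead, `emake_args+=( VENDOR_CERT_FILE="${ESYSROOT}/usr/share/sb_keys/shim.der" )` (ESYSROOT exists from EAPI 7; the ebuild's EAPI line is outside this hunk), and guard it with `[[ -r "${ESYSROOT}/usr/share/sb_keys/shim.der" ]] || die "vendor certificate missing"` before the emake call so the failure is explicit. `ENABLE_SBSIGN=1` switches the build to signing with sbsign, yet nothing in the hunk tells the Makefile which key and certificate to sign with, so confirm that it signs with the intended shim key rather than something generated at build time. src_compile begins outside the hunk.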
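Review bot: `newins "mm${suffix}.efi" "mm${suffix}.efi"` installs MokManager as produced by the build, but under Secure Boot shim only launches MokManager when it carries a signature from the embedded vendor certificate (the shim.der set in src_compile), so confirm this file is the signed artifact and not an unsigned intermediate; if the sbsign step writes a separately named signed copy, that copy is the one to install. `newins` with identical source and destination is just `doins "mm${suffix}.efi"`, and the new closing brace drops the file's trailing newline (`\ No newline at end of file`), which should be restored. src_install starts outside the hunk.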