From 7549a93e9985da8453e683265ad0c65694765be0 Mon Sep 17 00:00:00 2001 From: California Sullivan Date: Mon, 28 Aug 2017 15:19:00 -0700 Subject: recipes-selftest: add images for use in secureboot selftests This patch adds two image recipes and several keys for use in secureboot selftests. One image is an unsigned comboapp with a startup.nsh file calling bootx64.efi. The other is a comboapp image signed with the refkit keys by default. These are the same keys enrolled in the ovmf firmware. Also included is another set of keys to sign the image with that do not match the ovmf firmware's enrolled keys. Signed-off-by: California Sullivan Signed-off-by: Saul Wold --- common/recipes-selftest/images/files/incorrect.crt | 19 +++++++++++++++ common/recipes-selftest/images/files/incorrect.key | 27 +++++++++++++++++++++ common/recipes-selftest/images/files/refkit-db.crt | 18 ++++++++++++++ common/recipes-selftest/images/files/refkit-db.key | 28 ++++++++++++++++++++++ .../images/secureboot-selftest-image-signed.bb | 6 +++++ .../images/secureboot-selftest-image-unsigned.bb | 20 ++++++++++++++++ 6 files changed, 118 insertions(+) create mode 100644 common/recipes-selftest/images/files/incorrect.crt create mode 100644 common/recipes-selftest/images/files/incorrect.key create mode 100644 common/recipes-selftest/images/files/refkit-db.crt create mode 100644 common/recipes-selftest/images/files/refkit-db.key create mode 100644 common/recipes-selftest/images/secureboot-selftest-image-signed.bb create mode 100644 common/recipes-selftest/images/secureboot-selftest-image-unsigned.bb (limited to 'common') diff --git a/common/recipes-selftest/images/files/incorrect.crt b/common/recipes-selftest/images/files/incorrect.crt new file mode 100644 index 00000000..3a2411ab --- /dev/null +++ b/common/recipes-selftest/images/files/incorrect.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAfGgAwIBAgIJAIYXAHv3cQNjMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV +BAMMEFRlc3QgWW9jdG8gdGhpbmcwHhcNMTcwMTI1MjI1MjI3WhcNMTgwMTI1MjI1 +MjI3WjAbMRkwFwYDVQQDDBBUZXN0IFlvY3RvIHRoaW5nMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXD +SwDVXNWfiKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoeh +T51gkuTfv7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE +31hLOkCFb+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk +/6q5kqNhyrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4 +GqpqeFOPqxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABo1AwTjAdBgNV +HQ4EFgQURA8KbgpiGfS2+7MT0H5AvpxeYLowHwYDVR0jBBgwFoAURA8KbgpiGfS2 ++7MT0H5AvpxeYLowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9n+ +9T+hlM2kEpsUgtyihEJbGHzbw+Pj11b0ICntCVuPKewtBMveYp8lejrQwMFNGRMt +ZQe1LFb9HcLeM3MLUz9Lm4BJIjkey3Jfq1AskROYk/bJnFIJIx6P3U9gBa20P46X +LH3g6yub1HR7KZC9nfBsak3FPoJR/SYTJs0HsMeL4878+2IbETA4BL0kbKW48FFW +jF4f6don0eiaF8b4KkfbWKrCaEm+LMxbyBEQ6fIb1cmGY8A9A5houjmgi6YWSkoi +SLpOC9TZ2R51fO9rRsv7XwLK0V9o9YaEYPBg6V/TeJl5nxAZBeVTKVTQbBGZY+l2 +nzN0pKsl7RXLf3SRYA== +-----END CERTIFICATE----- diff --git a/common/recipes-selftest/images/files/incorrect.key b/common/recipes-selftest/images/files/incorrect.key new file mode 100644 index 00000000..d05475b6 --- /dev/null +++ b/common/recipes-selftest/images/files/incorrect.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXDSwDVXNWf +iKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoehT51gkuTf +v7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE31hLOkCF +b+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk/6q5kqNh +yrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4GqpqeFOP +qxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABAoIBAQCEtAox86s9N6d2 +164z3998Zmj3UyL+7K9x6JI2YvMabBSYGOeaLOLRj6fjQxdC63H8brBM958p4di7 +Z82XMco4Dok6yoOeJ+hMLYv+gfGvTJxy7DhyVXsSwok99axg9vUsV3TYw3wSdpNF +EKLkcUldpu0W2ADBHUr4sLI85xctHH3Kt0sNDzhgADFa5rDYACXTKHtFOhEqBIwN +FmbuRQirnErUkI3Pczgl2Xy1MlaozH9CB+bLAb5q2FYu4DKgjl4UorC+w2HV41KH +XoL7L36XXqLRHBfEAwOWb8yro+TK8T7gW7aagTI1wgsbbQkjQmOHxclmJACdMOiJ +DjPeR0GBAoGBAO7i2eaEoKa9QlKokN+93uOJD/F6DBi6jF0vGOqWlF8AVTj3kGL3 +X8fY/avrSlg7hKZWdei+Q5PyZViKxqmHjq781ZisKck52Tqz4s7ylqRXSgStinZr +UqrkShCqZ3g1W91gIeVPQz0/b+gBskoHzQ5WQHfV5v9S1PaxjzcYtCrRAoGBAMea +LcA2jjuEjqxa5v5fh8ygcHasJMRKJxW1OCKiQ94DjjzPsdVqZ1sJZChLW/N3nxe7 +wHlNJmsGbJ2w1zD5+qkkPjLq5Q4B5KAd62NNrWaEHFdEc/PPkn4xP7Zkfuu5K+m2 +7z/MF4ibvVh9PvD3HY8FWKEtkqB4rfD8AoUOVd4ZAoGAXxXAsfa8k2Hl0kzyTXyg +CWV3CSERS46FbFngyw9gw2e4hFJWEG5ym3ONlS60iuY16JelmxyQfYUQPewPI0+n +xZMx2fE9OLFj+++6KbF5sLRl6/K/mF8jqo3vxS5uvPRQOo+XLlUcaHalrm1ub/Um +87v1MT3dEmgACKmoXb/hhuECgYAZluiapePiOYJZEmZe4jx0vXTtofAswhz0qYEC +3663vdj0buQrqjKJ91BB4jdtpT5eOpHYe02blv1B0jQkcUfze1QGDxtCineXF37g +Aktiwzkm7v22mjv7tbCnX4buDZVVp0BQ+4dg2iaSO6xgFC5T8amFMGSF8jLKnGRu +ToIvsQKBgADBTse2vnI85NRsYq48ztQuIU2zlGXIAcoPSvGb8Vhty/joc0jWcI5P +raGXBARbuVlcEapK3mDRfO0CQjDaTPK4EYYJwGp8k33Hkkcbgs4kfm308jRsclMr +YeMwQsYyOv45x4iPCwrqZEhpPDvACBi7DB6QvZ0++vJbobTt1jyi +-----END RSA PRIVATE KEY----- diff --git a/common/recipes-selftest/images/files/refkit-db.crt b/common/recipes-selftest/images/files/refkit-db.crt new file mode 100644 index 00000000..22ad6a89 --- /dev/null +++ b/common/recipes-selftest/images/files/refkit-db.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC+zCCAeOgAwIBAgIJANT2SMJoGZGsMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCXJlZmtpdC1kYjAeFw0xNzA0MjAxMjA2MzJaFw0xODA0MjAxMjA2MzJaMBQx +EjAQBgNVBAMMCXJlZmtpdC1kYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALQcIqYiAVfN8U+vcuPZAYBQVe8CXuuZNct/Knn/tT7sXZIGMCDnla2khC4/ ++tdG3Umo6ON5SfaPCx3+Y6jRY6PWDU5sZlzWZibRJpjUT3bJZUhYEwgxvOVHJWWV +OYlfAvHFBhdYygn99h7Fl9qjThpIvs+WJwRLt21ntlAYBHNR0mot3zur8i2V16i4 +qDChq4uSK2A+OuWGQHHBPy0ukOfW7MzCC3mDcW32o6lMzUaB3O/sUb6BKvF4c0Hb +VM58zqLjkE9FGvk9iPwO7dNpIkz6CmnRSMCqqTqzjxA6dqgMej3Yec4clmL0Bu5H +6OBpka7qNM/aqLQ5XvN60IhIR2kCAwEAAaNQME4wHQYDVR0OBBYEFGhgESWFFHgb +Gp9GEuYh5O/7O6rdMB8GA1UdIwQYMBaAFGhgESWFFHgbGp9GEuYh5O/7O6rdMAwG +A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ShHxDR8pr/YeD0O910yBS +cxiqMnH7pfTJEaNoTbed5tlGJNzHwjv5sJj87jRuEJs9RG4zCRG4KdYtBs9nj5aF +nWNyv2RfDePJYxlx1H1MnHdG2iCXbbzdwh/zQDge58xVBXK6JE+zipMMMGDan281 +9vuwH7MA3cSmvOI3waPv2aGG+eukpUU4/06HSkHPbml+l74tIryNoBohj0tykAFc +uqWcLdclJPz/XFgURjAJfFVkgwu5388l7uz3y9vRW5OTyIoQRriwNRxsDY8Dao8b +NmjzU4k2WyGA3uOSUpSXnUmJfT7eKVG6Efe6Afer6sGnLqNNZf1AcfHiP2woy9M= +-----END CERTIFICATE----- diff --git a/common/recipes-selftest/images/files/refkit-db.key b/common/recipes-selftest/images/files/refkit-db.key new file mode 100644 index 00000000..4b54587e --- /dev/null +++ b/common/recipes-selftest/images/files/refkit-db.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0HCKmIgFXzfFP +r3Lj2QGAUFXvAl7rmTXLfyp5/7U+7F2SBjAg55WtpIQuP/rXRt1JqOjjeUn2jwsd +/mOo0WOj1g1ObGZc1mYm0SaY1E92yWVIWBMIMbzlRyVllTmJXwLxxQYXWMoJ/fYe +xZfao04aSL7PlicES7dtZ7ZQGARzUdJqLd87q/ItldeouKgwoauLkitgPjrlhkBx +wT8tLpDn1uzMwgt5g3Ft9qOpTM1Ggdzv7FG+gSrxeHNB21TOfM6i45BPRRr5PYj8 +Du3TaSJM+gpp0UjAqqk6s48QOnaoDHo92HnOHJZi9AbuR+jgaZGu6jTP2qi0OV7z +etCISEdpAgMBAAECggEAbtXplKbUgL4hQ9JKN2Cxhc7qMv0YgI92BVaqQw1S8ffu +1Q+tynH5MDRPi06gBJ59SvkA6AsZsvrv8nM7zQWd9ZKh+aLHk1X04upOgDoW9JiX +FV/txlslTUrs/ohIMfsgCrweNXvUSTXZobIi8s8QHyipE4HpXMFjjZYHIV7GTlgA +PRgGu3NygbWfR8hcx5JtzVz/jka7FFFSbk/pMr0TeJHXP55VfqWLeeSBQmWwooj2 +QcRfqMXgLKgu6uEggaP5HMcfTuWgWNhbke/596CgsUtQ5Gg64Q6v7cKcPy0/lgn1 +PnvfT9uhgEFDLNFkSBxV3ImrNYo73Nqmbp3w5tK9SQKBgQDs/HW7pNnB0LD51qok +pkX0SBvyKxDT1QuU4z0FY9GT7OKOg8Xa0ZGyErt+ZbyFiyUGF5Axc3rJ3DyGslgu +5O+AqcpCQOlOyovGQ6ST9x/gEeVcRnZn1MV4vMxwaOSXtY7u0IGyaDlFn1QWHWCN +imv8OR6YuhivwBIXGzJ16oEqDwKBgQDCj3ls7tlPrLvUQIh8gfjCoInU8fRAqtAe +Ab/OximLsKQPKLDma6xd+X2Fk8Dowdb88GNT99x3VZjHqVJM9URDkiOGKAXA/rBp +jAXhnQwahT8YCzOUHqDYNMMQrXHvbiHqLodGrrO2WjYNmH69prQAk8WYAIwl+hdx +BS70LGLPBwKBgQDU9RinAkBcFjiyieBjBreeCJ50Q5bfhHbf2EOhcE2IbDo6bteB +Bwmxx3uM3cdHCf6/NrVweqFAfBQ3xlPP8BH4wJrsZoBBOWnZRDfEbzHJnMtK3FbS +fzTkhmQAL4Ibgh9rIxspQtcUZVSees+k4VqgUIPaIoDEjgizktEJfS2MqQKBgQDA +rOFtVaRz2PYyHq6LzxMRe3bEIdDn8cEk1kqjdW9TXV07feqiZmNOtXLvRAG4/63u +1Akp8L6ul2Az6qUMfaBa4nC3vQ7lr9P40qhIZATGhsqS/xTXTPWw55999qZsnL6N +cgKZpw1mOzRohmqNWnfMUotOGsywF1n7nUyAlyxLJQKBgElTaNTFYF3MbGfhl1He +fnDXlf8OCOK1i5oIzMLqverb2UN/qp6p0b3SAtcw5cUXcaPlajHrfYgacF/0Qyua +Cerey9GLEdJ7saDWhz0GyJ8yyEXy8CVs0svVaLPWI0s2B7/obzP9+gTb/WE9qZqu +bNoVEpJ/wZhk+IL4+KPmqphu +-----END PRIVATE KEY----- diff --git a/common/recipes-selftest/images/secureboot-selftest-image-signed.bb b/common/recipes-selftest/images/secureboot-selftest-image-signed.bb new file mode 100644 index 00000000..3ce11f32 --- /dev/null +++ b/common/recipes-selftest/images/secureboot-selftest-image-signed.bb @@ -0,0 +1,6 @@ +require secureboot-selftest-image-unsigned.bb + +IMAGE_FEATURES += "secureboot" + +SECURE_BOOT_SIGNING_KEY ?= "${THISDIR}/files/refkit-db.key" +SECURE_BOOT_SIGNING_CERT ?= "${THISDIR}/files/refkit-db.crt" diff --git a/common/recipes-selftest/images/secureboot-selftest-image-unsigned.bb b/common/recipes-selftest/images/secureboot-selftest-image-unsigned.bb new file mode 100644 index 00000000..e03e7b47 --- /dev/null +++ b/common/recipes-selftest/images/secureboot-selftest-image-unsigned.bb @@ -0,0 +1,20 @@ +require recipes-core/images/core-image-minimal.bb + +DEPENDS_remove = "grub-efi" + +inherit uefi-comboapp + +WKS_FILE = "generic-bootdisk.wks.in" + +do_uefiapp_deploy_append() { + for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do + target=`basename $i` + target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'` + + cat > ${IMAGE_ROOTFS}/boot/startup.nsh << EOF +$target +reset +EOF + break + done +} -- cgit v1.2.3-54-g00ecf