Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / meta-phosphor / 1a623ef43232b1d713a0b6d52a24ace4719714de^! / . / common / recipes-phosphor / flash / phosphor-image-signing.bb
commit1a623ef43232b1d713a0b6d52a24ace4719714de[log] [tgz]
authorEddie James <eajames@us.ibm.com>Fri Feb 09 11:59:18 2018 -0600
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Fri Mar 30 17:31:20 2018 +0000
tree0c921f007cbe9f3b90d3e0eba102cbe8f8c6af77
parent0f4408deab4644577128065585ce0c8443ef08a1 [diff] [blame]
Add image signing framework and open keys

In order to secure the BMC, we need to sign all the images and include a
public key in the package with which to verify future update images.
This commit adds a framework to sign the image files with an open
private key and generates a corresponding public key added to the image.
This isn't secure by itself (since the private key is available), but
additional changes can easily provide their own private key, creating a
secure BMC.

To use a secure private key:
  export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE SIGNING_KEY"
  SIGNING_KEY=/path/to/secure/key bitbake obmc-phosphor-image

Resolves openbmc/openbmc#2835
Resolves openbmc/openbmc#2836
Resolves openbmc/openbmc#2837

Change-Id: I28919b7de54e3a32e5efcbb4522fb39731e68384
Signed-off-by: Eddie James <eajames@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/common/recipes-phosphor/flash/phosphor-image-signing.bb b/common/recipes-phosphor/flash/phosphor-image-signing.bb
new file mode 100644
index 0000000..897bfde
--- /dev/null
+++ b/common/recipes-phosphor/flash/phosphor-image-signing.bb

@@ -0,0 +1,29 @@
+SUMMARY = "OpenBMC image signing public key"
+DESCRIPTION = "Public key information to be included in images for image verification."
+PR = "r1"
+
+inherit allarch
+inherit obmc-phosphor-license
+
+INSECURE_KEY = "${@'${SIGNING_KEY}' == '${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv'}"
+
+DEPENDS += "openssl-native"
+DEPENDS += "${@oe.utils.conditional('INSECURE_KEY', 'True', 'phosphor-insecure-signing-key-native', '', d)}"
+
+FILES_${PN} += "${sysconfdir}/activationdata/"
+
+SIGNING_KEY ?= "${STAGING_DIR_NATIVE}${datadir}/OpenBMC.priv"
+SIGNING_KEY_TYPE = "${@os.path.splitext(os.path.basename('${SIGNING_KEY}'))[0]}"
+
+do_install() {
+	openssl pkey -in "${SIGNING_KEY}" -pubout -out ${WORKDIR}/publickey
+	echo HashType=RSA-SHA256 > "${WORKDIR}/hashfunc"
+
+	idir="${D}${sysconfdir}/activationdata/${SIGNING_KEY_TYPE}"
+
+	install -d ${idir}
+	install -m 644 ${WORKDIR}/publickey ${idir}
+	install -m 644 ${WORKDIR}/hashfunc ${idir}
+}
+
+SYSROOT_DIRS_append = " ${sysconfdir}"