Add image signing framework and open keys
In order to secure the BMC, we need to sign all the images and include a
public key in the package with which to verify future update images.
This commit adds a framework to sign the image files with an open
private key and generates a corresponding public key added to the image.
This isn't secure by itself (since the private key is available), but
additional changes can easily provide their own private key, creating a
secure BMC.
To use a secure private key:
export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE SIGNING_KEY"
SIGNING_KEY=/path/to/secure/key bitbake obmc-phosphor-image
Resolves openbmc/openbmc#2835
Resolves openbmc/openbmc#2836
Resolves openbmc/openbmc#2837
Change-Id: I28919b7de54e3a32e5efcbb4522fb39731e68384
Signed-off-by: Eddie James <eajames@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-phosphor/common/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb b/meta-phosphor/common/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb
new file mode 100644
index 0000000..55ebe57
--- /dev/null
+++ b/meta-phosphor/common/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Insecure private key for testing and development"
+DESCRIPTION = "Do not use this key to sign images."
+PR = "r1"
+
+inherit allarch
+inherit native
+inherit obmc-phosphor-license
+
+SRC_URI += "file://OpenBMC.priv"
+
+do_install() {
+ bbplain "Using an insecure image signing key!"
+ install -d ${D}${datadir}
+ install -m 400 ${WORKDIR}/OpenBMC.priv ${D}${datadir}
+}