Add image signing framework and open keys
In order to secure the BMC, we need to sign all the images and include a
public key in the package with which to verify future update images.
This commit adds a framework to sign the image files with an open
private key and generates a corresponding public key added to the image.
This isn't secure by itself (since the private key is available), but
additional changes can easily provide their own private key, creating a
secure BMC.
To use a secure private key:
export BB_ENV_EXTRAWHITE="$BB_ENV_EXTRAWHITE SIGNING_KEY"
SIGNING_KEY=/path/to/secure/key bitbake obmc-phosphor-image
Resolves openbmc/openbmc#2835
Resolves openbmc/openbmc#2836
Resolves openbmc/openbmc#2837
Change-Id: I28919b7de54e3a32e5efcbb4522fb39731e68384
Signed-off-by: Eddie James <eajames@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bb b/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bb
index 11cfe34..e7fe370 100644
--- a/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bb
+++ b/meta-phosphor/common/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bb
@@ -89,7 +89,9 @@
obmc-mgr-download \
"
-${PN}-software-extras_df-obmc-ubi-fs = ""
+${PN}-software-extras_df-obmc-ubi-fs = " \
+ phosphor-image-signing \
+ "
SUMMARY_${PN}-software = "Software applications"
RDEPENDS_${PN}-software = " \