author | Dave Heller <hellerda@linux.vnet.ibm.com> | 2017-04-05 15:32:14 -0400 |
committer | Stewart Smith <stewart@linux.vnet.ibm.com> | 2017-04-07 14:51:17 +1000 |
commit | 6e393c989a861cac2dac359c8e6ba1d5fc952279 (patch) | |
tree | 50e59adf27375ca6848181411145463cf3aa73af /libstb/sign-with-local-keys.sh | |
parent | 5e738d586828f9ac1c2421f46a8c883606088162 (diff) | |
libstb/create-container: Add full container build and sign with imprint keys
This adds support for writing all the public key and signature fields to the
container header, and for dumping the prefix and software headers so they may
be signed, and for signing those headers with the imprint keys.
Signed-off-by: Dave Heller <hellerda@linux.vnet.ibm.com>
[stewart@linux.vnet.ibm.com: fixup warnings&build, include openssl-devel in CI dockerfiles]
Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Diffstat (limited to 'libstb/sign-with-local-keys.sh')
-rwxr-xr-x | libstb/sign-with-local-keys.sh | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/libstb/sign-with-local-keys.sh b/libstb/sign-with-local-keys.sh
new file mode 100755
index 00000000..d9fed37a
--- /dev/null
+++ b/libstb/sign-with-local-keys.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+PAYLOAD=$1
+OUTPUT=$2
+
+if [ ! -f $PAYLOAD ]; then
+ echo "Can't read PAYLOAD";
+ exit 1;
+fi
+
+KEYLOC="/tmp/keys"
+T=`mktemp -d`
+
+# Build enough of the container to create the Prefix and Software headers.
+./create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
+ -p $KEYLOC/sw_key_a.key \
+ --payload $PAYLOAD --imagefile $OUTPUT \
+ --dumpPrefixHdr $T/prefix_hdr --dumpSwHdr $T/software_hdr
+
+# Sign the Prefix header.
+openssl dgst -SHA512 -sign $KEYLOC/hw_key_a.key $T/prefix_hdr > $T/hw_key_a.sig
+openssl dgst -SHA512 -sign $KEYLOC/hw_key_b.key $T/prefix_hdr > $T/hw_key_b.sig
+openssl dgst -SHA512 -sign $KEYLOC/hw_key_c.key $T/prefix_hdr > $T/hw_key_c.sig
+
+# Sign the Software header.
+# Only one SW key in Nick's repo, and it has a confusing name (should be "sw_key_p")
+openssl dgst -SHA512 -sign $KEYLOC/sw_key_a.key $T/software_hdr > $T/sw_key_p.sig
+
+# Build the full container with signatures.
+./create-container -a $KEYLOC/hw_key_a.key -b $KEYLOC/hw_key_b.key -c $KEYLOC/hw_key_c.key \
+ -p $KEYLOC/sw_key_a.key \
+ -A $T/hw_key_a.sig -B $T/hw_key_b.sig -C $T/hw_key_c.sig \
+ -P $T/sw_key_p.sig \
+ --payload $PAYLOAD --imagefile $OUTPUT
+
+rm -rf $T |
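Review bot: None of the create-container or openssl steps in the new script is checked, so if the first create-container call or any `openssl dgst -sign` fails the script still runs the final create-container with missing or empty .sig files and exits with the status of `rm -rf`; a `set -euo pipefail` after the shebang stops at the first failure. The `-x` on `#!/bin/bash -x` is dropped when the script is started as `bash sign-with-local-keys.sh`, so if tracing is wanted it belongs in a `set -x` in the body. Every expansion of `$PAYLOAD`, `$OUTPUT`, `$KEYLOC` and `$T` is unquoted, so a payload path containing spaces breaks the argument lists, and the temp dir is only removed on the success path; quoting them and removing `$T` from an EXIT trap keeps the cleanup on every exit. `KEYLOC="/tmp/keys"` reads the signing keys from a world-writable directory where another local user can replace them before the run; since the commit message says these are the imprint keys, a comment stating that assumption, or a key location under the build tree, would make the trust boundary explicit.
```shell
#!/bin/bash
set -euo pipefail   # abort on the first failed create-container/openssl step

PAYLOAD=$1
OUTPUT=$2

if [ ! -f "$PAYLOAD" ]; then
 echo "Can't read PAYLOAD" >&2
 exit 1
fi

KEYLOC="/tmp/keys"   # imprint keys per the commit message; /tmp is shared, so confirm this is the intended source
T=$(mktemp -d)
trap 'rm -rf -- "$T"' EXIT

# … unchanged: create-container and openssl dgst steps, with each $KEYLOC/$T/$PAYLOAD/$OUTPUT expansion double-quoted …
```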