Pengutronix has published well known RSA and ECDSA keys for development purposes. This adds the public keys to the tree and adds CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS. By enabling this option these keys will be built into the barebox binary to allow for easy signing tests.
As these keys obviously should not show up in a production build this option selects HAS_INSECURE_DEFAULTS. The private keys for the well known development keys can be found at [1]. [1] https://git.pengutronix.de/cgit/ptx-code-signing-dev/ Signed-off-by: Sascha Hauer <[email protected]> --- Documentation/user/security.rst | 5 +++++ crypto/Kconfig | 4 ++++ crypto/Makefile | 9 +++++++++ crypto/fit-4096-development.crt | 33 +++++++++++++++++++++++++++++++++ crypto/fit-ecdsa-development.crt | 13 +++++++++++++ 5 files changed, 64 insertions(+) diff --git a/Documentation/user/security.rst b/Documentation/user/security.rst index cc15c8b512b277dc4480b67d5e378958ac916a1a..357ea86a1d9abcc49b0d01ad24981e90d1e3fc45 100644 --- a/Documentation/user/security.rst +++ b/Documentation/user/security.rst @@ -81,6 +81,11 @@ be allowed to boot any images that have not been signed by the correct key. This can be enforced by setting ``CONFIG_BOOTM_FORCE_SIGNED_IMAGES=y`` and disabling any ways that could use used to override this. +For development convenience ``CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS`` keys +can be used to compile in well known development keys into the barebox binary. +The private keys for these keys can be found +`[here] <https://git.pengutronix.de/cgit/ptx-code-signing-dev>`__ + Disabling the shell ^^^^^^^^^^^^^^^^^^^ diff --git a/crypto/Kconfig b/crypto/Kconfig index 4f9cc3e6a560b653225efd70246ad1d79a451f78..f1f9b9bb80cfc88836c6b6b384bd8b089108b412 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -145,6 +145,10 @@ config CRYPTO_PUBLIC_KEYS corresponding value in the environment variable VAR_NAME for both public key paths/URIs as well as key name hints. +config CRYPTO_BUILTIN_DEVELOPMENT_KEYS + select HAS_INSECURE_DEFAULTS + bool "Include development keys in build" + config CRYPTO_KEYSTORE bool "Keystore" help diff --git a/crypto/Makefile b/crypto/Makefile index 7148aecb4a8e2275a62b25c834b1743c156a7f91..481bbec81bb2da3fbaea20c6e4eb32d6c79be4b0 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -33,6 +33,15 @@ $(obj)/public-keys.o: $(obj)/public-keys.h CONFIG_CRYPTO_PUBLIC_KEYS := $(shell echo $(CONFIG_CRYPTO_PUBLIC_KEYS)) CONFIG_CRYPTO_PUBLIC_KEYS := $(foreach d,$(CONFIG_CRYPTO_PUBLIC_KEYS),"$(d)") +ifdef CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS +ifdef CONFIG_CRYPTO_RSA +CONFIG_CRYPTO_PUBLIC_KEYS += rsa-devel:$(srctree)/crypto/fit-4096-development.crt +endif +ifdef CONFIG_CRYPTO_ECDSA +CONFIG_CRYPTO_PUBLIC_KEYS += ecdsa-devel:$(srctree)/crypto/fit-ecdsa-development.crt +endif +endif + filechk_public_keys_dummy = echo $(obj)/public-keys.h: FORCE diff --git a/crypto/fit-4096-development.crt b/crypto/fit-4096-development.crt new file mode 100644 index 0000000000000000000000000000000000000000..dffba216b9c671899bb7c12fb1560e2431b9aa6e --- /dev/null +++ b/crypto/fit-4096-development.crt @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpzCCA4+gAwIBAgIUFUQCZBUFYriH8+8jb1A9eJv5N30wDQYJKoZIhvcNAQEL +BQAwXTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50 +IHNpZ25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5k +ZTAgFw0xOTEwMDExMzA1MThaGA8yMTE5MDkwNzEzMDUxOFowXTEUMBIGA1UECgwL +UGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMw +IQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAMmR5Io1H6qALxBC2sUi548qoU6axIpZ3+yar0gj +A1FF79nRJZNa+EcIgaMCaf+Ft7DseIAEhBzNsZQ1sj2GVEf9W7WXlSbziET1n8PC +aC097W20kziMNOAZOjFIdy24AbcW2yhhpBXsKtzm9V0DlnGN2QM3yxbqKD1iUOl/ +iInM5KwNKxp8KboR5W/LTnUGUYw3ryFVbxJEY0YqqwMOaSk8vzLf0iSf8gu6iabS +ELJEONst0ah3glZj+mRelVdbHDZh6/PpEQ9fQ4QqLOgy1qtqQhT8J0poDOE9BVnC +bDIjbWvq7UavpBu0YzjmG26r7pN75DK0E0UHgGH3Z7jhophkGMYlYfarjjFRujSd +ocpU2tEvxDykFELyvQPG5w7pedtlz5jFRzrS11RrcCsfcUFMf9g+2qKpZlSUhkHg +DDYtDRBYam7hnV7if9nCsLaGwpZM9Fm2zJSOFATO1eKj9yUpMYqI0SobTR7XRNyr +Rd66J0SWlPsg4IDaG1i4ieE7UNDgAtURBCRqu7PZPAEovurPlV+8lbZRljCI2wRg +JfJaoF17AKa0a5raH2kIBD1b3EgCG7nIfyaqR4bPLxwYlm/ymXTnv7zImEBP3ffy +mPK8m2Wtw4Sr8ze1+fcpjmCyCxwe918YuW0AOtQ2nmBOCpz4iWhA61HHK5RYzASM +Bq6LAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQW +BBRscfq3jG3UfwhRTQyiWoStdF/WFzAfBgNVHSMEGDAWgBRscfq3jG3UfwhRTQyi +WoStdF/WFzANBgkqhkiG9w0BAQsFAAOCAgEAp6suTnOCSormgkuhopR5Sk0nl1ME ++DSxB56E6HVOgP2lXfNAYtfjdZwPtD2cCMyZD9m0w5usXUb+XFzW4L4AFsBnwbuu +3/082u/qF21v7sEhdi83p3ordHnevc5HTTN0mfUNlqsCG+sCL+w+IQEWvHii4Hnc +MPv6xbEhxU0ahTpByFwj0+YFPMq4nwQi6pqZCCP7qm0UV+T5+W8CnCivDq9laX+g +RyJIPgH67ZFQlnnhjSqNq+7yF3Ac0U3IcMKSMaCOCIxuh+QfgHqE9jP62pRblpJx +UPX5WF9/tBQ7757UEj+nHRKpgnJQzQ6Ks8/7FVmvbY9g9KWEIfeULsT8M1qMdW1E +bZqleKhEySQbqUyIM29SpIfqd8unBecKFELfVf47TTEbWQRSExRMDGs31MXnvsiP +jCSW7+BZNBwRXAyR3jB2ludw7DpZJk/VzTf2tja/FPl0sGSG0ggdmGHDnvHApQn5 +RidvJEyQSv+hfn6x+wE0nWpY2/+bV9RvOPwZnLsYkb9falnLwBlTpwa2uX6o4LP1 +8orfuQn3SrfRRKuaVwzjRvkb2fw15745mmOWK/VVtrHD8B3kA6cmTW3JEace+wma +qCeFbwawz4vZpYCV4hQm06YefDRwZ4zBnkPnkN8i0Wqnb2kJUk5YrWKMZyFagAFU +Yu8PytQLFKL1pZU= +-----END CERTIFICATE----- diff --git a/crypto/fit-ecdsa-development.crt b/crypto/fit-ecdsa-development.crt new file mode 100644 index 0000000000000000000000000000000000000000..490d48b93a094ca5ed6fe507193a19eeb35683ae --- /dev/null +++ b/crypto/fit-ecdsa-development.crt @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB+jCCAaCgAwIBAgIUPWGk8K75jmaLrLI7VkbZQwbJuU4wCgYIKoZIzj0EAwIw +XTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNp +Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTAg +Fw0yNDA3MjYwOTM5NTZaGA8yMTI0MDcwMjA5Mzk1NlowXTEUMBIGA1UECgwLUGVu +Z3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMwIQYJ +KoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABKMAmtjmHz3Rka9SaUmDjTgNzdo8CYxmz23xurgcyoNVajjpNGv1 +XwXxG0Hr+l/ehwnes77wtrYwYLyAlvFAdE2jPDA6MAwGA1UdEwEB/wQCMAAwCwYD +VR0PBAQDAgeAMB0GA1UdDgQWBBQ5gyCsUddXXclJHHRUH+w2+R0N2jAKBggqhkjO +PQQDAgNIADBFAiAfMkyM1n7JYCYqvYq4YdbWD8q2kZvVYhRK7gKIRZNUjAIhAKng +1plXACT2UcKDQV9+o3qbve9LDV3aASRmZz47DX+0 +-----END CERTIFICATE----- -- 2.39.5
