Difference between revisions of "Secure Boot with your own keys"

Latest revision as of 19:54, 26 March 2020

Disclaimer: There may be a cleaner way to do this. There may also be a way to speed the process up using partial rebuilds. This guide was created by Fizzbuzz and successfully tested on a Blackbird system using the raptor-v2.00 branch of the blackbird-op-build firmware repository.

Set up a Debian Stretch build environment in accordance with the instructions on the Compiling Firmware page.
Set environmental variables (for the purposes of this walkthrough and its helper functions) referring to the OpenPower build directory and the directory where you will be placing your firmware signing keys:
```
1 export OPBUILDDIR=~/blackbird-op-build
2 export KEYDIR=~/new-keys
```

Generate the keys you will be using to secure your hardware:

1 mkdir $KEYDIR
2 cd $KEYDIR
3 openssl ecparam -genkey -outform pem -noout -name secp521r1 -out hw_key_a.key
4 openssl ecparam -genkey -outform pem -noout -name secp521r1 -out hw_key_b.key
5 openssl ecparam -genkey -outform pem -noout -name secp521r1 -out hw_key_c.key
6 openssl ecparam -genkey -outform pem -noout -name secp521r1 -out sw_key_a.key

Edit $OPBUILDDIR/openpower/configs/hostboot/blackbird.config or $OPBUILDDIR/openpower/configs/hostboot/talos.config (depending on which system you have) and remove or comment out the unset SECUREBOOT line.
Follow the Compiling Firmware instructions for building the OpenPower firmware. Run op-build menuconfig before the final op-build if you want to customize your build in some way.

Replace the keys and key hashes in the pulled code with your own. I've provided some helper functions for this purpose and described the procedure below.

 1 # Helper functions:
 2 
 3 get_keyhash () {
 4 	$OPBUILDDIR/output/host/bin/create-container -v -w0 \
 5 		-a $1/hw_key_a.key -b $1/hw_key_b.key -c $1/hw_key_c.key \
 6 		--payload /dev/zero --imagefile /dev/null | grep "HW keys hash";
 7 }
 8 
 9 check_keys () {
10 	while read p;
11 		do echo `dirname $p`;
12 		get_keyhash `dirname $p`;
13 		echo '--';
14 	done <<< $(find -name hw_key_a.*)
15 }
16 
17 replace_keys () {
18 	NEWKEYHASH=$(get_keyhash $KEYDIR);
19 	while read p; do
20 		OLDKEYHASH=$(get_keyhash `dirname $p`);
21 		if [ "$OLDKEYHASH" != "$NEWKEYHASH" ]; then
22 			echo "Replacing keys in `dirname $p`"
23 			cp -a $KEYDIR/. $(dirname $p)
24 		fi
25 	done <<< $(find -name hw_key_a.*)
26 }
27 
28 check_imprints () {
29 	while read p; do
30 		echo "$p"
31 		cat $p | xxd -p
32 	done <<< $(find -name imprintHwKeyHash)
33 }
34 
35 replace_imprints () {
36 	NEWIMPRINT=$(get_keyhash $KEYDIR | cut -d' ' -f8);
37 	while read p; do
38 		OLDIMPRINT=$(cat $p | xxd -p);
39 		OLDIMPRINT="${OLDIMPRINT//[$'\t\r\n ']}"
40 		if [ "$OLDIMPRINT" != "$NEWIMPRINT" ]; then
41 			echo "Replacing imprint $p"
42 			echo "$NEWIMPRINT" | xxd -p -r > $p
43 		fi
44 	done <<< $(find -name imprintHwKeyHash)
45 }
46 
47 untar_code () {
48   untar_pkg () {
49     cd $OPBUILDDIR/dl/$1/
50     tar xzf $1-*.tar.gz
51   }
52   untar_pkg hostboot
53   untar_pkg libflash
54   untar_pkg sb-signing-utils
55   untar_pkg skiboot
56   untar_pkg pnv-lpc
57   cd $OPBUILDDIR
58 }
59 
60 retar_code () {
61   retar_pkg () {
62     cd $OPBUILDDIR/dl/$1/
63     tar czf $1-*.tar.gz $1-*/
64     rm -fr $1-/
65   }
66   retar_pkg hostboot
67   retar_pkg libflash
68   retar_pkg sb-signing-utils
69   retar_pkg skiboot
70   retar_pkg pnv-lpc
71   cd $OPBUILDDIR
72 }
73 
74 # Procedure:
75 
76 cd $OPBUILDDIR
77 untar_code
78 replace_keys
79 replace_imprints
80 retar_code

You can confirm the process worked by running get_keyhash $KEYDIR and comparing the hash returned with the hashes returned by check_keys and check_imprints. They should all match.

Configure the build system to produce a key transition container in the PNOR image. Run op-build menuconfig and set External options -> OpenPower -> OpenPower Packages -> OpenPower PNOR assembly options -> Secure Boot key transition type to Transition existing keys to development keys. "Development keys" in the context of the build system means "keys existing locally on my hard drive." "Production keys" refer to keys on a signing server somewhere for which the build system will generate signing requests if any "Production key" options are set.
Clear the old build output and re-build. Our aim in building the first time was only to force the build system to populate the dl directory with all the source code it would be compiling.
```
1 cd $OPBUILDDIR
2 mv output/.config .
3 rm -fr output/*
4 mv .config output/
5 op-build
```
Save a copy of output/images/ to an external drive. Rename the external drive's copy to transition-images or something similar.
Run op-build menuconfig again and set Secure Boot key transition type back to None.
Repeat the "clear the old build output and re-build" step.
Save a copy of output/images/ to an external drive.
Shutdown the computer.
Follow the instructions on the Compiling Firmware page to install the transition-images PNOR image on your external drive.
Make sure the "secure mode disable" jumper on your mainboard is set. (See the user manual for your mainboard if you need help locating this.)
Boot up the computer and then let it shut itself down. If you did not manually clear and set the ECC bits for your firmware during the installation process, the system may reboot itself first to set those bits. Once it is finished, the hash of your own keys should be "imprinted" on the processor's SEEPROM. To confirm this, you can run cat /proc/device-tree/ibm,secureboot/hw-key-hash | xxd -p in either the host OS or the Petitboot shell to see what value is currently set in the SEEPROM after replacing the key transition PNOR image with a non-transition one.
Follow the instructions on the Compiling Firmware page to install the images PNOR image on your external drive.
Make sure the "secure mode disable" jumper on your mainboard is unset.
Boot up the computer. It should now be booting in secure mode using your signed firmware!

@@ Line 1: / Line 1: @@
-== Secure Boot with your own keys ==
+''Disclaimer: There may be a cleaner way to do this. There may also be a way to speed the process up using partial rebuilds. This guide was created by [[User:Fizzbuzz|Fizzbuzz]] and successfully tested on a Blackbird system using the raptor-v2.00 branch of the blackbird-op-build firmware repository.''
-''There may be a cleaner way to do this, but this is what worked for me with my Blackbird.''
 # Set up a Debian Stretch build environment in accordance with the instructions on the [[Compiling Firmware]] page.
-# Set environmental variables (for the purposes of this walkthrough) referring to the OpenPower build directory and the directory where you will be placing your firmware signing keys: <syntaxhighlight lang="bash" line='line'>
+# Set environmental variables (for the purposes of this walkthrough and its helper functions) referring to the OpenPower build directory and the directory where you will be placing your firmware signing keys: <syntaxhighlight lang="bash" line='line'>
 export OPBUILDDIR=~/blackbird-op-build
 export KEYDIR=~/new-keys
@@ Line 28: / Line 26: @@
 check_keys () {
-	while read p; do echo `dirname $p`; get_keyhash `dirname $p`; echo '--'; done <<< $(find -name hw_key_a.*)
+	while read p;
+		do echo `dirname $p`;
+		get_keyhash `dirname $p`;
+		echo '--';
+	done <<< $(find -name hw_key_a.*)
 }
@@ Line 115: / Line 117: @@
 # Make sure the "secure mode disable" jumper on your mainboard is unset.
 # Boot up the computer. It should now be booting in secure mode using your signed firmware!
+[[Category:Guides]]

Difference between revisions of "Secure Boot with your own keys"

Latest revision as of 19:54, 26 March 2020

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools

Print/export