jluebbe / meta-code-signing

infrastructure for unifying access to keys on the file system and HSMs

Home Page:https://pretalx.com/openembedded-workshop-2023/talk/3C8MFF/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

meta-code-signing provides infrastructure for unifying access to keys on the
file system and HSMs.

This repository contains two layers:

meta-code-signing:
  A reusable layer providing signing.bbclass, which also contains some
  documentation. This could be upstreamed to meta-oe.

meta-code-signing-demo:
  qemu-based demo with signed fit image, dm-verity, rauc bundle and kernel
  modules.

A talk about this layer was held at OpenEmbedded Workshop 2023:
https://pretalx.com/openembedded-workshop-2023/talk/3C8MFF/

To try the demo, run only the following steps should be needed on a system
prepared for building with Yocto:

  $ . ./oe-init-build-env
  $ vi conf/local.conf
  ... set DL_DIR and other options needed for your system
  $ bitbake qemu-virt-image update-bundle
  $ ./qemu.sh

In qemu, the following steps should happen:

- barebox starts and loads the kernel FIT image
- the kernel starts and mounts the dm-verity-protected rootfs
- the kernel loads and checks module signatures

After logging in as root, you can use rauc to check the bundle signature:

  rauc info /deploy/update-bundle-qemuarm.raucb

or install an update:

  rauc install /deploy/update-bundle-qemuarm.raucb

About

infrastructure for unifying access to keys on the file system and HSMs

https://pretalx.com/openembedded-workshop-2023/talk/3C8MFF/

License:MIT License


Languages

Language:BitBake 71.2%Language:Shell 15.7%Language:NASL 13.1%