dasharo/slimbootloader.github.io
0
0
Fork 0
mirror of https://github.com/Dasharo/slimbootloader.github.io.git synced 2026-03-06 15:26:36 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bc9010f2c7ed0488a67abfa96374b1dbae5e717d
slimbootloader.github.io/security/key-management.html

311 lines
15 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
<meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>SBL Build and Sign &mdash; Slim Bootloader 1.0 documentation</title>
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="../_static/graphviz.css" type="text/css" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="shortcut icon" href="../_static/sbl_logo_blue_32x32_icon.ico"/>
<!--[if lt IE 9]>
<script src="../_static/js/html5shiv.min.js"></script>
<![endif]-->
<script src="../_static/jquery.js"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js"></script>
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/sphinx_highlight.js"></script>
<script src="../_static/js/theme.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Measured Boot" href="measured-boot.html" />
<link rel="prev" title="Verified Boot" href="verified-boot.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="../index.html" class="icon icon-home">
Slim Bootloader
<img src="../_static/sbl_logo_white_200x200.png" class="logo" alt="Logo"/>
</a>
<div class="version">
1.0
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../introduction/index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="../getting-started/index.html">Getting Started</a></li>
<li class="toctree-l1"><a class="reference internal" href="../supported-hardware/index.html">Supported Hardware</a></li>
<li class="toctree-l1"><a class="reference internal" href="../developer-guides/index.html">Developers Guide</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Security Features</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="boot-guard.html">Boot Guard</a></li>
<li class="toctree-l2"><a class="reference internal" href="verified-boot.html">Verified Boot</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">SBL Build and Sign</a></li>
<li class="toctree-l2"><a class="reference internal" href="#key-management">Key Management</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#key-id-and-configurations">KEY ID and configurations</a></li>
<li class="toctree-l3"><a class="reference internal" href="#keys-generation">Keys Generation</a></li>
<li class="toctree-l3"><a class="reference internal" href="#build-environment-configuration-for-key-id-usage">Build Environment Configuration for Key ID usage</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="measured-boot.html">Measured Boot</a></li>
<li class="toctree-l2"><a class="reference internal" href="firmware-update.html">Firmware Update</a></li>
<li class="toctree-l2"><a class="reference internal" href="container-security.html">Container Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="firmware-resiliency-and-recovery.html">Firmware Resiliency and Recovery</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../how-tos/index.html">How-Tos</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tools/index.html">Tools</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tutorials/index.html">Tutorials</a></li>
<li class="toctree-l1"><a class="reference internal" href="../specs/index.html">Specifications</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/references.html">References and Links</a></li>
<li class="toctree-l1"><a class="reference internal" href="../references/terminology.html">Terminology and Acronyms</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../index.html">Slim Bootloader</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="Page navigation">
<ul class="wy-breadcrumbs">
<li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
<li class="breadcrumb-item"><a href="index.html">Security Features</a></li>
<li class="breadcrumb-item active">SBL Build and Sign</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<section id="sbl-build-and-sign">
<h1>SBL Build and Sign<a class="headerlink" href="#sbl-build-and-sign" title="Permalink to this heading"></a></h1>
<p>SBL build process uses a signing interface. This signing method can access required keys from any accessible location based on an id.
A sample implementation of signing service is provided by <em>SingleSign.py</em> and is invoked during SBL build process.
Customers may use different signing infrastructure including use of secure signing servers, etc. and the SingleSign.py can be updated/replaced with customers signing infrastructure.</p>
</section>
<section id="key-management">
<span id="id1"></span><h1>Key Management<a class="headerlink" href="#key-management" title="Permalink to this heading"></a></h1>
<p>Cryptographic keys used for signing SBL binaries should be securely managed. A leak of private key would allow a hacker to install/push compromised SBL or rootkits on platforms. Here is a link to <a class="reference external" href="https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf">link</a> to NIST whitepaper which provides BKMs for Code signing and secure key management.</p>
<p>Below is a list of Security keys and their function in securing SBL.</p>
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head"><p>Key Name</p></th>
<th class="head"><p>Owner</p></th>
<th class="head"><p>Usage</p></th>
<th class="head"><p>Comment</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>OEM Key</p></td>
<td><p>Platform Owner</p></td>
<td><p>To sign BootGuard Key
Manifest.</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>BPM Key</p></td>
<td><p>Firmware Owner</p></td>
<td><p>To sign BootGuard Boot
Policy Manifest.</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>ConfigData Key</p></td>
<td><p>Firmware Owner</p></td>
<td><p>To sign Config Data
blob.</p></td>
<td><p>Use CfgDataTool.py</p></td>
</tr>
<tr class="row-odd"><td><p>Master Key</p></td>
<td><p>Firmware Owner</p></td>
<td><p>To sign SBL
Key Manifest.</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>Container Def
Key</p></td>
<td><p>Firmware Owner</p></td>
<td><p>To sign container
header.</p></td>
<td><p>Use GenContainer.py
to package various
components</p></td>
</tr>
<tr class="row-odd"><td><p>Container
Component Key</p></td>
<td><p>Container Owner</p></td>
<td><p>To sign container
components, such as,
UEFI Payload,PSE fw etc</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>OS Key</p></td>
<td><p>OS Owner</p></td>
<td><p>Hash of its public key
is stored in SBL Key
Manifest.</p></td>
<td><p>Use GenContainer.py
to package a OS binary.</p></td>
</tr>
<tr class="row-odd"><td><p>Firmware Update
Capsule Key</p></td>
<td><p>Firmware Owner</p></td>
<td><p>To sign capsule
images.</p></td>
<td><p>Use
GenCapsuleFirmware.py</p></td>
</tr>
</tbody>
</table>
<section id="key-id-and-configurations">
<h2>KEY ID and configurations<a class="headerlink" href="#key-id-and-configurations" title="Permalink to this heading"></a></h2>
<p>A unique key id would be associated for each private key corresponding to a component to be signed.</p>
<p>Table below depicts key ids defined for components and their associated test keys for various key types used for signing components.</p>
<table class="docutils align-default">
<thead>
<tr class="row-odd"><th class="head" colspan="2"><p>KEY ID</p></th>
<th class="head" colspan="2"><p>KEY</p></th>
<th class="head"><p>Usage</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td colspan="2"><p>KEY_ID_MASTER_RSA2048</p></td>
<td colspan="2"><p>MasterTestKey_Priv_RSA2048.pem</p></td>
<td><p>Signing external key hash store</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_MASTER_RSA3072</p></td>
<td colspan="2"><p>MasterTestKey_Priv_RSA3072.pem</p></td>
<td><p>Signing external key hash store</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>KEY_ID_CFGDATA_RSA2048</p></td>
<td colspan="2"><p>ConfigTestKey_Priv_RSA2048.pem</p></td>
<td><p>Signing CfgData</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_CFGDATA_RSA3072</p></td>
<td colspan="2"><p>ConfigTestKey_Priv_RSA3072.pem</p></td>
<td><p>Signing CfgData</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>KEY_ID_FIRMWAREUPDATE_RSA2048</p></td>
<td colspan="2"><p>FirmwareUpdateTestKey_Priv_RSA2048.pem</p></td>
<td><p>Signing firmware capsule update</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_FIRMWAREUPDATE_RSA3072</p></td>
<td colspan="2"><p>FirmwareUpdateTestKey_Priv_RSA3072.pem</p></td>
<td><p>Signing firmware capsule update</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>KEY_ID_CONTAINER_RSA2048</p></td>
<td colspan="2"><p>ContainerTestKey_Priv_RSA2048.pem</p></td>
<td><p>Signing Container header</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_CONTAINER_RSA3072</p></td>
<td colspan="2"><p>ContainerTestKey_Priv_RSA3072.pem</p></td>
<td><p>Signing Container header</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>KEY_ID_CONTAINER_COMP_RSA2048</p></td>
<td colspan="2"><p>ContainerCompTestKey_Priv_RSA2048.pem</p></td>
<td><p>Signing Container component</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_CONTAINER_COMP_RSA3072</p></td>
<td colspan="2"><p>ContainerCompTestKey_Priv_RSA3072.pem</p></td>
<td><p>Signing Container componentm</p></td>
</tr>
<tr class="row-even"><td colspan="2"><p>KEY_ID_OS1_PUBLIC_RSA2048</p></td>
<td colspan="2"><p>OS1_TestKey_Pub_RSA3072.pem</p></td>
<td><p>Public key used to sign Linux OS image</p></td>
</tr>
<tr class="row-odd"><td colspan="2"><p>KEY_ID_OS1_PUBLIC_RSA3072</p></td>
<td colspan="2"><p>OS1_TestKey_Pub_RSA3072.pem</p></td>
<td><p>Public key used to sign Linux OS image</p></td>
</tr>
</tbody>
</table>
<p>One could use either key id or complete path to signing keys while configuring in build scripts.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Signing tools support either KEY_ID corresponding to a component or complete path to private key.</p>
</div>
</section>
<section id="keys-generation">
<h2>Keys Generation<a class="headerlink" href="#keys-generation" title="Permalink to this heading"></a></h2>
<p>Keys required for SBL can be generated using GenerateKeys.py available
at BootloaderCorePkg/Tools/. The key generation process is a <strong>one
time process</strong> for specific project. Use same set of keys for signing
and verification operations for a specific project when generating
firmware capsule update image, cfgdata stitch, Container image and
others. Verification operations would fail incase different keys are used
which causes security violations.</p>
<p>Usage of GenerateKeys.py tool see <a class="reference internal" href="../getting-started/build-host-setup.html#sbl-keys"><span class="std std-ref">SBL Keys Generation</span></a></p>
</section>
<section id="build-environment-configuration-for-key-id-usage">
<h2>Build Environment Configuration for Key ID usage<a class="headerlink" href="#build-environment-configuration-for-key-id-usage" title="Permalink to this heading"></a></h2>
<p>Key directory to be used can be specified using an environment variable.</p>
<p>Set env variable “SBL_KEY_DIR” to keys directory generated using
GenerateKeys.py or similar methods. This env variable need to be to set before running SBL
build command. Also, set environment variable before executing tools in standalone mode as
Capsule firmware update, container operations, cfgdata stitching and
others when KEY ID are used.</p>
<p>For environment setting see <a class="reference internal" href="../developer-guides/build-system.html#build-sbl"><span class="std std-ref">Build SBL</span></a></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Use respective component keys from SblKey directory while performing standalone operations as Capsule firmware update, container operations, cfgdata stitching.</p>
</div>
</section>
</section>
</div>
</div>
<footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
<a href="verified-boot.html" class="btn btn-neutral float-left" title="Verified Boot" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
<a href="measured-boot.html" class="btn btn-neutral float-right" title="Measured Boot" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
</div>
<hr/>
<div role="contentinfo">
<p>&#169; Copyright 2018 - 2024, Intel Corporation.
<span class="lastupdated">Last updated on Jun 07, 2024.
</span></p>
</div>
Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
<a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script>
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink