User Key Store
The sample keys, by default, are used by build system to sign bootloader, kernel, IMA signature, RPM and so on. It is used for development and demonstration. The user must know what te risk is to use the sample keys in the product.
The user key in a general sense is able to be used in the product with contrary of the sample key. This document defines the definitions for the uses of various keys.
In addition, the scripts/create-user-key-store.sh provides a reference to the creation of user key store, stored in such a layout:
user-keys ├── ima_keys │ ├── x509_ima.der │ └── x509_ima.key ├── mok_sb_keys │ ├── shim_cert.key │ ├── shim_cert.crt │ ├── vendor_cert.key │ └── vendor_cert.crt └── uefi_sb_keys ├── DB.key ├── KEK.key ├── KEK.crt ├── PK.key └── PK.crt
If the user plans to create the user keys by self, please consider to
define the necessary variables mentioned below in local.conf, or construct
a layer for the user key store. Eventually, the build system will copy the
user key store to
$project/tmp/deploy/images/*/user-keys/ for further use.
The vital definitions include:
SIGNING_MODEL := "user"
Prohibit using the sample keys for signing the images.
UEFI_SB_KEYS_DIR := "<path>"
Point to the location of user keys used for UEFI secure boot.
MOK_SB_KEYS_DIR := "<path>"
Point to the location of user keys used for MOK secure boot. Note that MOK secure boot is on top of UEFI secure boot so creating the user keys for MOK secure boot only will still introduce the security risk in your product.
IMA_KEYS_DIR := "<path>"
Point to the location of user keys used for IMA appraisal.
USER_KEY_SHOW_VERBOSE = "1"
Optional. Used to enable the verbose output for debugging purpose.
To ensure a image signed by the untrustworthy sample key cannot be loaded, e.g, preventing the shim signed by the user key from loading the grub signed by the sample key, certain sample keys are added to the blacklists during the build, meaning the following precautions:
- Blacklist the sample DB and DBX in DBX database for UEFI secure boot.
- Blacklist the sample DB, shim_cert and vendor_cert in vendor_dbx database for MOK secure boot.
- Cascade the default blacklist mentioned above and the user specified blacklist if any.
For the details about UEFI secure boot and MOK secure boot, please refer to meta-efi-secure-boot/README.md.