From 5125317506818637b6adaad73461e859c78e9814 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Thu, 24 Oct 2024 18:14:55 +0100
Subject: [PATCH] coreos-base/coreos-sb-keys: Drop unnecessary PK and KEK certificates

These are only needed when you are going to ship DB updates to existing systems, which we are not going to do. Our EFI variables are only for testing. End users are expected to use EFI variables provided by their hosts or hardware vendors. We presumably provided these before because some PK and KEK does need to be provided, but we can now use the Microsoft and Red Hat ones provided via Gentoo's edk2 package.

Signed-off-by: James Le Cuirot
---
 build_library/vm_image_util.sh | 2 --
 .../coreos-base/coreos-sb-keys/README.md | 2 --
 ...0.3.ebuild => coreos-sb-keys-1.0.0.ebuild} | 4 ---
 .../coreos-base/coreos-sb-keys/files/KEK.crt | 19 -------------
 .../coreos-base/coreos-sb-keys/files/KEK.key | 28 -------------------
 .../coreos-base/coreos-sb-keys/files/PK.crt | 19 -------------
 .../coreos-base/coreos-sb-keys/files/PK.key | 28 -------------------
 7 files changed, 102 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/{coreos-sb-keys-0.0.3.ebuild => coreos-sb-keys-1.0.0.ebuild} (78%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key

diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 1791108d0b6..dde1f533f40 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -886,8 +886,6 @@ _write_qemu_uefi_secure_conf() {
 virt-fw-vars \
 --input "${flash_in}" \
 --output "$(_dst_dir)/${flash_rw}" \
- --set-pk "${owner}" /usr/share/sb_keys/PK.crt \
- --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
 --add-db "${owner}" /usr/share/sb_keys/DB.crt
 
 sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
index 0231aa542e0..f50820c9450 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
@@ -1,7 +1,5 @@
 ## Keys & Certificates
 
-- PK (Platform Key): The Platform Key is the key to the platform.
-- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
 - DB (Signature Database): The signature database is used to validate signed EFI binaries.
 - Shim Certificates: Our set of certificates
 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild
similarity index 78%
rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild
index 9562a134a11..5080f9ec8c9 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-1.0.0.ebuild
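Review bot: With `--set-pk` and `--add-kek` removed, the virt-fw-vars invocation now depends on `${flash_in}` already carrying an enrolled PK and KEK; if the input vars image lacks them the platform is left in Setup Mode and Secure Boot is not enforced, while the following sed line still writes `SECURE_BOOT=1` into the launch script. The commit message says the Microsoft and Red Hat keys come from Gentoo's edk2 package, but nothing in this function records or checks that precondition. I would add a comment above `virt-fw-vars \`: `# ${flash_in} is expected to carry edk2's pre-enrolled PK/KEK; only our test DB certificate is appended here.` Failing the build when the written vars file has no PK would be a stronger guard, but I have not confirmed which virt-fw-vars option exposes that, so treat it as a follow-up. _write_qemu_uefi_secure_conf begins before this hunk and continues after it.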
@@ -16,10 +16,6 @@ S="${WORKDIR}"
 
 src_install() {
 insinto /usr/share/sb_keys
- newins "${FILESDIR}/PK.key" PK.key
- newins "${FILESDIR}/PK.crt" PK.crt
- newins "${FILESDIR}/KEK.key" KEK.key
- newins "${FILESDIR}/KEK.crt" KEK.crt
 newins "${FILESDIR}/DB.key" DB.key
 newins "${FILESDIR}/DB.crt" DB.crt
 
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt
deleted file mode 100644
index 54646e2aae2..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.crt
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBzCCAe+gAwIBAgIJAN/ga2oSNhyiMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
-BAMMD0NvcmVPUyB0ZXN0IEtFSzAeFw0xNTA0MTMxODMzMzRaFw0xNTA1MTMxODMz
-MzRaMBoxGDAWBgNVBAMMD0NvcmVPUyB0ZXN0IEtFSzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAL/DE8ss0bgdKgLmyQ6CQsAUpeWwLlxMNca+LROR5+UH
-VAa/Xph30xdfmpydWxUO0Ga1ZnyTfZp+UfOWya9kYkzzmmuKAzC0HLzolSWxQ3sL
-EDsXEbpfl7KsjDvPuXdVoJukdN8EppqP6DLGjHbY5lk5AfXj7xCP3wHlLzMsPoxu
-hkfDfZSB0qJ5r+L6egz50Vufvxn1oiolMWh7zorkQaM5i4cP6BEQtan7WNhKDJAZ
-3fbApmcJyOP7TvWLHcAyuI2FM13J89bc7vrclb2PrtAoijNyDnNImLb187/gC8Ab
-kHVFIm8KyZ8ZByNoU5hy4bA1U/EEZ+slyIqqKcnWbukCAwEAAaNQME4wHQYDVR0O
-BBYEFC1uWlFmCG6L18813V9Xy12dQ/MJMB8GA1UdIwQYMBaAFC1uWlFmCG6L1881
-3V9Xy12dQ/MJMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEOKN7AS
-2szIJ4ejcxRJhih5rBFwVkim80rwBX8Ga3sStAAKEpdZC7fjrxXm8UWYbEa8Qisz
-+O74T7QqXaCRoxh3ij4fgg4clULOfjGGWWEghl4rtpUIsarCk3HWtEzqLWbAQOA0
-co3B08KbwYhOYfx1MkRE1K6kFKojJ1tod/w9jxY1/w/qmJKFP/vM6//H9dhVPr14
-4ySqz/NYhb0FZRVGJkeLbXWy4sLZy2Of+ojCRjjAgmY9RAT6ZxovgyXqVBDWfboX
-4Yp9bAboktfNtX6+9wMIW5bTuZ5yZjK+I+MnHSqbRVh/6T/kh5j5+jdPXnKgZGXy
-PWAnhbRJTjUAVTY=
------END CERTIFICATE-----
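Review bot: The surviving `newins "${FILESDIR}/DB.key" DB.key` still installs a private signing key under /usr/share/sb_keys with the default insopts mode (0644), so it ends up world-readable in the image next to the certificate. The commit message frames these as test-only keys, but the ebuild itself does not say so. Either tighten the mode, `insopts -m0600` before the DB.key line and `insopts -m0644` again before DB.crt, or record the intent with a comment above `insinto`: `# Test-only Secure Boot key pair: DB.crt is enrolled into the QEMU OVMF vars for local testing; DB.key is not a production secret.` I have not checked whether an unprivileged build step reads DB.key, which would rule out the mode change. src_install continues past the end of this hunk.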
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key
deleted file mode 100644
index 0536b49f82b..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/KEK.key
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC/wxPLLNG4HSoC -5skOgkLAFKXlsC5cTDXGvi0TkeflB1QGv16Yd9MXX5qcnVsVDtBmtWZ8k32aflHz -lsmvZGJM85prigMwtBy86JUlsUN7CxA7FxG6X5eyrIw7z7l3VaCbpHTfBKaaj+gy -xox22OZZOQH14+8Qj98B5S8zLD6MboZHw32UgdKiea/i+noM+dFbn78Z9aIqJTFo -e86K5EGjOYuHD+gRELWp+1jYSgyQGd32wKZnCcjj+071ix3AMriNhTNdyfPW3O76 -3JW9j67QKIozcg5zSJi29fO/4AvAG5B1RSJvCsmfGQcjaFOYcuGwNVPxBGfrJciK -qinJ1m7pAgMBAAECggEAL5jxMc4nJAcBJYU5RIOqo9i8MN3hNAGqm3Ea6S+fGqcO -ATrA9SFQ4Q1W6Cbas8hgjA3cqXFGjPFr0AWOfB1zlNwmaSjxj8Y1F+K3Gor8T+84 -ESKxwMv3cF8J09LEm01Ctz9DzxNtcxHjNa84sEs4Kc9PoEP6U+cSGHtVkuMZh2t9 -hNad8DfdM2oZi5IPcVcBXr/+QmyjereKlTij5BPSdeKw2JKprv0NWgzuZkDlhtAF -aSNLkODk3NT9+zMSqvuSkNkWuvcl8kFG32strHzsEKneugEbLQPLwEA2hRz6gDo2 -alPUo9shg4o54r47pascVJjbiFPevIvF0GTgmv/VAQKBgQDodWPClJZiyifJ6M65 -V4p+N4evhr6xBTxYMTfXoXIT6IwqyiDyhDnjUApM9wwr9YTxixJukAdcdDnWOMJb -qR2JquGXeChPAArH69FzsuybVXURpBiIOBBNFmWf/T97Aw55l6OXxzA/aAuQMFyF -H8zEQddC57yEMIpToTuNkNq8CQKBgQDTLpvNtsqKBxIpnybv2gRo2MDgJtk+PGu/ -UN3f1GDP1C9nhEVWb1n4v7n9bhYs5zra3vYkgvr317QVAbKF+PUmIPLmid5gN8J5 -46+qdVvK88UPJye2cuIrHO/XScWiC95SzQo6KfVNqawLJhioZ3OlK69pOcLoXWsO -/nJC5i6T4QKBgQCM6hx/Z/OCD2nvS+GFGTwrJx5pmRUf2jyqeauQW53704yko8M1 -QFKXKX4VCe2m+D6O7e9OdqD/urUU13N6fRoayivW1lAZE711U860hFJKF5PQDdmR -Oesnz9vrEGna+A9eRj41U9o7labs0WREjvJiRkdnl3L/7yzrZWHkf1sZgQKBgQDJ -X49oKR6XYci68a0yV8WOqOm6lLDhPMJNy3HXBvBOHXoajrGDi2jS3xgehoQUy2V+ -4c763/8qqIBq65RtVgmGEzMsDFmFjIYgrrGKrKAcNjk5is++lWv/SneV5h3TuNeG -Q0i2T94+8UVB2FD4/LT00mRQxaiK5NG6mX0hN9dAYQKBgEC8GarO5+lPEXNhkqcM -rWBtZTszTP9WGs0nB6+ZGZ+23uMwNA/6YZvyvAssfJ9yr4pyI/r2WH0rHa9146s0 -rJx+Xs/TSbGRYDq7BcwjN3DuSvoCg/0arVeoptrmoDIrFOzhlgQWdrIOMqVKTNKi -s/B7OsUuIhJ7HAJSatt2uzam ------END PRIVATE KEY----- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt deleted file mode 100644 index 9fcb2a2e17d..00000000000 
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBTCCAe2gAwIBAgIJAPrtEex/4ln3MA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV -BAMMDkNvcmVPUyB0ZXN0IFBLMB4XDTE1MDQxMzE4MzMyMloXDTE1MDUxMzE4MzMy -MlowGTEXMBUGA1UEAwwOQ29yZU9TIHRlc3QgUEswggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCrAWnfZoNaw4FVFbdkQo+aBTjMnaEs643EdqoXRn8ohmJu -gCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcydAt53F0hFLsWEi/Riw59AImOuyOXxcrK5 -CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp7d/2up0zJoXltMaZLs3748AyI29aL2jr -PEW8+FZRqp/z9/EWpifcPZXFzqc7QYTwamfznwqUIFXMLqW5bREroFpZ9MMTmc86 -WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6jZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn -0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6pRd8IIfDzAgMBAAGjUDBOMB0GA1UdDgQW -BBRHBFY7ba7b2aOujtUZB1dHVQUqFDAfBgNVHSMEGDAWgBRHBFY7ba7b2aOujtUZ -B1dHVQUqFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCT3Xs/My5E -ST//7SrupTakH+QRd7/qIFj2/coXuWE0Qp9cWiWIy9GDyd0oyQsKQklVbuLArju4 -N8oekgtJnNoYbJnLs0JPfAIC5Np3wYTNCyjVi8kSyKSWdXM2vKkycG023sFiFdSk -0pgmwCO1E8fGxe9YDjCdtRTp8+j6m5GrRkl3YYfqYtUFfXy+BhcKs1H6AlfaKAZH -m1fYDGmGGuOTij/5yEyY38NJybjL8Aak89nwuVrHm76whldsA3LfPYenjLk5qTd8 -yEYgvoajAZDIXkT05F9E9SdSaob2ZK1nDp98kG+rnv7dN/xQVfaKywuM3cdy5TKk -VqV0ENF7w+O5 ------END CERTIFICATE----- diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key deleted file mode 100644 index 589fef190ee..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/PK.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrAWnfZoNaw4FV -FbdkQo+aBTjMnaEs643EdqoXRn8ohmJugCnNNy4mcwsxrx7ksSyfU3ZeVeFXFcyd -At53F0hFLsWEi/Riw59AImOuyOXxcrK5CAzaOqWIs0RvDqvEJjm7JSuOVndeTVFp -7d/2up0zJoXltMaZLs3748AyI29aL2jrPEW8+FZRqp/z9/EWpifcPZXFzqc7QYTw -amfznwqUIFXMLqW5bREroFpZ9MMTmc86WMQYUySPdCxvQKKgvGyf0qYWVw2mPp6j -ZZF84dELn1FvNJ4AMIa/d2TGSkNOpPkn0VTWtmJTZoY2n/0/KHFQPT1Ot7M9/s6p -Rd8IIfDzAgMBAAECggEAZI/0Ptf+LwYBrJOUwXUTFbQ0br/T5KKxP/O4mu9uH9rH -T8w2yOPGU/4beyBMvpgicZ+XYGqIlbnQFhV11frvGSAkL4pOMTZxFDok/MhP0Olu -iLlfNYZ/iiBCAj1SbYs9L/zv3Eik8ePuGKk2p9WeVFI3M5pXoAWSRKruf42vEg0Q -mAvjpabEFi41RavmO6EuDt5m6VOO3wgGXBZw/+skTtCtlhABK08aggV4a1jrrAJX -FVH8+XmYG7xknxMLxQYSuG1H0n86iext1+jtL74qd51PeaVzfXfE00xjnM08naV+ -XivpwhxsSo0aSMsuOipvMefvQDDwbYVN1RVlEIDuoQKBgQDhRy7j2Dz1zN+C0Bg3 -X2xInQGHq3MineGa/DCzN17rGT0jYB/9FMZTSfk60RNzFacHgLhfSxk0sPfBdi+J -WGWjm48nVz/vsx6V8DNOYiHoi2DxdpHoohUzdxKccySnv1vMDcVRQg3gb47UNp0p -FRqi/g47Ts+JSLS29X6vqB/iBwKBgQDCU31L4ipLXOWbiJDQVGq5A0N0zAo2j+Jx -Kr3G+R72XRHTBLCvverayCwrI+fvUyvAeUs/trswQ/PmXdkmg40EEJDCJ87ktfEW -MfgRJhloPJkyTf+JKaLlUQwgV7YVtV932EWC8V9Rdcf8rNZ9gt9TiiwGOTCrNDH4 -tL1d1T9OtQKBgAXgw5pyU/Td6Z8SKu+W785dOmL92D04/V/74JFsim978xpvMaZ6 -2knmDji4p9dC417Qvv7NiNTVIUHNAaSFx/Ei5/NQ1Xw9ojirUctjyBq3OEpUm64E -PKVhH/0xC+3MkmqamWFrZc1LW+CxpBwkTtOd6WUmw0eDvCNh+HJA4sQVAoGBAKFN -rDPRCEqGUhFIyuwjJnNswhGxTMj9pnlJgT4ojAr0NldzDTbT7p6sif1FUMDXyPl7 -tXqts7PctBgEzrupduRo28BOSu6OGBDUaZXSikR8CK45EGRKq2yuWeJ+7CYY56YT -X5/Ru81idx7GWUTV3Yr6ppCD6GI0cUaAwK+i02oBAoGAcCho+7uZ0+I2BkR9Fxz/ -gdHgL3Cw5o3x7i1erXXCoxN9YLHwidOtj9w+8IS9dSY9ii08w8LE4BXpgoFe+TGU -yXgEnl8qOUAcXKMu4jRj4LqNaJWXnAZ7J+1WJZ4h7ygGEJh0aYByiUdL5aShs/YJ -CevUdCQxnWbrAySfMEMIXg0= ------END PRIVATE KEY-----