SBL Build and Sign

The SBL build process uses a signing interface that retrieves the required keys from any accessible location based on a key id. A sample implementation of the signing service is provided by SingleSign.py and is invoked during the SBL build. Customers may use a different signing infrastructure, including secure signing servers; SingleSign.py can be updated or replaced to integrate the customer's own signing infrastructure.

Key Management

Cryptographic keys used for signing SBL binaries must be securely managed. A leak of a private key would allow an attacker to install compromised SBL images or rootkits on platforms. The NIST whitepaper on code signing provides best known methods (BKMs) for code signing and secure key management.

Below is a list of Security keys and their function in securing SBL.

| Key Name | Owner | Usage | Comment |
|---|---|---|---|
| OEM Key | Platform Owner | To sign BootGuard Key Manifest. | |
| BPM Key | Firmware Owner | To sign BootGuard Boot Policy Manifest. | |
| ConfigData Key | Firmware Owner | To sign Config Data blob. | Use CfgDataTool.py |
| Master Key | Firmware Owner | To sign SBL Key Manifest. | |
| Container Def Key | Firmware Owner | To sign container header. | Use GenContainer.py to package various components |
| Container Component Key | Container Owner | To sign container components, such as UEFI Payload, PSE FW, etc. | |
| OS Key | OS Owner | Hash of its public key is stored in SBL Key Manifest. | Use GenContainer.py to package an OS binary. |
| Firmware Update Capsule Key | Firmware Owner | To sign capsule images. | Use GenCapsuleFirmware.py |

KEY ID and configurations

A unique key id is associated with each private key corresponding to a component to be signed.

The table below lists the key ids defined for components and their associated test keys for the various key types used when signing components.

| KEY ID | KEY | Usage |
|---|---|---|
| KEY_ID_MASTER_RSA2048 | MasterTestKey_Priv_RSA2048.pem | Signing external key hash store |
| KEY_ID_MASTER_RSA3072 | MasterTestKey_Priv_RSA3072.pem | Signing external key hash store |
| KEY_ID_CFGDATA_RSA2048 | ConfigTestKey_Priv_RSA2048.pem | Signing CfgData |
| KEY_ID_CFGDATA_RSA3072 | ConfigTestKey_Priv_RSA3072.pem | Signing CfgData |
| KEY_ID_FIRMWAREUPDATE_RSA2048 | FirmwareUpdateTestKey_Priv_RSA2048.pem | Signing firmware capsule update |
| KEY_ID_FIRMWAREUPDATE_RSA3072 | FirmwareUpdateTestKey_Priv_RSA3072.pem | Signing firmware capsule update |
| KEY_ID_CONTAINER_RSA2048 | ContainerTestKey_Priv_RSA2048.pem | Signing Container header |
| KEY_ID_CONTAINER_RSA3072 | ContainerTestKey_Priv_RSA3072.pem | Signing Container header |
| KEY_ID_CONTAINER_COMP_RSA2048 | ContainerCompTestKey_Priv_RSA2048.pem | Signing Container component |
| KEY_ID_CONTAINER_COMP_RSA3072 | ContainerCompTestKey_Priv_RSA3072.pem | Signing Container component |
| KEY_ID_OS1_PUBLIC_RSA2048 | OS1_TestKey_Pub_RSA3072.pem | Public key of the key used to sign the Linux OS image |
| KEY_ID_OS1_PUBLIC_RSA3072 | OS1_TestKey_Pub_RSA3072.pem | Public key of the key used to sign the Linux OS image |

When configuring the build scripts, either a key id or the complete path to the signing key can be used.

Note

Signing tools accept either the KEY_ID corresponding to a component or the complete path to the private key.

Keys Generation

Keys required for SBL can be generated using GenerateKeys.py, available at BootloaderCorePkg/Tools/. Key generation is a one-time process for a specific project. Use the same set of keys for all signing and verification operations within a project, whether generating a firmware capsule update image, stitching cfgdata, building a container image or anything else. Verification fails if different keys are used, and the failure is reported as a security violation.

For usage of the GenerateKeys.py tool, see SBL Keys Generation.

Build Environment Configuration for Key ID usage

The key directory to be used is specified with an environment variable.

Set the environment variable SBL_KEY_DIR to the keys directory generated by GenerateKeys.py or a similar method. This variable must be set before running the SBL build command. It must also be set before executing tools in standalone mode (capsule firmware update, container operations, cfgdata stitching and others) whenever key ids are used.

For environment settings, see Build SBL.

Note

Use the respective component keys from the SblKey directory when performing standalone operations such as capsule firmware update, container operations and cfgdata stitching.
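The following is an added example, not code from the Slim Bootloader tree and not SingleSign.py itself. It shows the two lookups the text above describes: resolving a key reference that is either a KEY_ID (looked up in the key id table on this page under the directory named by SBL_KEY_DIR) or a complete path, and checking a public key against a stored key hash the way the SBL Key Manifest check rejects a key that was not enrolled. The key hash is assumed here to be the SHA-256 of the raw public key bytes; SBL's actual key-hash layout is not shown on this page, and the sample key bytes are constructed.

```python
"""Resolve SBL signing-key references and check a public key hash.

Added example; not part of Slim Bootloader or SingleSign.py.
Assumptions: key ids map to the test-key file names listed on this page,
located under $SBL_KEY_DIR; a key hash is sha256(public key bytes).
"""
import hashlib
import os
from pathlib import Path

# KEY_ID -> key file name, taken from the key id table on this page.
KEY_ID_TABLE = {
    "KEY_ID_MASTER_RSA2048": "MasterTestKey_Priv_RSA2048.pem",
    "KEY_ID_MASTER_RSA3072": "MasterTestKey_Priv_RSA3072.pem",
    "KEY_ID_CFGDATA_RSA2048": "ConfigTestKey_Priv_RSA2048.pem",
    "KEY_ID_CFGDATA_RSA3072": "ConfigTestKey_Priv_RSA3072.pem",
    "KEY_ID_FIRMWAREUPDATE_RSA2048": "FirmwareUpdateTestKey_Priv_RSA2048.pem",
    "KEY_ID_FIRMWAREUPDATE_RSA3072": "FirmwareUpdateTestKey_Priv_RSA3072.pem",
    "KEY_ID_CONTAINER_RSA2048": "ContainerTestKey_Priv_RSA2048.pem",
    "KEY_ID_CONTAINER_RSA3072": "ContainerTestKey_Priv_RSA3072.pem",
    "KEY_ID_CONTAINER_COMP_RSA2048": "ContainerCompTestKey_Priv_RSA2048.pem",
    "KEY_ID_CONTAINER_COMP_RSA3072": "ContainerCompTestKey_Priv_RSA3072.pem",
    "KEY_ID_OS1_PUBLIC_RSA2048": "OS1_TestKey_Pub_RSA3072.pem",
    "KEY_ID_OS1_PUBLIC_RSA3072": "OS1_TestKey_Pub_RSA3072.pem",
}


class KeyResolutionError(Exception):
    """Raised when a key reference cannot be turned into a key file path."""


def resolve_key_ref(key_ref, key_dir=None):
    """Return the key file path for a KEY_ID or an explicit path.

    A reference that does not start with KEY_ID_ is taken as a complete
    path, as the signing tools allow. For a KEY_ID, key_dir defaults to
    $SBL_KEY_DIR, which must be set before the build or any standalone
    signing operation; a missing directory or unknown id is an error
    rather than a silent fallback to some other key.
    """
    if not key_ref.startswith("KEY_ID_"):
        return Path(key_ref)
    if key_dir is None:
        key_dir = os.environ.get("SBL_KEY_DIR")
    if not key_dir:
        raise KeyResolutionError("SBL_KEY_DIR is not set; required for " + key_ref)
    try:
        file_name = KEY_ID_TABLE[key_ref]
    except KeyError:
        raise KeyResolutionError("unknown key id " + key_ref) from None
    return Path(key_dir) / file_name


def key_hash(pub_key_bytes):
    """Hash of a public key as it would be stored in the key hash store.

    Assumption: SHA-256 over the raw public key bytes.
    """
    return hashlib.sha256(pub_key_bytes).hexdigest()


def verify_key_hash(pub_key_bytes, stored_hashes):
    """Return True only if this public key is enrolled in stored_hashes.

    This mirrors the SBL Key Manifest check: a component signed with a
    key whose hash is not in the manifest fails verification, which is
    why a project must sign and verify with one consistent key set.
    """
    return key_hash(pub_key_bytes) in set(stored_hashes)


if __name__ == "__main__":
    # Constructed sample data: not real keys.
    enrolled_key = b"-----CONSTRUCTED OS1 PUBLIC KEY-----"
    stray_key = b"-----CONSTRUCTED KEY FROM ANOTHER PROJECT-----"
    manifest = [key_hash(enrolled_key)]
    print(resolve_key_ref("KEY_ID_CFGDATA_RSA3072", "/opt/sblkeys").as_posix())
    print("enrolled key accepted:", verify_key_hash(enrolled_key, manifest))
    print("stray key accepted:", verify_key_hash(stray_key, manifest))
```

In a build, the `key_dir` argument is left as None so that the directory comes from SBL_KEY_DIR exactly as the build scripts expect; passing it explicitly is only for testing or for standalone tool runs that want to pin a key directory.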