
Sign Images for IPXE


Create your own private CA key

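# Root CA private key, encrypted with a passphrase. AES-256 replaces the
# legacy -des3 (3DES) key wrapping used originally; the PEM file produced
# is used the same way by every later step.
openssl genrsa -aes256 -out rootCA.key 4096
# Self-signed root certificate, valid for 7300 days; the subject fields are
# prompted for interactively. (-nodes was dropped: it only affects keys that
# req itself generates, so it was a no-op with an existing -key.)
openssl req -x509 -new -key rootCA.key -sha256 -days 7300 -out rootCA.crt
# rootCA.crt is already PEM, so this is a copy under the .pem name that the
# make TRUST=/CERT= steps and the chain files below refer to.
openssl x509 -in rootCA.crt -out rootCA.pem -outform PEM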

Tell the bootloader about it at build time. Certificates must be in PEM format.

# TRUST= makes the built image trust certificates chaining to rootCA.pem.
make bin/ipxe.iso TRUST=rootCA.pem

Create CA infrastructure

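# Serial-number file and index database consumed by "openssl ca" through
# the [ ca_default ] section of ca.cnf below.
echo 01 > ca.srl
touch ca.idx
# Issued certificates are copied here (new_certs_dir); -p keeps the step
# re-runnable instead of failing when the directory already exists.
mkdir -p signed
# Create ca.cnf with the contents shown below.
nano ca.cnf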
# OpenSSL CA configuration used by the "openssl ca -config ca.cnf" steps below.
[ ca ]
  default_ca             = ca_default
  
  [ ca_default ]
  certificate            = rootCA.crt      # CA certificate created above
  private_key            = rootCA.key      # CA private key (passphrase-protected)
  serial                 = ca.srl          # seeded with "01" above
  database               = ca.idx          # created empty with touch above
  new_certs_dir          = signed          # copies of issued certificates
  default_md             = default
  policy                 = policy_anything # all DN fields optional, see below
  preserve               = yes
  default_days           = 90              # lifetime of issued (signing) certificates
  unique_subject         = no              # allows re-issuing for the same subject
  
  # Every subject field is optional, so any CSR subject is accepted as-is.
  [ policy_anything ]
  countryName            = optional
  stateOrProvinceName    = optional
  localityName           = optional
  organizationName       = optional
  organizationalUnitName = optional
  commonName             = optional
  emailAddress           = optional
  
  # Extensions for cross-signing another CA certificate (-extensions cross).
  [ cross ]
  basicConstraints       = critical,CA:true
  keyUsage               = critical,cRLSign,keyCertSign
  
  # Extensions for the code-signing leaf certificate (-extensions codesigning).
  [ codesigning ]
  keyUsage                = digitalSignature,nonRepudiation
  extendedKeyUsage        = codeSigning,emailProtection

Code Signing Key

# Key and CSR for the code-signing certificate; prompts for a key passphrase
# and the subject fields. "-newkey rsa" without a size uses openssl's default.
openssl req -newkey rsa -keyout codesign.key -out codesign.req
# Issue the certificate from the CSR with the [ codesigning ] extensions of ca.cnf.
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
# PEM copy of the issued certificate.
openssl x509 -in codesign.crt -out codesign.pem -outform PEM
# Chain file: signing certificate first, then the root CA.
cat codesign.pem rootCA.pem > codesign-full.pem

You can now use this certificate to sign a binary that will then be trusted by iPXE. For example:

# Detached CMS signature of vmlinuz, written as DER to vmlinuz.sig.
# -certfile bundles the root certificate into the signature alongside the signer.
openssl cms -sign -binary -noattr -in vmlinuz \
              -signer codesign.crt -inkey codesign.key -certfile rootCA.crt \
              -outform DER -out vmlinuz.sig

Embedded Certificate

# CERT= embeds rootCA.pem in the image; TRUST= additionally marks it trusted.
make bin/ipxe.iso CERT=rootCA.pem TRUST=rootCA.pem

Cross-signing certificates - example vanaware.github.io.pem

# Cross-sign an external self-signed certificate (-ss_cert) with the private CA,
# using the [ cross ] extensions of ca.cnf. -preserveDN keeps the original
# subject; -notext omits the human-readable dump from the output file.
openssl ca -config ca.cnf -extensions cross -notext -preserveDN -ss_cert vanaware.github.io.pem -out vanaware.github.io-cross.crt

Sign file script Example

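#!/bin/sh
# Sign one or more files with the code-signing key created above.
# For every argument FILE a detached CMS signature FILE.sig (DER) is
# written next to it. codesign.crt, codesign.key and rootCA.crt are
# expected in the current directory.
# Exit status: 0 if every file was signed, 1 if any signing failed,
# 2 on usage error.

# Print the usage line to stderr.
usage() {
	printf 'Usage: %s filename_to_sign1 [filename_to_sign2] [filename_to_sign3] ...\n' "${0##*/}" >&2
}

# Sign every argument in turn. Keeps going after a failure so one bad
# input does not stop the rest, but remembers it for the exit status.
sign_files() {
	sign_rc=0
	for f in "$@"; do
		if openssl cms -sign -binary -noattr -in "$f" \
			-signer codesign.crt -inkey codesign.key -certfile rootCA.crt \
			-outform DER -out "$f.sig"; then
			printf 'Signature: %s.sig\n' "$f"
		else
			printf 'Failed to sign: %s\n' "$f" >&2
			sign_rc=1
		fi
	done
	return "$sign_rc"
}

# Entry point: argument check, then signing. Diagnostics go to stderr.
main() {
	if [ $# -eq 0 ]; then
		echo "Should have at least one argument of name of file to sign" >&2
		usage
		return 2
	fi
	sign_files "$@"
}

main "$@"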

Verify file script Example

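#!/bin/sh
# Verify the detached CMS signatures produced by the sign script above.
# For every argument FILE, FILE.sig is checked against the content of FILE,
# chaining codesign.crt up to rootCA.crt (both expected in the current
# directory).
# Exit status: 0 if every signature verified, 1 if any did not,
# 2 on usage error.

# Print the usage line to stderr.
usage() {
	printf 'Usage: %s filename_to_verify1 [filename_to_verify2] [filename_to_verify3] ...\n' "${0##*/}" >&2
}

# Verify every argument in turn. "openssl cms -verify" is the counterpart
# of the "openssl cms -sign" used to create the signatures. openssl's own
# diagnostics are silenced on purpose to keep the one-line OK/not OK
# output; drop the 2>/dev/null when debugging a failing verification.
verify_files() {
	verify_rc=0
	for f in "$@"; do
		# printf instead of "echo -n": -n is not portable under /bin/sh.
		printf 'Verifying %s : ' "$f"
		if openssl cms -verify -purpose any -in "$f.sig" \
			-CAfile rootCA.crt -certfile codesign.crt \
			-inform DER -content "$f" -out /dev/null 2>/dev/null; then
			echo "OK"
		else
			echo "not OK"
			verify_rc=1
		fi
	done
	return "$verify_rc"
}

# Entry point: argument check, then verification. Diagnostics go to stderr.
main() {
	if [ $# -eq 0 ]; then
		echo "Should have at least one argument of name of file to verify" >&2
		usage
		return 2
	fi
	verify_files "$@"
}

main "$@"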
