Adding keys to BMC production build

Fri Mar 12 03:51:33 AEDT 2021

On 3/10/21 8:35 PM, Troy Lee wrote:
> Hi Patrick, You could assign SIGNING_KEY to your private key for 
> signing image. If it is not set, 
> meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb 
> will be applied. Thanks, ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ 
> ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ 
>
> Hi Patrick,
>
> You could assign SIGNING_KEY to your private key for signing image.
>
> If it is not set, 
> meta-phosphor/recipes-phosphor/flash/phosphor-insecure-signing-key-native.bb 
> will be applied.
>
> Thanks,
>
> Troy Lee
>
> *From:* openbmc 
> <openbmc-bounces+troy_lee=aspeedtech.com at lists.ozlabs.org> *On Behalf 
> Of *Patrick Voelker
> *Sent:* Thursday, March 11, 2021 10:18 AM
> *To:* OpenBMC (openbmc at lists.ozlabs.org) <openbmc at lists.ozlabs.org>
> *Subject:* Adding keys to BMC production build
>
> Is there a page or document with instructions for adding a custom key 
> for signing the production BMC build? I haven't had any luck finding 
> it yet.
>

Yes, sort of.  The OpenBMC "Configuration Guide" wiki has items like this:
https://github.com/openbmc/openbmc/wiki/Configuration-guide#image-signature

Troy, I've added your info to the wiki.  Thank you!

The OpenBMC security working group has discussed migrating the config 
guide into the docs repo.  Any volunteers?

-Joseph