BMC image generation without private key

Lei Yu yulei.sh at bytedance.com
Mon Jan 16 20:53:40 AEDT 2023


The OpenBMC build requires a private key to:
1. Generate the public key that is put in the image;
2. Sign the image and generate the whole tarball.

For dev builds, it uses the insecure development key in the tree.
For release builds, it requires the `SIGNING_KEY` env to point to a
secure key to sign the image.

It is considered insecure because it requires the build server to
access the private key.

An alternative is proposed:
* A new `SIGNING_PUBLIC_KEY` env is defined to point to a public key.
* The above key defaults to empty, and the behavior is the same as
before, using the insecure development key to generate and sign the
image.
* With a valid `SIGNING_PUBLIC_KEY`:
   * The public key is installed into the BMC image.
   * The generated tarball is not signed, only containing the MANIFEST
and the image.
   * A new `gen-bmc-tar` tool will be introduced to sign the above
tarball, like `gen-bios-tar`.
* If both `SIGNING_PUBLIC_KEY` and `SIGNING_KEY` are set, throw an error.

With the above proposal, the build does not require the private key
anymore; the user could install the public key during the build and
sign the image separately.

Comments are welcome.

-- 
BRs,
Lei YU
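Added example, not part of the original message and not OpenBMC's own gen-bmc-tar or gen-bios-tar code: a POSIX shell sketch of the proposed split. build_unsigned_tar is what the build step would emit with SIGNING_PUBLIC_KEY set (MANIFEST plus image, no private key involved), sign_tar stands in for the proposed gen-bmc-tar on a separate host that holds the private key, and verify_tar is the check a BMC would run with the public key installed at build time. The member names (image-bmc, publickey, per-file .sig), the MANIFEST fields and the use of detached RSA-SHA256 signatures via openssl are assumptions modelled on the existing OpenBMC tarball layout, not taken from the message.

```shell
#!/bin/sh
# Added example (not OpenBMC's gen-bmc-tar/gen-bios-tar): build side, signing side
# and verify side of the proposed flow. All paths passed in must be absolute.
# Member names, MANIFEST fields and the detached .sig convention are assumptions.
set -eu

# Build side: package MANIFEST + image only. No private key is needed here.
build_unsigned_tar() {
    src=$1 out=$2
    d=$(mktemp -d)
    cp "$src" "$d/image-bmc"
    cat > "$d/MANIFEST" <<'EOF'
purpose=xyz.openbmc_project.Software.Version.VersionPurpose.BMC
version=example-0.1
KeyType=OpenBMC
HashType=RSA-SHA256
EOF
    (cd "$d" && tar -cf "$out" MANIFEST image-bmc)
    rm -rf "$d"
}

# Signing host (stand-in for gen-bmc-tar): unpack the unsigned tarball, add the
# publickey derived from the private key, and attach a detached RSA-SHA256
# signature (<member>.sig) to every member before repacking.
sign_tar() {
    key=$1 in=$2 out=$3
    d=$(mktemp -d)
    (cd "$d" && tar -xf "$in")
    openssl rsa -in "$key" -pubout -out "$d/publickey" 2>/dev/null
    for f in MANIFEST image-bmc publickey; do
        openssl dgst -sha256 -sign "$key" -out "$d/$f.sig" "$d/$f"
    done
    (cd "$d" && tar -cf "$out" MANIFEST MANIFEST.sig image-bmc image-bmc.sig publickey publickey.sig)
    rm -rf "$d"
}

# BMC side: every member must carry a .sig that verifies against the public key
# installed at build time ($pub), not merely against the publickey shipped in
# the tarball, otherwise an attacker could ship their own key pair.
verify_tar() {
    pub=$1 in=$2
    d=$(mktemp -d) rc=0
    (cd "$d" && tar -xf "$in") || rc=1
    if [ "$rc" -eq 0 ]; then
        for f in MANIFEST image-bmc publickey; do
            if [ ! -f "$d/$f.sig" ] || \
               ! openssl dgst -sha256 -verify "$pub" -signature "$d/$f.sig" "$d/$f" >/dev/null 2>&1; then
                rc=1; break
            fi
        done
    fi
    rm -rf "$d"
    return "$rc"
}

# End-to-end check on a constructed image: the private key exists only on the
# "signing host" side of the flow; the build only ever sees the public key.
# Prints "ok" and returns 0 when signed verifies, unsigned is rejected, and a
# post-signing tamper is rejected.
run_demo() {
    t=$(mktemp -d)
    printf 'constructed BMC image payload\n' > "$t/image.bin"
    openssl genrsa -out "$t/signing.key" 2048 2>/dev/null                      # signing host only
    openssl rsa -in "$t/signing.key" -pubout -out "$t/signing.pub" 2>/dev/null  # SIGNING_PUBLIC_KEY
    build_unsigned_tar "$t/image.bin" "$t/unsigned.tar"
    sign_tar "$t/signing.key" "$t/unsigned.tar" "$t/signed.tar"
    result=fail
    if verify_tar "$t/signing.pub" "$t/signed.tar" \
       && ! verify_tar "$t/signing.pub" "$t/unsigned.tar"; then
        # Tamper with the image after signing; the image-bmc.sig check must now fail.
        mkdir "$t/tamper" && (cd "$t/tamper" && tar -xf "$t/signed.tar")
        printf 'x' >> "$t/tamper/image-bmc"
        (cd "$t/tamper" && tar -cf "$t/tampered.tar" MANIFEST MANIFEST.sig image-bmc image-bmc.sig publickey publickey.sig)
        verify_tar "$t/signing.pub" "$t/tampered.tar" || result=ok
    fi
    rm -rf "$t"
    echo "$result"
    [ "$result" = ok ]
}

case "${1:-}" in --demo) run_demo ;; esac
```

Run it as `sh example.sh --demo`; it prints `ok` when the signed tarball verifies and both the unsigned tarball and a tampered copy are rejected. The point of verify_tar checking against the build-time key rather than the shipped publickey is the same reason the proposal installs SIGNING_PUBLIC_KEY into the image: the trust anchor has to come from the build, not from the artifact being verified.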

