BMC image generation without private key

Patrick Williams patrick at
Wed Jan 18 23:05:35 AEDT 2023

On Tue, Jan 17, 2023 at 03:21:40PM -0500, Michael Richardson wrote:

> The build server requires authorization from the holder of the private key to
> create signatures.   One way is have direct access to the private key.
> I think that if the build server is so untrusted, then maybe there are other
> problems :-)

I don't have any security guidelines or NIST papers[1] to quote here, but
my impression is that this is a great over-simplification.  Every design 
for signing firmware I've ever seen used in production separates the build
server from the signing server, so there must be good reason for it.

I suspect it stems from it being a lesser-evil if someone unauthorized signs
a one-off image than it is if the private key escapes.  Build servers run
a lot of code and thus have a lot of surface to attack.  A signing
server can have a single remote API ("here is an image and my identity
... give me a signature"), which keeps the signing key(s) safer.

Requiring the private key to be present on the build server likely also
precludes any use of HSMs[2].


Patrick Williams
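As an added illustration of the split Patrick describes (not code from this thread or from OpenBMC), here is a minimal build-server / signing-server pair. The signing server exposes one operation, "here is an image digest and my identity, give me a signature", authorizes the caller, records the request, and returns only a signature; nothing it exports ever carries the firmware private key. The Ed25519 key kept in memory stands in for an HSM-held key, and the client-identity scheme (each enrolled build server proves identity by signing the digest with its own key), the names, and the sample image bytes are all assumptions made for this example. Go is used because its standard library has Ed25519 and SHA-256 without extra dependencies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignRequest is all the build server sends: the image digest, who it claims
// to be, and proof of that identity (a signature over the digest made with the
// client's own key). The signing server never needs the full image.
type SignRequest struct {
	ClientID    string
	ImageDigest []byte
	ClientSig   []byte
}

// AuditEntry records every request so a rogue one-off signature can at
// least be found after the fact.
type AuditEntry struct {
	ClientID    string
	ImageDigest []byte
	Granted     bool
}

// SigningServer holds the firmware key. Only Sign touches it, and Sign
// returns signatures, never key material. (Hypothetical design; the
// in-memory Ed25519 key is a stand-in for an HSM-held key.)
type SigningServer struct {
	firmwareKey ed25519.PrivateKey
	clients     map[string]ed25519.PublicKey // enrolled build servers
	Audit       []AuditEntry
}

func NewSigningServer() (*SigningServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningServer{firmwareKey: priv, clients: map[string]ed25519.PublicKey{}}, nil
}

// FirmwarePublicKey is what gets baked into the BMC's boot-time verifier.
func (s *SigningServer) FirmwarePublicKey() ed25519.PublicKey {
	return s.firmwareKey.Public().(ed25519.PublicKey)
}

// Authorize enrols a build-server identity and its public key.
func (s *SigningServer) Authorize(id string, pub ed25519.PublicKey) {
	s.clients[id] = pub
}

// Sign is the single remote API. It refuses unknown identities, malformed
// digests and requests whose identity proof does not verify.
func (s *SigningServer) Sign(req SignRequest) ([]byte, error) {
	entry := AuditEntry{ClientID: req.ClientID, ImageDigest: req.ImageDigest}
	pub, ok := s.clients[req.ClientID]
	if !ok || len(req.ImageDigest) != sha256.Size ||
		!ed25519.Verify(pub, req.ImageDigest, req.ClientSig) {
		s.Audit = append(s.Audit, entry)
		return nil, errors.New("unauthorized signing request")
	}
	entry.Granted = true
	s.Audit = append(s.Audit, entry)
	return ed25519.Sign(s.firmwareKey, req.ImageDigest), nil
}

// BuildRequest is the build-server side: hash the image, prove identity.
func BuildRequest(id string, clientKey ed25519.PrivateKey, image []byte) SignRequest {
	d := sha256.Sum256(image)
	return SignRequest{ClientID: id, ImageDigest: d[:], ClientSig: ed25519.Sign(clientKey, d[:])}
}

// VerifyImage is what the BMC does at boot with only the public key.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	d := sha256.Sum256(image)
	return ed25519.Verify(pub, d[:], sig)
}

// Demo runs the flow once: an enrolled client gets a signature that verifies,
// a caller with the wrong client key is refused, and a modified image fails.
func Demo() (signedOK, unauthorizedRefused, tamperDetected bool, err error) {
	srv, err := NewSigningServer()
	if err != nil {
		return
	}
	buildPub, buildPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	srv.Authorize("build-01", buildPub)
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // never enrolled
	if err != nil {
		return
	}
	image := []byte("constructed sample BMC image contents") // constructed input
	sig, err := srv.Sign(BuildRequest("build-01", buildPriv, image))
	if err != nil {
		return
	}
	signedOK = VerifyImage(srv.FirmwarePublicKey(), image, sig)
	_, rerr := srv.Sign(BuildRequest("build-01", roguePriv, image)) // claims enrolled id, wrong key
	unauthorizedRefused = rerr != nil
	tampered := append([]byte{}, image...)
	tampered[0] ^= 1
	tamperDetected = !VerifyImage(srv.FirmwarePublicKey(), tampered, sig)
	return
}

func main() {
	ok, refused, tamper, err := Demo()
	fmt.Println("signed and verified:", ok, "| rogue refused:", refused, "| tamper caught:", tamper, "| err:", err)
}
```

The point to notice is what the build server holds after the exchange: its own client key and a signature, nothing else. Compromising it yields at most signatures over images it was already entitled to request, each with an audit entry naming it, which is the "lesser evil" in the message above.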
