search

Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/
24 stars 0 forks source link

Store vboot keys in HSM #212

Open macpijan opened 1 year ago

macpijan commented 1 year ago

The problem you're addressing (if any)

vboot keys are stored as plaintext files

Describe the solution you'd like

vboot keys are stored in HSM (Hardware Security Module)

Where is the value to a user, and who might that user be?

keys are better protected and can be shared more securely

Describe alternatives you've considered

Additional context

miczyg1 commented 1 year ago

There are a few problems here:

  1. There are multiple vboot keys (recovery and firmware key).
  2. One would have to implement whole HSM communication logic in vboot signing scripts and utilities.
pietrushnic commented 1 year ago

@miczyg1 point 2 is not a problem, it is very small challenge. What vboot use locally to sign? What key format is support? I would say almost any USB token could be used like HSM.

miczyg1 commented 1 year ago

it uses the key file stored on the filesystem under configured path in coreboot configuration or directory with keys passed to the signing script. Secondly these keys use a different format, vboot utilities seem to wrap the RSA keys around their own structure.