Complete SSH key integration across all build systems

- Updated Makefile to generate SSH keys with correct naming (cpu_rsa/cpu_rsa.pub)
- SSH keys are now generated and embedded in initramfs at /etc/cpu_rsa.pub
- Updated build info to include SSH key information and security warnings
- Enhanced GitHub Actions workflows to include SSH keys in release assets
- Updated documentation with SSH key usage examples
- Fixed workflow paths and dependencies for proper SSH key integration

Author: ericvh

.github/workflows/build.yml

@@ -67,6 +67,16 @@ jobs:
         go build -o ../../u-root-bin ./
         cd ../cpu
     
+    - name: Generate SSH keys
+      run: |
+        mkdir -p build/binaries
+        echo "Generating default SSH keys for CPU..."
+        ssh-keygen -t rsa -b 4096 -f build/binaries/cpu_rsa -N "" -C "cpu-default-key"
+        echo "SSH keys generated:"
+        echo "  Private key: build/binaries/cpu_rsa"
+        echo "  Public key: build/binaries/cpu_rsa.pub"
+        ls -la build/binaries/cpu_rsa*
+
     - name: Build cpu binary for aarch64
       run: |
         cd build/repos/cpu
@@ -90,9 +100,10 @@ jobs:
         echo "Creating u-root initramfs with cpud as init..."
         mkdir -p ../../initramfs
         
-        # Build the initramfs with cpud bundled in as init
+        # Build the initramfs with cpud bundled in as init and include SSH public key
         echo "Building initramfs with u-root..."
         GOOS=linux GOARCH=arm64 ../../u-root-bin -format=cpio -o ../../initramfs/cpud-initramfs.cpio \
+            -files "../../binaries/cpu_rsa.pub:etc/cpu_rsa.pub" \
             -initcmd="cpud" \
             ./cmds/cpud \
             ../u-root/cmds/core/ls \
@@ -136,15 +147,24 @@ jobs:
         echo "Files in this archive:" >> BUILD_INFO.txt
         echo "- cpu: CPU client binary" >> BUILD_INFO.txt
         echo "- cpud: CPU daemon binary" >> BUILD_INFO.txt
+        echo "- cpu_rsa: Default SSH private key" >> BUILD_INFO.txt
+        echo "- cpu_rsa.pub: Default SSH public key" >> BUILD_INFO.txt
         echo "- cpud-initramfs.cpio.gz: U-root initramfs with cpud as init" >> BUILD_INFO.txt
         echo "" >> BUILD_INFO.txt
         echo "Usage:" >> BUILD_INFO.txt
         echo "  ./cpu -h    # Show CPU client help" >> BUILD_INFO.txt
         echo "  ./cpud -h   # Show CPU daemon help" >> BUILD_INFO.txt
         echo "" >> BUILD_INFO.txt
+        echo "SSH Keys:" >> BUILD_INFO.txt
+        echo "  Default SSH keys are provided for convenience" >> BUILD_INFO.txt
+        echo "  Private key: cpu_rsa" >> BUILD_INFO.txt
+        echo "  Public key: cpu_rsa.pub (also embedded in initramfs)" >> BUILD_INFO.txt
+        echo "  WARNING: These are default keys - generate your own for production!" >> BUILD_INFO.txt
+        echo "" >> BUILD_INFO.txt
         echo "Initramfs usage:" >> BUILD_INFO.txt
         echo "  Use cpud-initramfs.cpio.gz as initrd with Linux kernel" >> BUILD_INFO.txt
         echo "  Boot parameters: init=/init" >> BUILD_INFO.txt
+        echo "  SSH public key is embedded at /etc/cpu_rsa.pub" >> BUILD_INFO.txt
         cat BUILD_INFO.txt
     
     - name: Create checksums
@@ -153,6 +173,8 @@ jobs:
         echo "Creating checksums..."
         sha256sum cpu > cpu.sha256
         sha256sum cpud > cpud.sha256
+        sha256sum cpu_rsa > cpu_rsa.sha256
+        sha256sum cpu_rsa.pub > cpu_rsa.pub.sha256
         sha256sum BUILD_INFO.txt > BUILD_INFO.txt.sha256
         cd ../initramfs
         sha256sum cpud-initramfs.cpio.gz > cpud-initramfs.cpio.gz.sha256
@@ -221,9 +243,13 @@ jobs:
         files: |
           build/binaries/cpu
           build/binaries/cpud
+          build/binaries/cpu_rsa
+          build/binaries/cpu_rsa.pub
           build/binaries/BUILD_INFO.txt
           build/binaries/cpu.sha256
           build/binaries/cpud.sha256
+          build/binaries/cpu_rsa.sha256
+          build/binaries/cpu_rsa.pub.sha256
           build/binaries/BUILD_INFO.txt.sha256
           build/binaries/cpud-initramfs.cpio.gz
           build/binaries/cpud-initramfs.cpio.gz.sha256
@@ -242,10 +268,20 @@ jobs:
           - `BUILD_INFO.txt` - Build information and usage notes
           - `*.sha256` - SHA256 checksums for verification
           
+          ### SSH Keys
+          - `cpu_rsa` - Default SSH private key
+          - `cpu_rsa.pub` - Default SSH public key (also embedded in initramfs)
+          - `cpu_rsa.sha256` - Private key checksum
+          - `cpu_rsa.pub.sha256` - Public key checksum
+          
+          **⚠️ WARNING**: These are default keys for convenience. Generate your own keys for production use!
+          
           ### Initramfs
           - `cpud-initramfs.cpio.gz` - U-root initramfs with cpud as init
           - `cpud-initramfs.cpio.gz.sha256` - Initramfs checksum
           
+          The initramfs includes the SSH public key at `/etc/cpu_rsa.pub` for automatic authentication.
+          
           ### Archive
           - `cpu-binaries-aarch64-${{ env.CPU_VERSION }}.tar.gz` - Complete archive with all binaries
           - `cpu-binaries-aarch64-${{ env.CPU_VERSION }}.tar.gz.sha256` - Archive checksum
@@ -254,18 +290,26 @@ jobs:
           
           ### Download individual binaries:
           ```bash
-          # Download binaries
+          # Download binaries and keys
           wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu
           wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpud
+          wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu_rsa
+          wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu_rsa.pub
           
           # Make executable
           chmod +x cpu cpud
+          chmod 600 cpu_rsa
+          chmod 644 cpu_rsa.pub
           
           # Verify (optional)
           wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu.sha256
           wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpud.sha256
+          wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu_rsa.sha256
+          wget https://github.com/${{ github.repository }}/releases/download/${{ github.event.inputs.release_tag || github.ref_name }}/cpu_rsa.pub.sha256
           sha256sum -c cpu.sha256
           sha256sum -c cpud.sha256
+          sha256sum -c cpu_rsa.sha256
+          sha256sum -c cpu_rsa.pub.sha256
           ```
           
           ### Download complete archive:

.github/workflows/package.yml

@@ -55,6 +55,13 @@ jobs:
         git clone https://github.com/u-root/cpu.git
         cd cpu
         echo "CPU_VERSION=$(git describe --tags --always)" >> $GITHUB_ENV
+
+    - name: Generate SSH keys
+      run: |
+        echo "Generating default SSH keys for CPU..."
+        ssh-keygen -t rsa -b 4096 -f binaries/cpu_rsa -N "" -C "cpu-default-key"
+        echo "SSH keys generated:"
+        ls -la binaries/cpu_rsa*
     
     - name: Build binaries
       run: |
@@ -70,9 +77,11 @@ jobs:
         FROM scratch
         COPY binaries/cpu /usr/local/bin/cpu
         COPY binaries/cpud /usr/local/bin/cpud
+        COPY binaries/cpu_rsa /etc/cpu_rsa
+        COPY binaries/cpu_rsa.pub /etc/cpu_rsa.pub
         COPY BUILD_INFO.txt /BUILD_INFO.txt
         LABEL org.opencontainers.image.title="CPU Binaries"
-        LABEL org.opencontainers.image.description="Prebuilt CPU binaries for aarch64"
+        LABEL org.opencontainers.image.description="Prebuilt CPU binaries for aarch64 with SSH keys"
         LABEL org.opencontainers.image.source="https://github.com/${{ github.repository }}"
         LABEL org.opencontainers.image.version="${{ env.CPU_VERSION }}"
         LABEL org.opencontainers.image.licenses="BSD-3-Clause"
@@ -91,10 +100,18 @@ jobs:
         Files in this package:
         - /usr/local/bin/cpu: CPU client binary
         - /usr/local/bin/cpud: CPU daemon binary
+        - /etc/cpu_rsa: Default SSH private key
+        - /etc/cpu_rsa.pub: Default SSH public key
+        
+        WARNING: These are default keys for convenience - generate your own for production!
         
         Usage:
           docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest /usr/local/bin/cpu -h
           docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest /usr/local/bin/cpud -h
+        
+        Extract SSH keys from container:
+          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest cat /etc/cpu_rsa > cpu_rsa
+          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest cat /etc/cpu_rsa.pub > cpu_rsa.pub
         EOF
     
     - name: Build and push Docker image

Makefile

@@ -26,6 +26,8 @@ CPU_BINARY := $(BINARIES_DIR)/cpu
 CPUD_BINARY := $(BINARIES_DIR)/cpud
 INITRAMFS_FILE := $(INITRAMFS_DIR)/cpud-initramfs.cpio.gz
 BUILD_INFO := $(BINARIES_DIR)/BUILD_INFO.txt
+SSH_PRIVATE_KEY := $(BINARIES_DIR)/cpu_rsa
+SSH_PUBLIC_KEY := $(BINARIES_DIR)/cpu_rsa.pub
 
 # Version detection
 CPU_VERSION := $(shell cd $(CPU_REPO) 2>/dev/null && git describe --tags --always 2>/dev/null || echo "unknown")
@@ -66,6 +68,18 @@ $(GO_WORK): $(CPU_REPO) $(UROOT_REPO)
 	@echo "use ./repos/cpu" >> $(GO_WORK)
 	@echo "use ./repos/u-root" >> $(GO_WORK)
 
+$(SSH_PRIVATE_KEY): | $(BUILD_DIR)
+	@echo "Generating default SSH keys for CPU..."
+	@mkdir -p $(BINARIES_DIR)
+	@if [ ! -f "$(SSH_PRIVATE_KEY)" ]; then \
+		ssh-keygen -t rsa -b 4096 -f $(SSH_PRIVATE_KEY) -N "" -C "cpu-default-key"; \
+		echo "SSH keys generated:"; \
+		echo "  Private key: $(SSH_PRIVATE_KEY)"; \
+		echo "  Public key: $(SSH_PUBLIC_KEY)"; \
+	else \
+		echo "SSH keys already exist, skipping generation"; \
+	fi
+
 # Repository management
 repos: $(CPU_REPO) $(UROOT_REPO)  ## Clone all repositories
 
@@ -89,7 +103,7 @@ $(CPUD_BINARY): $(GO_WORK) $(UROOT_BIN)
 	@echo "Building cpud binary for aarch64..."
 	@cd $(CPU_REPO) && GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=$(CGO_ENABLED) go build -o ../../binaries/cpud ./cmds/cpud
 
-$(BUILD_INFO): $(CPU_BINARY) $(CPUD_BINARY)
+$(BUILD_INFO): $(CPU_BINARY) $(CPUD_BINARY) $(SSH_PRIVATE_KEY)
 	@echo "Creating build info..."
 	@cd $(CPU_REPO) && CPU_VERSION=$$(git describe --tags --always) && \
 	echo "U-Root CPU Binaries for aarch64 (Local Build)" > ../../binaries/BUILD_INFO.txt && \
@@ -101,19 +115,28 @@ $(BUILD_INFO): $(CPU_BINARY) $(CPUD_BINARY)
 	echo "Files in this archive:" >> ../../binaries/BUILD_INFO.txt && \
 	echo "- cpu: CPU client binary" >> ../../binaries/BUILD_INFO.txt && \
 	echo "- cpud: CPU daemon binary" >> ../../binaries/BUILD_INFO.txt && \
+	echo "- cpu_rsa: Default SSH private key" >> ../../binaries/BUILD_INFO.txt && \
+	echo "- cpu_rsa.pub: Default SSH public key" >> ../../binaries/BUILD_INFO.txt && \
 	echo "- cpud-initramfs.cpio.gz: U-root initramfs with cpud as init" >> ../../binaries/BUILD_INFO.txt && \
 	echo "" >> ../../binaries/BUILD_INFO.txt && \
 	echo "Usage:" >> ../../binaries/BUILD_INFO.txt && \
 	echo "  ./cpu -h    # Show CPU client help" >> ../../binaries/BUILD_INFO.txt && \
 	echo "  ./cpud -h   # Show CPU daemon help" >> ../../binaries/BUILD_INFO.txt && \
 	echo "" >> ../../binaries/BUILD_INFO.txt && \
+	echo "SSH Keys:" >> ../../binaries/BUILD_INFO.txt && \
+	echo "  Default SSH keys are provided for convenience" >> ../../binaries/BUILD_INFO.txt && \
+	echo "  Private key: cpu_rsa" >> ../../binaries/BUILD_INFO.txt && \
+	echo "  Public key: cpu_rsa.pub (also embedded in initramfs)" >> ../../binaries/BUILD_INFO.txt && \
+	echo "  WARNING: These are default keys - generate your own for production!" >> ../../binaries/BUILD_INFO.txt && \
+	echo "" >> ../../binaries/BUILD_INFO.txt && \
 	echo "Initramfs usage:" >> ../../binaries/BUILD_INFO.txt && \
 	echo "  Use cpud-initramfs.cpio.gz as initrd with Linux kernel" >> ../../binaries/BUILD_INFO.txt && \
 	echo "  Boot parameters: init=/init" >> ../../binaries/BUILD_INFO.txt && \
+	echo "  SSH public key is embedded at /etc/cpu_rsa.pub" >> ../../binaries/BUILD_INFO.txt && \
 	echo "" >> ../../binaries/BUILD_INFO.txt && \
 	echo "Build system: Makefile" >> ../../binaries/BUILD_INFO.txt
 
-binaries: check-go $(CPU_BINARY) $(CPUD_BINARY) $(BUILD_INFO) ## Build cpu and cpud binaries
+binaries: check-go $(CPU_BINARY) $(CPUD_BINARY) $(BUILD_INFO) $(SSH_PRIVATE_KEY) ## Build cpu and cpud binaries
 	@echo "Verifying built binaries..."
 	@ls -la $(BINARIES_DIR)/
 	@echo ""
@@ -122,14 +145,19 @@ binaries: check-go $(CPU_BINARY) $(CPUD_BINARY) $(BUILD_INFO) ## Build cpu and c
 	@echo "CPUD binary info:"
 	@file $(CPUD_BINARY)
 	@echo ""
+	@echo "SSH key info:"
+	@echo "Private key: $(SSH_PRIVATE_KEY)"
+	@echo "Public key: $(SSH_PUBLIC_KEY)"
+	@echo ""
 	@echo "Binary sizes:"
 	@du -h $(BINARIES_DIR)/*
 
-$(INITRAMFS_FILE): $(CPUD_BINARY) $(UROOT_BIN)
+$(INITRAMFS_FILE): $(CPUD_BINARY) $(UROOT_BIN) $(SSH_PUBLIC_KEY)
 	@echo "Creating u-root initramfs with cpud as init..."
 	@rm -f $(INITRAMFS_DIR)/*
 	@echo "Building initramfs with u-root..."
 	@cd $(CPU_REPO) && GOOS=$(GOOS) GOARCH=$(GOARCH) ../../u-root-bin -format=cpio -o ../../initramfs/cpud-initramfs.cpio \
+		-files "../../binaries/cpu_rsa.pub:etc/cpu_rsa.pub" \
 		-initcmd="cpud" \
 		./cmds/cpud \
 		../u-root/cmds/core/ls \

docs/INITRAMFS.md

@@ -7,61 +7,37 @@ This guide explains how to use the CPU initramfs that boots directly into the cp
 The CPU initramfs is a u-root-based initial RAM filesystem that:
 - Boots directly into the cpud daemon
 - Provides a minimal Linux environment
-- Automatically mounts essential filesystems (`/proc`, `/sys`### Troubleshooting
-
-### Common Issues
+- Automatically mounts essential filesystems (`/proc`, `/sys`, `/dev`)
+- Includes a default SSH public key for authentication (`/etc/cpu_rsa.pub`)
+- Starts cpud as the init process
 
-1. **Boot Hangs**: Check console output, ensure correct kernel
-2. **Network Issues**: Verify network configuration and drivers
-3. **Permission Issues**: Ensure proper filesystem permissions
-4. **Pi won't boot**: Check config.txt and cmdline.txt syntax
+## SSH Key Authentication
 
-### Raspberry Pi Specific Issues
+The initramfs includes a default SSH public key at `/etc/cpu_rsa.pub` for convenient authentication. The corresponding private key is available in the release binaries.
 
-#### **Pi doesn't boot with initramfs**
-```bash
-# Check config.txt syntax
-sudo nano /boot/firmware/config.txt
+**⚠️ WARNING**: These are default keys for convenience. Generate your own keys for production use!
 
-# Ensure correct path and format
-initramfs cpud-initramfs.cpio.gz followkernel
+### Using the Default Keys
 
-# Verify file exists and permissions
-ls -la /boot/firmware/cpud-initramfs.cpio.gz
-```
-
-#### **No network on Pi**
 ```bash
-# Check if interface is up
-ip link show
-
-# Bring up ethernet
-ip link set eth0 up
-dhclient eth0
+# Download the private key from the release
+wget https://github.com/ericvh/cpu-prebuilt/releases/latest/download/cpu_rsa
+chmod 600 cpu_rsa
 
-# Check cable connection
-ethtool eth0
+# Use with CPU client
+./cpu -key cpu_rsa user@target-system
 ```
 
-#### **No console output**
-```bash
-# In cmdline.txt, ensure console is set
-console=serial0,115200 console=tty1
+### Generating Your Own Keys
 
-# Enable UART in config.txt
-enable_uart=1
-```
-
-#### **Pi 4/5 specific issues**
 ```bash
-# Ensure 64-bit mode is enabled
-arm_64bit=1
+# Generate your own key pair
+ssh-keygen -t rsa -b 4096 -f my_cpu_key -N ""
 
-# Check if using correct boot partition
-ls -la /boot/firmware/  # Pi 4/5
-ls -la /boot/           # Pi 3 and earlier
-````)
-- Starts cpud as the init process
+# Replace the public key in the initramfs (requires rebuilding)
+# Or use cpu with your custom key
+./cpu -key my_cpu_key user@target-system
+```
 
 ## Use Cases