Add support for HSM-based signing

Add rudimentary support for using a PKCS11 engine to provide the private key for the signed boot component.

This does not impact the device-unique key that is generated as part of provisioning.

Where the PKCS11_NAME and FILE_PEM are both supplied, favour the PKCS11 name.

Author: tdewey-rpi

README.adoc

@@ -94,12 +94,27 @@ Once you have followed all those steps, `rpi-sb-provisioner` should be correctly
 Configure `rpi-sb-provisioner` by using the following fields in `/etc/rpi-sb-provisioner/config`
 
 === CUSTOMER_KEY_FILE_PEM
-*Mandatory*
+*Optional, mandatory if CUSTOMER_KEY_PKCS11_NAME is not set*
 
 The fully qualified path to your signing key, encoded in PEM format. This file is expected to contain an RSA 2048-bit Private Key.
 
 WARNING: This file should be considered key material, and should be protected while at rest and in use according to your threat model.
 
+=== CUSTOMER_KEY_PKCS11_NAME
+*Optional, mandatory if CUSTOMER_KEY_FILE_PEM is not set*
+
+The keypair alias for a PKCS11 keypair, typically stored on a Hardware Security Module (HSM) and provided through a helper tool. This is expected to act in place of the RSA 2048-bit Private key specified with CUSTOMER_KEY_FILE_PEM, and will be used as the signing device for all future pre-boot authentication images.
+
+The value should take the format:
+
+----
+"pkcs11:object=<keypair-alias>;type=private"
+----
+
+WARNING: You must use double quotes to enclose the value.
+
+WARNING: The PKCS11 provider, and it's associated HSM, should be considered key material and should be protected while at rest and in use according to your threat model.
+
 === GOLD_MASTER_OS_FILE
 *Mandatory*
 

device-triage/triage.sh

@@ -21,8 +21,8 @@ if [ -z "${RPI_DEVICE_BOOTLOADER_CONFIG_FILE}" ]; then
     RPI_DEVICE_BOOTLOADER_CONFIG_FILE=/var/lib/rpi-sb-provisioner/bootloader.default
 fi
 
-if [ -z "${CUSTOMER_KEY_FILE_PEM}" ]; then
-    echo "You must provide a customer key file in the environment via CUSTOMER_KEY_FILE_PEM"
+if [ -z "${CUSTOMER_KEY_FILE_PEM}" ] || [ -z "${CUSTOMER_KEY_PKCS11_NAME}" ]; then
+    echo "You must provide a key in the environment via CUSTOMER_KEY_FILE_PEM, or a key name via CUSTOMER_KEY_PKCS11_NAME"
     exit 1
 fi
 

host-support/terminal-functions.sh

@@ -130,4 +130,21 @@ get_fastboot_config_file() {
     else
         echo "/var/lib/rpi-sb-provisioner/boot_ramdisk_config.txt"
     fi
+}
+
+get_signing_directives() {
+    if [ -n "${CUSTOMER_KEY_PKCS11_NAME}" ]; then
+        echo "${CUSTOMER_KEY_PKCS11_NAME} -engine pkcs11 -keyform engine"
+    else
+        if [ -n "${CUSTOMER_KEY_FILE_PEM}" ]; then
+            if [ -f "${CUSTOMER_KEY_FILE_PEM}" ]; then
+                echo "RSA private key \"${CUSTOMER_KEY_FILE_PEM}\" not a file. Aborting." >&2
+                exit 1
+            fi
+            echo "${CUSTOMER_KEY_FILE_PEM} -keyform PEM"
+        else
+            echo "Neither PKCS11 key name, or PEM key file specified. Aborting." >&2
+            exit 1
+        fi
+    fi
 }

key-writer/keywriter.sh

@@ -31,9 +31,8 @@ writeSig() {
    # Include the update-timestamp
    echo "ts: $(date -u +%s)" >> "${OUTPUT}"
 
-   if [ -n "${CUSTOMER_KEY_FILE_PEM}" ]; then
-      [ -f "${CUSTOMER_KEY_FILE_PEM}" ] || die "RSA private key \"${CUSTOMER_KEY_FILE_PEM}\" not found"
-      "${OPENSSL}" dgst -sign "${CUSTOMER_KEY_FILE_PEM}" -keyform PEM -sha256 -out "${SIG_TMP}" "${IMAGE}"
+   if [ -n "$(get_signing_directives)" ]; then
+      "${OPENSSL}" dgst -sign "$(get_signing_directives)" -sha256 -out "${SIG_TMP}" "${IMAGE}"
       echo "rsa2048: $(xxd -c 4096 -p < "${SIG_TMP}")" >> "${OUTPUT}"
    fi
    rm "${SIG_TMP}"