OpenEmbedded Workshop 2020

A common infrastructure for PKCS#11-based code signing
02-03, 16:00–16:30 (Europe/Amsterdam), Hedy Lamarr

Many upstream components integrated via OpenEmbedded already support cryptographic signatures for authentication (kernel, FIT images, update artifacts, boot images).

Some support already exists for signing with keys stored in the file system (uboot-sign.bbclass, meta-rauc's bundle.bbclass, meta-secure-core). Larger projects often require support for more secure key storage devices such as HSMs (Hardware Security Modules).

Fortunately, support for the standard API to use keys on hardware tokens (PKCS#11) is widespread by now. We can use this API and SoftHSM (a PKCS#11 simulator) to decouple individual packages from the key configuration. This simplifies testing, as almost the same code is used during development with keys loaded from the file-system and during release with a real HSM.
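The decoupling described above, as an added sketch that is not the .bbclass from the talk or any project's code: a package asks for a signing role and gets back a PKCS#11 key URI plus the module to load, so the signing command is identical for SoftHSM and a real HSM. The profile names, module paths, token and object names are constructed assumptions, as are the use of RFC 7512 URIs and the libp11 OpenSSL engine with its `PKCS11_MODULE_PATH` variable.

```python
"""Added illustration: one signing command, two key back-ends (SoftHSM vs. HSM)."""
from urllib.parse import unquote

# Constructed profiles; module paths, token and object names are assumptions.
PROFILES = {
    "development": {
        "module": "/usr/lib/softhsm/libsofthsm2.so",
        "roles": {"fit": "pkcs11:token=dev-token;object=fit-dev;type=private"},
    },
    "release": {
        "module": "/opt/vendor-hsm/lib/libvendor-pkcs11.so",
        "roles": {"fit": "pkcs11:token=release%20hsm;object=fit-release;type=private"},
    },
}

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path attributes, query attributes)."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")

    def attrs(text, delim):
        out = {}
        for item in filter(None, text.split(delim)):
            name, eq, value = item.partition("=")
            if not eq or name in out:  # this sketch rejects duplicates
                raise ValueError(f"malformed or duplicate attribute: {item!r}")
            out[name] = unquote(value)  # RFC 7512 values are percent-encoded
        return out

    return attrs(path, ";"), attrs(query, "&")

def signing_command(profile, role, payload, signature):
    """Return (env, argv); only env and the key URI depend on the profile."""
    cfg = PROFILES[profile]
    uri = cfg["roles"][role]
    path, query = parse_pkcs11_uri(uri)
    if "pin-value" in query:
        raise ValueError("PIN embedded in key URI; supply it outside the recipe")
    if path.get("type") != "private" or "object" not in path:
        raise ValueError("URI must name one private key object")
    env = {"PKCS11_MODULE_PATH": cfg["module"]}  # read by the libp11 engine
    argv = ["openssl", "dgst", "-sha256", "-engine", "pkcs11", "-keyform", "engine",
            "-sign", uri, "-out", signature, payload]
    return env, argv
```

Rejecting `pin-value` keeps token PINs out of recipes and build logs; the PIN is expected to reach the token by some other channel.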

Jan will present his implementation (a single .bbclass) and some example packages. He is looking for feedback, additional use-cases and testing.


Video: https://youtu.be/ntwbkJTP1pw

See also: slides (134.1 KB)

Jan first started using OpenEmbedded when working on Openmoko and OpenEZX around 2008. Today he supports colleagues and customers using OE at Pengutronix.