02-06, 13:30–14:00 (Europe/Brussels), Agora
Three years have passed since the previous talk on PKCS#11-based code signing (OE Workshop 2020) and this approach has be used successfully for several projects. Also, there's been interest from the community and from customers to have this properly upstream in oe-core.
In this session, Jan will first explain the infrastructure (signing.bbclass) and the recipe-level integration submitted for inclusion and then show some examples on how to use the class with custom recipes and keys.
The approach taken with signing.bbclass is to pass all key access through the PKCS#11 API, which is supported by most Hardware Security Modules (HSMs) and can be emulated for simple key files as well. This results in a unified API at the recipe level.
Many upstream projects which support signing of build artifacts already support PKCS#11 keys, so the amount of required patches is low.
Jan first started using OpenEmbedded when working on OpenMoko and OpenEZX around 2008. Today he supports colleagues and customers when using OE at Pengutronix.