Secure your Revision¶
This page shows how to make Pantavisor check the integrity of your revision using the secureboot feature.
Note
Bear in mind that secureboot is set to lenient by default in the configuration. In lenient mode Pantavisor verifies only the artifacts that carry a signature and accepts unsigned ones; if you want it to require that every artifact in the revision is signed (and to reject the revision otherwise), set it to strict.
There are two options, depending on how we want to store the public key that Pantavisor will use: an on-disk public key or a certificate chain of trust.
Use an on-disk public key¶
You can use OpenSSL to generate a new key pair:
mkdir keys; cd keys
openssl genrsa -out priv.pem 2048
openssl rsa -in priv.pem -outform PEM -pubout -out pub.pem
cd ..
With the keys created, we have to put the public key in the initrd rootfs. To do so, you will need to build Pantavisor with the PV_PVS_PUB_PEM option:
PV_PVS_PUB_PEM=/home/anibal/keys/pub.pem \
PVR_MERGE_SRC=https://pvr.pantahub.com/pantahub-ci/rpi64_5_10_y_bsp_latest \
./build.docker.sh rpi64-5.10.y
Now let us sign one of the platforms using pvr sig in your cloned revision:
cd my-checkout
pvr sig --key ../keys/priv.pem add -p pv-avahi
pvr add .
pvr commit
pvr post
And we are set! Pantavisor will now verify the signature of the signed artifacts using the on-disk public key.
Use a certificate chain of trust¶
To generate a chain of certificates using OpenSSL:
mkdir keys; cd keys
openssl genrsa -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl genrsa -out myKey.key 2048
openssl req -nodes -new -key myKey.key -out myKey.csr
openssl x509 -req -in myKey.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out myKey.crt -days 825 -sha256
cd ..
We need to put the root certificate (myCA.pem, the private key stays offline) in the initrd rootfs. For that, you will need to build Pantavisor with the PV_PVS_CERT_PEM option:
PV_PVS_CERT_PEM=/home/anibal/keys/myCA.pem \
PVR_MERGE_SRC=https://pvr.pantahub.com/pantahub-ci/rpi64_5_10_y_bsp_latest \
./build.docker.sh rpi64-5.10.y
Finally, you can sign one of the platforms using pvr sig in your cloned revision, passing the leaf certificate with --x5c and its private key with --key:
cd my-checkout
pvr sig --x5c ../keys/myKey.crt --key ../keys/myKey.key add --part pvr-sdk
pvr add .
pvr commit
pvr post
Pantavisor will now verify the signature of the signed artifacts using the public key carried in the revision's leaf certificate. It will also check that the certificate chains to the on-disk root certificate, so a signature made with a key whose certificate was issued by some other CA is rejected even though it verifies under its own certificate.
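To make the two checks above concrete, here is an added shell walkthrough (not pvr or Pantavisor code, and it does not reproduce pvr's signature format) that reuses the OpenSSL commands from both sections of this page on a constructed artifact file. It shows the on-disk public key mode (signature verified directly with pub.pem) and the chain mode (signature verified with the key in the leaf certificate, then the certificate verified against the root), and it also shows why the chain check matters: a "rogue" CA of our own making produces a perfectly valid signature that must still be refused. The file names, the rogue CA and the artifact contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: mimics Pantavisor's secureboot checks with plain openssl.
# Not pvr/Pantavisor code; file names and the rogue CA are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- key material, same commands as the page, made non-interactive with -subj ---
mk_ca() {   # $1 = CA name -> $1.key, $1.pem (self-signed root)
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1.key" -sha256 -days 1825 \
    -subj "/CN=$1" -out "$1.pem" 2>/dev/null
}
mk_leaf() { # $1 = leaf name, $2 = issuing CA name -> $1.key, $1.crt
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -nodes -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 825 -sha256 2>/dev/null
}

# --- the checks ---
sign() {            # $1 = private key, $2 = artifact, $3 = signature out
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
sig_ok_pubkey() {   # on-disk public key mode: $1 = pub.pem, $2 = artifact, $3 = sig
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}
chain_ok() {        # $1 = leaf cert, $2 = trusted root embedded in the initrd
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
sig_ok_cert() {     # chain mode step 1: verify with the key inside the leaf cert
  openssl x509 -in "$1" -pubkey -noout > "$1.pub"
  sig_ok_pubkey "$1.pub" "$2" "$3"
}
verify_chain_mode() { # $1 = leaf cert, $2 = root, $3 = artifact, $4 = sig
  sig_ok_cert "$1" "$3" "$4" && chain_ok "$1" "$2"
}

# --- constructed revision artifact (contents are made up for the example) ---
printf '{"name":"pv-avahi","docker_name":"pv-avahi"}\n' > pv-avahi.json

# On-disk public key mode: priv.pem signs, pub.pem verifies
openssl genrsa -out priv.pem 2048 2>/dev/null
openssl rsa -in priv.pem -outform PEM -pubout -out pub.pem 2>/dev/null
sign priv.pem pv-avahi.json pv-avahi.pub.sig

# Chain mode: myCA is the trusted root, myKey the signing leaf
mk_ca myCA; mk_leaf myKey myCA
sign myKey.key pv-avahi.json pv-avahi.sig

# An attacker's own CA issues a leaf and signs the same artifact
mk_ca rogueCA; mk_leaf rogue rogueCA
sign rogue.key pv-avahi.json rogue.sig

# A tampered copy of the artifact
printf '{"name":"pv-avahi","docker_name":"evil/pv-avahi"}\n' > tampered.json

report() { if "$@"; then echo "ACCEPT: $*"; else echo "REJECT: $*"; fi; }
report sig_ok_pubkey pub.pem pv-avahi.json pv-avahi.pub.sig     # accept
report sig_ok_pubkey pub.pem tampered.json pv-avahi.pub.sig     # reject: tampered
report verify_chain_mode myKey.crt myCA.pem pv-avahi.json pv-avahi.sig  # accept
report sig_ok_cert rogue.crt pv-avahi.json rogue.sig            # accept by itself...
report verify_chain_mode rogue.crt myCA.pem pv-avahi.json rogue.sig     # ...rejected by chain check
```

The rogue case is the one to remember: the signature check alone passes, because the signature was made with the key that really belongs to rogue.crt; only the chain check against the root baked into the initrd tells Pantavisor that this certificate was never authorised. This is also why only the root certificate, never a signing private key, goes into the Pantavisor build.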