Generate signing keys using OpenSSL utilities
Brief summary
Utilize OpenSSL command line utilities to generate the necessary signing keys for the capsule update process.
Additional context
Create a list of supported algorithms and key sizes with links to source code or edk2 documentation, along with OpenSSL commands to create those.
No Jira task for this, or is it part of some task named differently?
Update: I found it.
coreboot PR (capsule.sh update): https://github.com/Dasharo/coreboot/pull/552
docs PR: https://github.com/Dasharo/docs/pull/885
I have managed to create all the required certificates using the documentation and to create a capsule. I cannot test whether using the generated keys in capsule.sh make would work because of "error: current board configuration lacks support of update capsules" when building for either qemu or vp66xx. Signing the capsule and verifying the signature would be the last step in verifying that everything works. Do you know of any device which supports capsules, or whether I can easily change this in the config?
I have been able to sign the capsule with the generated keys using capsule.sh make, and to decode and verify it using payloads/external/edk2/workspace/Dasharo/BaseTools/BinWrappers/PosixLike/GenerateCapsule, which probably means that the instructions are valid. The only issue is with selecting the CA to be used by openssl, which looks for the CA at /etc/ssl/pki/CA by default on my and @JanPrusinowski's systems.
Here are all the artifacts I have generated in the process. results.zip
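One way to keep `openssl ca` independent of the system-wide default CA directory mentioned in the last comment is to pass it a local config whose `dir` points into the working tree. This is an added example, not taken from the issue, the linked PRs or the edk2 documentation; the file names, subject names, extension sections and the RSA-2048/SHA-256 choice are assumptions.

```shell
# Added example; names and key parameters are constructed. Keys are written
# unencrypted (-nodes) so the script runs without prompts.
make_chain() {   # usage: make_chain <empty working directory>
  mkdir -p "$1/ca/newcerts" && : > "$1/ca/index.txt" && echo 01 > "$1/ca/serial" || return 1
  # [ local_ca ] pins all CA state under <dir>/ca instead of the system default.
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = local_ca
[ local_ca ]
dir            = $1/ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
default_md     = sha256
default_days   = 365
unique_subject = no
policy         = policy_cn
[ policy_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_signer ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Self-signed root, then an intermediate and a signer issued through `openssl ca`.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -extensions v3_ca \
    -days 365 -subj "/CN=Example Root" -keyout "$1/root.key" -out "$1/root.pem" \
    2>/dev/null || return 1
  issue "$1" sub "Example Intermediate" root v3_ca &&
  issue "$1" signer "Example Capsule Signer" sub v3_signer
}
issue() {   # usage: issue <dir> <name> <CN> <issuer name> <extension section>
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl ca -batch -notext -config "$1/ca.cnf" -extensions "$5" \
    -cert "$1/$4.pem" -keyfile "$1/$4.key" -in "$1/$2.csr" -out "$1/$2.pem" 2>/dev/null
}
verify_chain() {   # succeeds only if signer.pem chains to root.pem via sub.pem
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/signer.pem" >/dev/null 2>&1
}
```

Because `-config` is given on every call, the result does not depend on where the distribution's openssl.cnf places its CA directory.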