I am following your tutorial on YouTube for ONIE secure Boot tutorial.
I am attempting to generate the keys using the command:
$: make MACHINE=kvm_x86_64 signing-keys-install.
A majority of the keys are generated in the directory: onie/encryption/machines/kvm_x86_64/keys
But the command is unsuccessful and exits.
I am providing a screenshot of my terminal.
Can you please guide?
P.S: I am running as build, not root & I am NOT using DUE.
I do not want to use DUE!
For the error above, you're trying to generate secure keys twice. The line about 'keys directory already exists' is there to indicate you're about to overwrite keys that may have already been used for signing, as the script has no way of knowing if you're using them elsewhere and takes the safer route of not overwriting them and potentially making already signed code useless. The install step is there to copy the keys to a virtual USB drive, which can then be used to program the keys into the virtual UEFI BIOS when running ONIE in emulation.
However, the problem with secure boot is that it depends quite a bit on the developer's build environment. Things like key handling, the location of a signed shim, etc., are really difficult to deploy in a generalized way that would meet an organization's security requirements, and the deployment for the kvm_x86_64 target in ONIE is really more of an example to show all the steps involved and prove that they work. To do that it has to make assumptions about key handling and the location of the signed shim which are built into the build process to be able to move build products from one step to the next, from build setup, to build, to runtime setup, to running. All of which may have unique user requirements.
So deploying this in any other way than what has been provided becomes an exercise for the user, as they're the only ones who understand their environment.
It also makes it difficult to debug these things when there isn't a shared environment, which is one of the problems that DUE addresses - it's very easy to set up an identical environment for both parties to debug in.
So to summarize - ONIE build for secure boot isn't currently supported outside of the examples that have been provided because there are so many end-user-specific details that cannot be known by the ONIE. Using what is there as a reference is the recommended way to get any particular end-user solution to work.
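The no-overwrite behaviour described in the reply above, as an added shell example; it is not part of the thread and not ONIE's own script. The function names, the archive naming and the use of `sha256sum` are assumptions; the default path is the one quoted in the question.

```shell
#!/bin/sh
# Added example: a no-overwrite guard for a signing-key directory.
# Function names and archive naming are hypothetical, not ONIE's.

# keys_state DIR: print "absent", "empty" or "populated".
keys_state() {
    if [ ! -d "$1" ]; then
        echo absent
    elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then
        echo empty
    else
        echo populated
    fi
}

# guard_generate DIR: succeed only when generating cannot clobber keys.
guard_generate() {
    case "$(keys_state "$1")" in
        absent|empty) return 0 ;;
    esac
    echo "refusing: $1 already holds keys; archive it, do not delete it" >&2
    return 1
}

# keys_manifest DIR: SHA-256 of every file, so a key set can later be
# matched to the artifacts it signed (assumes GNU sha256sum).
keys_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# archive_keys DIR: move DIR aside, restrict access, print the new path.
archive_keys() {
    [ -d "$1" ] || return 1
    dest="$1.archived.$(date +%Y%m%d%H%M%S).$$"
    mv "$1" "$dest" || return 1
    chmod -R go-rwx "$dest"
    keys_manifest "$dest" > "$dest.sha256"
    echo "$dest"
}

# Read-only report; the default is the path quoted in the question.
KEYS_DIR="${KEYS_DIR:-onie/encryption/machines/kvm_x86_64/keys}"
echo "$KEYS_DIR: $(keys_state "$KEYS_DIR")"
```

Call `guard_generate "$KEYS_DIR"` before any key-generation step, and use `archive_keys` only once the old key set is confirmed retired, since anything signed with it still needs those keys to verify.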