diff --git a/README.md b/README.md index 9a5af0d..b07ceb0 100644 --- a/README.md +++ b/README.md @@ -267,6 +267,7 @@ Operation ``` Usage: habtool [OPTIONS] -h Show this help + -z "file" (default) or "gcp" SRK CA creation options: -C SRK private key in PEM format @@ -282,19 +283,19 @@ CSF/IMG certificates creation options: -b IMG public key in PEM format SRK table creation options: - -1 SRK public key 1 in PEM format - -2 SRK public key 2 in PEM format - -3 SRK public key 3 in PEM format - -4 SRK public key 4 in PEM format + -1 SRK public key 1 ('file': PEM format, 'gcp': resource ID) + -2 SRK public key 2 ('file': PEM format, 'gcp': resource ID) + -3 SRK public key 3 ('file': PEM format, 'gcp': resource ID) + -4 SRK public key 4 ('file': PEM format, 'gcp': resource ID) -o Write SRK table hash to file -t Write SRK table to file Executable signing options: - -A CSF private key in PEM format - -a CSF public key in PEM format - -B IMG private key in PEM format - -b IMG public key in PEM format + -A CSF private key ('file': PEM format, 'gcp': resource ID) + -a CSF public key ('file': PEM format, 'gcp': resource ID) + -B IMG private key ('file': PEM format, 'gcp': resource ID) + -b IMG public key ('file': PEM format, 'gcp': resource ID) -t Read SRK table from file -x <1-4> Index for SRK key -e Crypto engine (e.g. 0x1b for HAB_ENG_DCP) 
@@ -311,6 +312,31 @@ The [USB armory](https://github.com/usbarmory/usbarmory/wiki) guide for [Secure Boot](https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)) provides an introduction on HABv4 using the USB armory Mk II as reference platform. +Google Cloud support +-------------------- + +When setting the `-z` flag to `gcp`, `habtool` will use the Google Cloud APIs to fetch certificates +and perform signing operations. This backend requires that public and private keys are referenced +using [GCP Resource IDs](https://cloud.google.com/config-connector/docs/how-to/managing-resources-with-resource-ids) +rather than on-disk files. + +Signing keys must be stored in [CloudHSM](https://cloud.google.com/kms/docs/hsm), and the particular +keys to use when signing the CSF and IMG payloads are passed as +[CloudHSM Key Resource IDs](https://cloud.google.com/kms/docs/getting-resource-ids) to the `-A` and `-B`flags, e.g: +`projects/myProject/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1`. + +Public key Resource IDs, passed via the `-1`, `-2`, `-3`, `-4`, `-A`, or `-B` flags, should reference either: + +- a +[Certificate](https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools.certificates#Certificate) +resource, e.g.: +`projects/myProject/locations/us-central1/caPools/myPool/certificates/myCertificate` +- a [CertificateAuthority](https://cloud.google.com/certificate-authority-service/docs/reference/rpc/google.cloud.security.privateca.v1#google.cloud.security.privateca.v1.CertificateAuthority) +resource, e.g.: +`projects/myProject/locations/us-central1/caPools/myPool/certificateAuthorities/myCertificateAuthority` + +In the later case, the authoritie's public key certificate will be used. + License ======= diff --git a/cmd/habtool/README.md b/cmd/habtool/README.md index f795e02..cebe5e0 100644 --- a/cmd/habtool/README.md +++ b/cmd/habtool/README.md 
@@ -121,8 +121,8 @@ The [USB armory](https://github.com/usbarmory/usbarmory/wiki) guide for [Secure Boot](https://github.com/usbarmory/usbarmory/wiki/Secure-boot-(Mk-II)) provides an introduction on HABv4 using the USB armory Mk II as reference platform. -Using `habtool` with Google Cloud -================================= +Google Cloud support +==================== When setting the `-z` flag to `gcp`, `habtool` will use the Google Cloud APIs to fetch certificates and perform signing operations. This backend requires that public and private keys are referenced
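Review bot: in the first README.md hunk (@@ -267), the new `-z "file" (default) or "gcp"` usage line never says what the flag selects; every other option in the block is a `flag  description` pair, so name the setting, e.g. `-z Key/certificate backend: "file" (default) or "gcp"`, so a reader of `habtool -h` alone understands it without the section further down.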
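Review bot: in the second README.md hunk (@@ -282), the `'gcp': resource ID` wording is applied uniformly to `-1`..`-4`, `-A`, `-a`, `-B` and `-b`, but the new section below states that the private-key flags take CloudHSM key version resource IDs while the public-key flags take Certificate or CertificateAuthority resource IDs. Distinguishing the two in the help text (e.g. `'gcp': CloudHSM key version resource ID` for `-A`/`-B` and `'gcp': CA Service certificate resource ID` for the public keys) would spare users a failed run when they pass the wrong resource type.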
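Review bot: in the third README.md hunk (@@ -311), the sentence "Public key Resource IDs, passed via the `-1`, `-2`, `-3`, `-4`, `-A`, or `-B` flags" names the wrong flags: per the usage block above, `-A` and `-B` are the CSF/IMG private keys and the corresponding public keys are `-a` and `-b`; the list should read `-1`, `-2`, `-3`, `-4`, `-a`, or `-b`. Minor wording fixes in the same hunk: "the `-A` and `-B`flags, e.g:" is missing a space and a period ("`-B` flags, e.g.:"), and "In the later case, the authoritie's public key certificate" should be "In the latter case, the authority's public key certificate".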
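Review bot: in the cmd/habtool/README.md hunk (@@ -121), the heading rename brings this file in line with the top-level README, but the paragraph that follows is the same "When setting the `-z` flag to `gcp`..." text now added to README.md; keeping two verbatim copies means the `-A`/`-B` versus `-a`/`-b` correction and the typo fixes have to be applied in both places, so consider keeping the full section in one file and linking to it from the other.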