feat: Add PKCS#11 support for platform key(s)

[bencorrado]

Is your feature request related to a problem? Please describe.

When using auroraboot to build a UKI we should be able to pass a URI for a PKCS#11 device that is holding the RSA private key.

Describe the solution you'd like

Add support to go-ukify and auroraboot to pass in a URI, passcode and/or module link to allow for the private key (primarily db.key) to be stored on a hardware key instead of plaintext on the filesystem.

Describe alternatives you've considered

Keep using a more insecure option of keys in plaintext on the filesystem.

Additional context

For auroraboot something like changing/adding:

		&cli.StringFlag{
			Name:  "sb-key-uri",
			Value: "",
			Usage: "Override SBKey with a PKCS#11 URI (e.g. 'pkcs11:manufacturer=piv_II;id=%02'). If empty, the default file-based key will be used.",
		},
		&cli.StringFlag{
			Name:  "pkcs11-pin",
			Value: "",
			Usage: "PIN for the PKCS#11 token (YubiKey); required when using a pkcs11 URI",
		},
		&cli.StringFlag{
			Name:  "pkcs11-path",
			Value: "/usr/lib/libykcs11.so",
			Usage: "Path to the PKCS#11 module (default: /usr/lib/libykcs11.so)",
		},

...

		// Check if the keys directory contains the required files
		requiredFiles := []string{"db.der", "db.auth", "KEK.der", "KEK.auth", "PK.der", "PK.auth", "tpm2-pcr-private.pem"}
		// If no SBKey override is provided, then require "db.key".
		if ctx.String("sb-key-uri") == "" {
			requiredFiles = append(requiredFiles, "db.key")
		}

...


			var sbKey string
			if ctx.String("sb-key-uri") != "" {
				// Use the provided PKCS#11 URI.
				sbKey = ctx.String("sb-key-uri")
			} else {
				// Otherwise use the default file-based SBKey.
				sbKey = filepath.Join(ctx.String("keys"), "db.key")
			}

			builder := &uki.Builder{
				Arch:          config.Arch,
				Version:       kairosVersion,
				SdStubPath:    stub,
				KernelPath:    filepath.Join(artifactsTempDir, "vmlinuz"),
				InitrdPath:    filepath.Join(artifactsTempDir, "initrd"),
				Cmdline:       entry.Cmdline,
				OsRelease:     filepath.Join(sourceDir, "etc/os-release"),
				OutUKIPath:    entry.FileName + ".efi",
				PCRKey:        filepath.Join(ctx.String("keys"), "tpm2-pcr-private.pem"),
				SBKey:         sbKey,
				SBCert:        filepath.Join(ctx.String("keys"), "db.pem"),
				SdBootPath:    systemdBoot,
				OutSdBootPath: outputSystemdBootEfi,
				Splash:        ctx.String("splash"),
			        PKCS11Pin:    ctx.String("pkcs11-pin"),
			        PKCS11Path:   ctx.String("pkcs11-path"),
			}

and adding support for github.com/ThalesIgnite/crypto11 to go-ukifiy and the handlers to support the auroraboot parts above.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[Itxaka]

nitrokeys seems to cover this and they are pretty cheap for testing https://www.nitrokey.com/products/nitrokeys

I got one for myself to substitute my 2 yubikeys so I migth be able to test this when it arrives.

[bencorrado]

I just bought some https://www.smartcard-hsm.com/ from the US disti last week, they arrive tomorrow.

You can probably get them from: https://www.cardomatic.de/en/c/smartcard-hsm

The banner on the Nitrokey HSM 2 site said wait till August.

The regular NitroKey can only hold a few keys, the HSM version can hold 10's of them. It also lets you setup security zones and have a few HSMs all hold they same copies of keys without they plaintext ever being exposed. This is what I plan to use for production. I can write a blog on it when we get things moving here.

[Itxaka]

a thing that its clear is that most of the docs and libs out there are for the ?HSM versions of all this keys, so make sure that we get one. The one mentioned by @bencorrado seems cheap enough that we can get one to add the support in there.

Also this: have a few HSMs all hold they same copies of keys its very interesting becuase it means the whole team could have a a hardware key that contains the "kairos official key" or whatever so we dont have to rely on a single person for this. Still the more people that has it the more chances to lose it soooo...

[Itxaka]

also having a look at the smartcard-hsm, they seem to cover also our use cases