diff mbox series

[v7,03/11] sandbox: capsule: Add keys and certificates needed for capsule update testing

Message ID 20230805113458.1430239-4-sughosh.ganu@linaro.org
State New
Series Integrate EFI capsule tasks into u-boot's build flow

Commit Message

Sughosh Ganu Aug. 5, 2023, 11:34 a.m. UTC
Add the private keys and public key certificates which are to be used
for capsule authentication while testing the EFI capsule update
functionality. There are two pairs of private and public keys. The
SIGNER.{key,crt} pair will be used for signing capsules, whilst the
SIGNER2.{key,crt} pair is to be used as malicious keys for testing
authentication failure cases. The SIGNER.crt is also converted to an
EFI Signature List (ESL) file, SIGNER.esl, which is embedded in the
platform's device-tree for capsule authentication.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
---
Changes since V6:
* New patch that puts the keys and cert files under board/sandbox/
  directory as suggested by Simon Glass.

 board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
 board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
 board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
 board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
 board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
 5 files changed, 94 insertions(+)
 create mode 100644 board/sandbox/SIGNER.crt
 create mode 100644 board/sandbox/SIGNER.esl
 create mode 100644 board/sandbox/SIGNER.key
 create mode 100644 board/sandbox/SIGNER2.crt
 create mode 100644 board/sandbox/SIGNER2.key

Comments

Simon Glass Aug. 5, 2023, 3:03 p.m. UTC | #1
Hi Sughosh,

On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> Add the private keys and public key certificates which are to be used
> for capsule authentication while testing the EFI capsule update
> functionality. There are two pairs of private and public keys. The
> SIGNER.{key,crt} pair will be used for signing capsules, whilst the
> SIGNER2.{key,crt} pair is to be used as malicious keys for testing
> authentication failure cases. The SIGNER.crt is also converted to an
> EFI Signature List(ESL) file, SIGNER.esl, which is embedded in the
> platform's device-tree for capsule authentication.
>
> Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> ---
> Changes since V6:
> * New patch that puts the keys and cert files under board/sandbox/
>   directory as suggested Simon Glass.
>
>  board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
>  board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
>  board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
>  board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
>  board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
>  5 files changed, 94 insertions(+)
>  create mode 100644 board/sandbox/SIGNER.crt
>  create mode 100644 board/sandbox/SIGNER.esl
>  create mode 100644 board/sandbox/SIGNER.key
>  create mode 100644 board/sandbox/SIGNER2.crt
>  create mode 100644 board/sandbox/SIGNER2.key

Can we call these good.* and bad.* so it is clear what they are for?
Also, please avoid capital letters in filenames.

Regards,
Simon
Sughosh Ganu Aug. 5, 2023, 5:50 p.m. UTC | #2
hi Simon,

On Sat, 5 Aug 2023 at 20:34, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Sughosh,
>
> On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > Add the private keys and public key certificates which are to be used
> > for capsule authentication while testing the EFI capsule update
> > functionality. There are two pairs of private and public keys. The
> > SIGNER.{key,crt} pair will be used for signing capsules, whilst the
> > SIGNER2.{key,crt} pair is to be used as malicious keys for testing
> > authentication failure cases. The SIGNER.crt is also converted to an
> > EFI Signature List(ESL) file, SIGNER.esl, which is embedded in the
> > platform's device-tree for capsule authentication.
> >
> > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > ---
> > Changes since V6:
> > * New patch that puts the keys and cert files under board/sandbox/
> >   directory as suggested Simon Glass.
> >
> >  board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
> >  board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
> >  board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
> >  board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
> >  board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
> >  5 files changed, 94 insertions(+)
> >  create mode 100644 board/sandbox/SIGNER.crt
> >  create mode 100644 board/sandbox/SIGNER.esl
> >  create mode 100644 board/sandbox/SIGNER.key
> >  create mode 100644 board/sandbox/SIGNER2.crt
> >  create mode 100644 board/sandbox/SIGNER2.key
>
> Can we call these good.* and bad.* so it is clear what they are for?
> Also, please avoid capital letters in filenames.

I was using the same nomenclature that was being used currently by the
efi capsule update tests. But I guess I can change this.

-sughosh
Simon Glass Aug. 5, 2023, 6:36 p.m. UTC | #3
Hi Sughosh,

On Sat, 5 Aug 2023 at 11:50, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> hi Simon,
>
> On Sat, 5 Aug 2023 at 20:34, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Sughosh,
> >
> > On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > >
> > > Add the private keys and public key certificates which are to be used
> > > for capsule authentication while testing the EFI capsule update
> > > functionality. There are two pairs of private and public keys. The
> > > SIGNER.{key,crt} pair will be used for signing capsules, whilst the
> > > SIGNER2.{key,crt} pair is to be used as malicious keys for testing
> > > authentication failure cases. The SIGNER.crt is also converted to an
> > > EFI Signature List(ESL) file, SIGNER.esl, which is embedded in the
> > > platform's device-tree for capsule authentication.
> > >
> > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > ---
> > > Changes since V6:
> > > * New patch that puts the keys and cert files under board/sandbox/
> > >   directory as suggested Simon Glass.
> > >
> > >  board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
> > >  board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
> > >  board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
> > >  board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
> > >  board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
> > >  5 files changed, 94 insertions(+)
> > >  create mode 100644 board/sandbox/SIGNER.crt
> > >  create mode 100644 board/sandbox/SIGNER.esl
> > >  create mode 100644 board/sandbox/SIGNER.key
> > >  create mode 100644 board/sandbox/SIGNER2.crt
> > >  create mode 100644 board/sandbox/SIGNER2.key
> >
> > Can we call these good.* and bad.* so it is clear what they are for?
> > Also, please avoid capital letters in filenames.
>
> I was using the same nomenclature that was being used currently by the
> efi capsule update tests. But I guess I can change this.

Yes please. You could use a patch at the start of your series, perhaps?

Regards,
Simon
Sughosh Ganu Aug. 5, 2023, 6:50 p.m. UTC | #4
hi Simon,

On Sun, 6 Aug 2023 at 00:06, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Sughosh,
>
> On Sat, 5 Aug 2023 at 11:50, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> >
> > hi Simon,
> >
> > On Sat, 5 Aug 2023 at 20:34, Simon Glass <sjg@chromium.org> wrote:
> > >
> > > Hi Sughosh,
> > >
> > > On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > >
> > > > Add the private keys and public key certificates which are to be used
> > > > for capsule authentication while testing the EFI capsule update
> > > > functionality. There are two pairs of private and public keys. The
> > > > SIGNER.{key,crt} pair will be used for signing capsules, whilst the
> > > > SIGNER2.{key,crt} pair is to be used as malicious keys for testing
> > > > authentication failure cases. The SIGNER.crt is also converted to an
> > > > EFI Signature List(ESL) file, SIGNER.esl, which is embedded in the
> > > > platform's device-tree for capsule authentication.
> > > >
> > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > ---
> > > > Changes since V6:
> > > > * New patch that puts the keys and cert files under board/sandbox/
> > > >   directory as suggested Simon Glass.
> > > >
> > > >  board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
> > > >  board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
> > > >  board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
> > > >  board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
> > > >  board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
> > > >  5 files changed, 94 insertions(+)
> > > >  create mode 100644 board/sandbox/SIGNER.crt
> > > >  create mode 100644 board/sandbox/SIGNER.esl
> > > >  create mode 100644 board/sandbox/SIGNER.key
> > > >  create mode 100644 board/sandbox/SIGNER2.crt
> > > >  create mode 100644 board/sandbox/SIGNER2.key
> > >
> > > Can we call these good.* and bad.* so it is clear what they are for?
> > > Also, please avoid capital letters in filenames.
> >
> > I was using the same nomenclature that was being used currently by the
> > efi capsule update tests. But I guess I can change this.
>
> Yes please. You could use a patch at the start of your series, perhaps?

Er, this is actually at the start of the series, isn't it. Well, at
least before we start adding relevant stuff like the ESL file incbin
logic in the u-boot.dtsi file -- this patch precedes patch 4 which is
adding the incbin logic to u-boot.dtsi.

-sughosh
Simon Glass Aug. 5, 2023, 7:06 p.m. UTC | #5
Hi Sughosh,

On Sat, 5 Aug 2023 at 12:50, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>
> hi Simon,
>
> On Sun, 6 Aug 2023 at 00:06, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Sughosh,
> >
> > On Sat, 5 Aug 2023 at 11:50, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > >
> > > hi Simon,
> > >
> > > On Sat, 5 Aug 2023 at 20:34, Simon Glass <sjg@chromium.org> wrote:
> > > >
> > > > Hi Sughosh,
> > > >
> > > > On Sat, 5 Aug 2023 at 05:35, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
> > > > >
> > > > > Add the private keys and public key certificates which are to be used
> > > > > for capsule authentication while testing the EFI capsule update
> > > > > functionality. There are two pairs of private and public keys. The
> > > > > SIGNER.{key,crt} pair will be used for signing capsules, whilst the
> > > > > SIGNER2.{key,crt} pair is to be used as malicious keys for testing
> > > > > authentication failure cases. The SIGNER.crt is also converted to an
> > > > > EFI Signature List(ESL) file, SIGNER.esl, which is embedded in the
> > > > > platform's device-tree for capsule authentication.
> > > > >
> > > > > Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
> > > > > ---
> > > > > Changes since V6:
> > > > > * New patch that puts the keys and cert files under board/sandbox/
> > > > >   directory as suggested Simon Glass.
> > > > >
> > > > >  board/sandbox/SIGNER.crt  |  19 +++++++++++++++++++
> > > > >  board/sandbox/SIGNER.esl  | Bin 0 -> 831 bytes
> > > > >  board/sandbox/SIGNER.key  |  28 ++++++++++++++++++++++++++++
> > > > >  board/sandbox/SIGNER2.crt |  19 +++++++++++++++++++
> > > > >  board/sandbox/SIGNER2.key |  28 ++++++++++++++++++++++++++++
> > > > >  5 files changed, 94 insertions(+)
> > > > >  create mode 100644 board/sandbox/SIGNER.crt
> > > > >  create mode 100644 board/sandbox/SIGNER.esl
> > > > >  create mode 100644 board/sandbox/SIGNER.key
> > > > >  create mode 100644 board/sandbox/SIGNER2.crt
> > > > >  create mode 100644 board/sandbox/SIGNER2.key
> > > >
> > > > Can we call these good.* and bad.* so it is clear what they are for?
> > > > Also, please avoid capital letters in filenames.
> > >
> > > I was using the same nomenclature that was being used currently by the
> > > efi capsule update tests. But I guess I can change this.
> >
> > Yes please. You could use a patch at the start of your series, perhaps?
>
> Er, this is actually at the start of the series, isn't it. Well, at
> least before we start adding relevant stuff like the ESL file incbin
> logic in the u-boot.dtsi file -- this patch precedes patch 4 which is
> adding the incbin logic to u-boot.dtsi.

OK, well anyway if you can rename them to be more meaningful that would help.

Regards,
Simon

Patch

diff --git a/board/sandbox/SIGNER.crt b/board/sandbox/SIGNER.crt
new file mode 100644
index 0000000000..82d8576a64
--- /dev/null
+++ b/board/sandbox/SIGNER.crt
@@ -0,0 +1,19 @@ 
+-----BEGIN CERTIFICATE-----
+MIIDDzCCAfegAwIBAgIUUzrWhMi7oPFshQP6eFlccqf7exswDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLVEVTVF9TSUdORVIwIBcNMjMwODA0MTgwNzQyWhgPMzAw
+MzEwMDYxODA3NDJaMBYxFDASBgNVBAMMC1RFU1RfU0lHTkVSMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsAX2ldD9Y0c0utd1NU/uFW7jFbMRV4cByWOc
++Rcer/nFgX9yta7ivu3BJ1ueWR17zRNiQpIzLyEipoSPwyyViD5wLrPLRXVP0dru
+aCWyiPm+hm7mpjvwhvR7F2efJTguq9nJI4scaL7APUhbIXHHSL9mK8IlbFnshaR/
+qwd//nBW64HVqWlHNd+uxpFP2Qp0kQwb1b80USNWuMtjaIBam2R1xxDac1jSd001
+4X/XcDORxRpJl+0gONw7Ws2nuggeBGlCsy2Fo9/mngEG3bwa7qSmUM9T1Cp+1+vg
+Rmi7ox7Yb4m2KaTXoD76mydcQW7+fQkCvpUVC8AtOTWMOfrCMQIDAQABo1MwUTAd
+BgNVHQ4EFgQUHvG7Xchqzwdggky+oyzlpNem8UowHwYDVR0jBBgwFoAUHvG7Xchq
+zwdggky+oyzlpNem8UowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AQEAUn1ncSqeXbQAHNrVOFldLwu70hNlMxf2z4EfH2M7vJgrpwkRuIFw7PXNITBh
+CImd/ghm5NGFysrK7BwdHkFvUXZV3rE93BhcLC9leWfky33kW9olIzpE14i5FfBn
+ABmaokPhOrzAneGzU35sZHNotlqOrzgpKVkpOWrykhYZ5Qjk8Sz0xvzuG8TJc20s
+2og+W8Rm2u/xI9xPxtFbq9vUjvFS35o1pm+vkzpgNdo4YS1PG37BW/aopsooLSk7
+9Rxv5vzNXtQqeZ5qBdKbAVh3OsgqwigTmXVvOX3xpy9r9qiimhaISxCt83RZ7wQW
+I19t9pXyxAi6u7MRhJZlAeH/3w==
+-----END CERTIFICATE-----
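Review bot: SIGNER.crt is added as a bare PEM blob, so nothing in the hunk records how it was produced (key size, digest, subject, validity period). Please put the generating openssl command in the commit message or in a short README next to the file, so the certificate can be regenerated and a reviewer can confirm that it pairs with SIGNER.key and SIGNER.esl.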
diff --git a/board/sandbox/SIGNER.esl b/board/sandbox/SIGNER.esl
new file mode 100644
index 0000000000000000000000000000000000000000..f8cc272309b2f80113c29e22bc9fdd5c767b4667
GIT binary patch
literal 831
zcmZ1&d0^?2Da*aux2_hA(f&|m&&&V@%1|1@gOCPI%=`vTjNcb9GchtTi3D3+YdNud
z!N;6d=3f<&F-6ONS4$i4vT<s)d9;1!Wn|=LWiSvk6fqEDV-96u=HU);4GxJ9_H_4i
z4Kh#==QT1murM$&v@kF?F^ZDlH#RUZHZ(9Wg9_l(*~F-XYzZSP19KB2KLgNRTue=j
zj0_uCzfHaHH`(1}*Y#3U|97H!k3}~NhPN}GOrG;oTyFi(qmA`NTh~3>_x7NA^t?#f
z>a)U0PLquF6_u8?^dHul+F@6qxB0YdssF`W?=n<3b^P4dmiKI#^@p}E)#B;%RW0;Z
z-#n?@Et9eDfUQTgV&QR*{b|~VRC6NVv@WS%&0hbnAnbMH)s>m<ruWw!o9KU&t7IaN
z^ws?)fy!Y!PA6wHM9oeqJuYyoIO0;duj#}3>jlOWk4kw?f2&||$2#il@?9KqESXN5
zbz2wTe>RVi?d~3_cT1K9oDaUDRd@aM1GkLbi{)<QcW%>Ma(#i_ui5G`j(PuTIhpoN
z73DslYiZhJ`RkA&6Eh<N<Kke0Km%D|xXbdfh_Q&secT;;BI`VRLX*$F#X3)yTwnIl
z%Rn9^t;`}}Al86g0Y6BAFeBrC7FGjhAcY+4z_<klJ0n9-ZF-^Byx1)aGPkZ;M8@iK
z@4h6QYApWke51U4vh|)B+RHfwcQh8f`Fd8-Ad#bU?mv#SCl^~!ojUbKMpn)-Kd>zH
z-bULy5-~dZsg>zZPS-w(zNM;c<#N4ar|5@t2FY2AoF7{4IWYI(=HR-Vl;VtSQGM$z
zG&LhNEwesN5|ez&@#Le<mt%k4Ngp{`oU3!I!!G(r+O78=mGAf;yBNLt_LaVmLHB2w
zF3Vp(*($;GmPMkjzjWQf=x-~Qozl?NwEilS|Lo7%xGP$f^Riek&1Q@!w>qJ9NJDsL
xX})Fc$L0Fj-&QP|CD!3Bu=aCF<a-t|<@nrhQ$HQy*tL7JV9T^r#)tp!0|2#rO&9<G

literal 0
HcmV?d00001
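Review bot: SIGNER.esl is an 831-byte binary that the commit message says is derived from SIGNER.crt, but the binary patch cannot be checked against the certificate in review, and the two can drift apart if the certificate is ever regenerated. Consider generating the ESL from SIGNER.crt at build or test time, or at least recording the exact conversion command (including the owner GUID used) alongside the file.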

diff --git a/board/sandbox/SIGNER.key b/board/sandbox/SIGNER.key
new file mode 100644
index 0000000000..9a37f59796
--- /dev/null
+++ b/board/sandbox/SIGNER.key
@@ -0,0 +1,28 @@ 
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwBfaV0P1jRzS6
+13U1T+4VbuMVsxFXhwHJY5z5Fx6v+cWBf3K1ruK+7cEnW55ZHXvNE2JCkjMvISKm
+hI/DLJWIPnAus8tFdU/R2u5oJbKI+b6GbuamO/CG9HsXZ58lOC6r2ckjixxovsA9
+SFshccdIv2YrwiVsWeyFpH+rB3/+cFbrgdWpaUc1367GkU/ZCnSRDBvVvzRRI1a4
+y2NogFqbZHXHENpzWNJ3TTXhf9dwM5HFGkmX7SA43Dtazae6CB4EaUKzLYWj3+ae
+AQbdvBrupKZQz1PUKn7X6+BGaLujHthvibYppNegPvqbJ1xBbv59CQK+lRULwC05
+NYw5+sIxAgMBAAECggEAHn8h/knjpMAw/BAZP//VrYP1Nwy7u/Dpl9U43JUrXWzG
+Uc3dd2nR4id6GBIRCLqJePnbQ9JlqMwyXyxHZhbC34SF1imTVbjh9+dY99VULdQr
+NMphDrsCzLbt3pu24HFv8Jk+dniDFwi5cMSo+U3nq4xxrLIp3rBjwLHD5sNZYyEU
+9xZnj7ziTn5X8da8iRxNpyzz2kQeVemJ0ahr/IkX718bkakSFMesGkln06vH7rAs
+069SeqOPrFEbWYXI5iMktLugl3JZpzasRE48j0M42PuProgvT7jb8B35ZF7kn0jT
+MqTIHglsJRWcSY0fAb2lHSAvd2vLLVunxr9PDWZvGQKBgQDVzVTuvo1CrVrQLy+B
+tpy2k5mjR3qxAOcoWTnKcMErLe8imWWaxukODenP4XqQIX4Sl+X3BXxOqun0Klap
+FEsI7TWSHf0eULFtFj0SCgqfRR+V/nblP05eO2nFXgr5YdNa1bWf/aMHplBo4q9e
+bbAr4InUB7IGWL2cWjhOhWuJbQKBgQDSw81cBM+vGPUYH/wlxlTVgZCo2Dg2NHjt
+LUBqvOZNr21j2F+w8t1vKmqwhkqpc5HIi3pHjEA5gZLTRtmf4GQyo973I6MGn4bS
+eayOd6/+FkAi9DUD+WaF7yctJqeevav6KF2UCiz78OtCAU5Y9jFFJpuOANIztI7m
+t7ZCUpMFVQKBgFnAsP7oj3SGQbFTnaXeeztKCx04TJExx9hwXIpXe0AdMF5d9wFa
+r0tvG9Bg34rSBJLZoXhpnR2JMl2FyIuCMV219t84J6IqTdF1nH2OKZdi9TeKc28Z
+fFSirGxmZkT6hDeFr5FScLYtY2QkhWomseY5hKK1+E4hwrd4SFruN46hAoGBAJgh
+nzTBgEtqH1enlrCJhSiLmihV0dVGcNb559pjuXTvoG0GfKPT2gPowRPkCzZe5ia0
+jrHgSWd44MtCA8nEBW8MG9+VyJH6Si3Yh7ZaLB2iX+8bCL1yow8f/c44bZtGW0F5
+K3q1EZ1VW+rL2IqcQhog8P1CGHgb514f0x3yTo71AoGACGdb+Nb6lg8OSJPUcuuH
+xsWk6RhkJl9bldTleS+QT3R9zO3FvbTwnCCYJboh5Cq/jVmiA7T+fcVAyEJNHSdm
+hxbHdScuiJdNWL9+FczOkylnKH3VEdG3RS5lGdyi6r+miTMs3h8WfzGp4JINysjg
+PUFskK36qGjASfkRUn0hizQ=
+-----END PRIVATE KEY-----
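Review bot: SIGNER.key is an unencrypted private key checked in under board/sandbox/ with nothing in the file name or the hunk marking it as test-only. Because the key is public, any build that embeds SIGNER.esl will accept capsules signed by anyone; please name or document the pair as test material and make sure the ESL embedding is limited to sandbox test configurations.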
diff --git a/board/sandbox/SIGNER2.crt b/board/sandbox/SIGNER2.crt
new file mode 100644
index 0000000000..2e8e5d5828
--- /dev/null
+++ b/board/sandbox/SIGNER2.crt
@@ -0,0 +1,19 @@ 
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
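Review bot: the file name SIGNER2.crt does not say that this is the certificate for the authentication-failure tests, and the hunk has the same 19-line shape as SIGNER.crt, so swapping the two by mistake when producing the ESL would be easy to miss. A name that states the role (as asked in the thread) and a test that asserts a capsule signed with this pair is rejected would make the intent checkable.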
diff --git a/board/sandbox/SIGNER2.key b/board/sandbox/SIGNER2.key
new file mode 100644
index 0000000000..2324f69ebd
--- /dev/null
+++ b/board/sandbox/SIGNER2.key
@@ -0,0 +1,28 @@ 
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----