Use the DER-formatted system trusted key

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc

@@ -11,9 +11,10 @@ SRC_URI += "\
 "
 
 do_configure_append() {
-    if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then
-        openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
-            -outform DER -out "${B}/system_trusted_cert.x509"
+    cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der"
+
+    if [ -f "$cert" ]; then
+        install -m 0644 "$cert" "${B}/system_trusted_cert.x509"
     else
         true
     fi

meta-signing-key/recipes-support/key-store/key-store_0.1.bb

@@ -29,10 +29,10 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
 
 # For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.pem"
+IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 
 # For ${PN}-system-trusted-cert
-SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.pem"
+SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der"
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 
@@ -83,7 +83,7 @@ do_install() {
     install -d "${D}${KEY_DIR}"
 
     key_dir="${@uks_system_trusted_keys_dir(d)}"
-    install -m 0644 "$key_dir/system_trusted_key.pem" "${D}${SYSTEM_CERT}"
+    install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}"
 
     if [ "${@uks_signing_model(d)}" = "sample" ]; then
         install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"

meta-signing-key/scripts/create-user-key-store.sh

@@ -47,6 +47,13 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
 SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
 
+pem2der() {
+    local src="$1"
+    local dst="${src/.crt/.der}"
+
+    openssl x509 -in "$src" -outform DER -out "$dst"
+}
+
 ca_sign() {
     local key_dir="$1"
     local key_name="$2"
@@ -68,8 +75,17 @@ ca_sign() {
             -keyout "$key_dir/$key_name.key" \
             -out "$key_dir/$key_name.csr"
 
+        local ca_cert="$ca_key_dir/$ca_key_name.crt"
+        local ca_cert_form="PEM"
+
+        [ ! -s "$ca_cert" ] && {
+            ca_cert="$ca_key_dir/$ca_key_name.der"
+            ca_cert_form="DER"
+        }
+
         openssl x509 -req -in "$key_dir/$key_name.csr" \
-            -CA "$ca_key_dir/$ca_key_name.crt" \
+            -CA "$ca_cert" \
+            -CAform "$ca_cert_form" \
 	    -CAkey "$ca_key_dir/$ca_key_name.key" \
             -set_serial 1 -days 3650 \
 	    -out "$key_dir/$key_name.crt"
@@ -109,6 +125,9 @@ create_system_user_key() {
 
     ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
         "/CN=System Trusted Certificate for $USER@`hostname`/"
+
+    pem2der "$key_dir/system_trusted_key.crt"
+    rm -f "$key_dir/system_trusted_key.crt"
 }
 
 create_ima_user_key() {
@@ -118,6 +137,9 @@ create_ima_user_key() {
 
     ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \
         "/CN=IMA Trusted Certificate for $USER@`hostname`/"
+
+    pem2der "$key_dir/x509_ima.crt"
+    rm -f "$key_dir/x509_ima.crt"
 }
 
 create_user_keys() {