key-store: rename ima private key and certificate on target

If sample keys are selected, key-store service will deploy IMA private key during first boot, but beople may be confused if we deploy a sample private key like "xxx.crt", so this commit is making sure key/cert on target are consistent with key files on build system. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2026-04-20 18:08:17 +00:00 · 2018-10-26 10:16:42 +08:00
parent bf314c0d0c
commit 37a59625e5
4 changed files with 18 additions and 5 deletions
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -110,6 +110,19 @@ default, the sample keys are used for the purpose of development and
 demonstration. Please ensure you know what your risk is to use the sample keys
 in your product, because they are completely public.

+If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key.
+
+A typical signing command is as following:
+
+    # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> /path/to/file
+or
+
+    # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> -r /path/to/directory
+
+The following command can be used to verify a file's IMA signature with specified certificate:
+
+    # evmctl ima_verify --key /etc/keys/x509_ima.der /path/to/file
+
 ### RPM File Signing
 The payloads in a RPM are signed by the private key during the build, and each
 IMA signatures for the corresponding  payload file will be eventually written
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -110,10 +110,10 @@ for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do
    fi
 done

-# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
+# The trusted IMA certificate /etc/keys/x509_ima.der in initramfs was
 # automatically loaded by kernel already. Here is the opportunity to load
 # a custom IMA certificate from the real rootfs.
-for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
+for cert in ${ROOT_DIR}/etc/keys/x509_ima*.der; do
    [ ! -s "$cert" ] && continue
    name=`basename $cert`

--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -19,5 +19,5 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_BLACKLIST_KEYRING=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -24,7 +24,7 @@ SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"

 # For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
+IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"

 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
@@ -37,7 +37,7 @@ SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.d
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"

 # For ${PN}-ima-cert
-IMA_CERT = "${KEY_DIR}/x509_evm.der"
+IMA_CERT = "${KEY_DIR}/x509_ima.der"

 python () {
    if not (uks_signing_model(d) in "sample", "user"):