From 464433a169336a4362021e67a6f935a152450239 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Thu, 17 Aug 2017 11:22:49 +0800 Subject: [PATCH] sign_rpm_ext: support RPM signing Signed-off-by: Lans Zhang --- meta-integrity/classes/sign_rpm_ext.bbclass | 51 ++++++++++++++++--- .../classes/user-key-store.bbclass | 20 +++++++- .../files/rpm_keys/RPM-GPG-KEY-SecureCore | 18 +++++++ .../files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore | 32 ++++++++++++ 4 files changed, 113 insertions(+), 8 deletions(-) create mode 100644 meta-signing-key/files/rpm_keys/RPM-GPG-KEY-SecureCore create mode 100644 meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore diff --git a/meta-integrity/classes/sign_rpm_ext.bbclass b/meta-integrity/classes/sign_rpm_ext.bbclass index d00e8c3..26746c2 100644 --- a/meta-integrity/classes/sign_rpm_ext.bbclass +++ b/meta-integrity/classes/sign_rpm_ext.bbclass @@ -1,16 +1,55 @@ -#RPM_GPG_NAME ?= "SecureCore Sample RPM Signing Key" -#RPM_GPG_PASSPHRASE ?= "password" +# RPM_GPG_NAME and RPM_GPG_PASSPHRASE must be configured in your build +# environment. By default, the values for the sample keys are configured +# in meta-signing-key. +RPM_GPG_NAME ?= "SecureCore" +RPM_GPG_PASSPHRASE ?= "SecureCore" + RPM_GPG_BACKEND ?= "local" # SHA-256 is used for the file checksum digest. RPM_FILE_CHECKSUM_DIGEST ?= "8" RPM_SIGN_FILES = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}" +# By default, the values below are applicable for the sample keys provided +# by meta-signing-key. RPM_FSK_PATH ?= "${@uks_ima_keys_dir(d) + 'x509_ima.key'}" RPM_FSK_PASSWORD ?= "password" inherit sign_rpm user-key-store -#python () { -# if not d.getVar('GPG_PATH', True): -# d.setVar('GPG_PATH', d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg') -#} +python () { + if d.getVar('RPM_SIGN_FILES', True) != '1': + return + + gpg_path = d.getVar('GPG_PATH', True) + if not gpg_path: + gpg_path = d.getVar('DEPLOY_DIR_IMAGE', True) + '/.gnupg' + + if not os.path.exists(gpg_path): + cmd = ' '.join(('mkdir -p', gpg_path)) + status, output = oe.utils.getstatusoutput(cmd) + if status: + raise bb.build.FuncFailed('Failed to create gpg keying %s: %s' % + (gpg_path, output)) + + d.setVar('GPG_PATH', gpg_path) + + gpg_bin = d.getVar('GPG_BIN', True) or \ + bb.utils.which(os.getenv('PATH'), 'gpg') + gpg_keyid = d.getVar('RPM_GPG_NAME', True) + + # Check RPM_GPG_NAME and RPM_GPG_PASSPHRASE + cmd = "%s --homedir %s --list-keys -a %s" % \ + (gpg_bin, gpg_path, gpg_keyid) + status, output = oe.utils.getstatusoutput(cmd) + if not status: + return + + # Import RPM_GPG_NAME if not found + gpg_key = uks_rpm_keys_dir(d) + 'RPM-GPG-PRIVKEY-' + gpg_keyid + cmd = '%s --homedir %s --import %s' % \ + (gpg_bin, gpg_path, gpg_key) + status, output = oe.utils.getstatusoutput(cmd) + if status: + raise bb.build.FuncFailed('Failed to import gpg key (%s): %s' % + (gpg_key, output)) +} diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 57610ac..c3ed1cf 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass @@ -11,6 +11,7 @@ UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}' IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' +RPM = '1' def vprint(str, d): if d.getVar('USER_KEY_SHOW_VERBOSE', True) == '1': @@ -32,6 +33,7 @@ def uks_rpm_keys_dir(d): if uks_signing_model(d) != 'sample': return '' + set_keys_dir('RPM', d) return d.getVar('RPM_KEYS_DIR', True) + '/' def sign_efi_image(key, cert, input, output, d): @@ -165,6 +167,19 @@ def check_system_trusted_keys(d): vprint("%s.crt is unavailable" % _, d) return False +def check_rpm_keys(d): + dir = uks_rpm_keys_dir(d) + + _ = dir + 'RPM-GPG-PRIVKEY-' + d.getVar('RPM_GPG_NAME', True) + if not os.path.exists(_): + vprint("%s is unavailable" % _, d) + return False + + _ = dir + 'RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True) + if not os.path.exists(_): + vprint("%s is unavailable" % _, d) + return False + # Convert the PEM to DER format. def pem2der(input, output, d): import bb.process @@ -338,6 +353,8 @@ def sanity_check_user_keys(name, may_exit, d): _ = check_ima_user_keys(d) elif name == 'SYSTEM_TRUSTED': _ = check_system_trusted_keys(d) + elif name == 'RPM': + _ = check_rpm_keys(d) else: _ = False may_exit = True @@ -359,8 +376,7 @@ def set_keys_dir(name, d): d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys') python check_deploy_keys() { - # XXX: the user key for rpm signing is necessary but not required. - for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED'): + for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'): if d.getVar(_, True) != "1": continue diff --git a/meta-signing-key/files/rpm_keys/RPM-GPG-KEY-SecureCore b/meta-signing-key/files/rpm_keys/RPM-GPG-KEY-SecureCore new file mode 100644 index 0000000..e82739d --- /dev/null +++ b/meta-signing-key/files/rpm_keys/RPM-GPG-KEY-SecureCore @@ -0,0 +1,18 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E +Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS +tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u +PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV +vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY +bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAG0OVNlY3VyZUNvcmUgKFJQ +TSBTaWduaW5nIENlcnRpZmljYXRlKSA8U2VjdXJlQ29yZUBmb28uY29tPokBOAQT +AQIAIgUCWY1vjwIbLwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ/WXQJg3d +uIpC8ggAhiX9mcr9/phJckcUoQNZJuhxxn+IOU533QYapWh1ulikr4Hqa8Q0bsDr +szXJoPd+u18oPE8TE9Q/pUvcRCpVPtP2lbc91cyWXbchbMATFvmt/wcCFyKTTczo +vLaCsZt2EVfDuEDHeev+3ABkl7xYD6OxlueQeGZM75XyxDovPEPVuhiwhBIZASK2 +RS2nVXQm3SlyabkRAmzCPxS9Z86qYiF37+hjmx6CtGpTMCy2BCeQyAQiB1nyx/Ix +VmvRB0PSE/fEetYMLrNBzKOG0GjbgsorYkOrzHzIBCKhOnTsOQJLjE9cuTWG38Gx +ogkVTwDo5Lc9K4wBWnX1jNhE56XMxQ== +=AA9G +-----END PGP PUBLIC KEY BLOCK----- diff --git a/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore b/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore new file mode 100644 index 0000000..6ba3140 --- /dev/null +++ b/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore @@ -0,0 +1,32 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQPGBFmNb48BCADfgM0IVukaMp5qK607ZpfaOx89JONJaP0BfACLxRRsQIJoT/2E +Ba0TjYO5IqSuDNXLsfQoHLfLqY0jPkPUsv8PU5+94KwonEQHfE0wbUUXYE/WRGaS +tHx1lsM7IjI1Lv39+k/7gE+DT1s0RctK/uhwlFzVsiszb2+iVRpCZjDcfNc3kE9u +PkC2/rKfk9IHJ8CsyPMLmgiZYSQ64q2G6ysQNLsRReKgC42aEYrPMkD2tlqmJ1oV +vkD3uf/mFrHNMMKT2MArGLai5T5ZF5KD6zcnX6jFmO8DvqGThZDSNMFxdo3y+dLY +bubjM09FyUUaZKmaEJXk16RVmhRhu+zj+obXABEBAAH+BwMCfLq1JDxWFFxguoqa +QVOe9j1oQORI+UK5T4/PyLQAa0m1L4gCApy2bEbS0fAqoF3rJ3k1+h6C5hHCdVdL +UNFTmMHGZw1jXpv2iQiShdegX7fgguzy8AFW/4SxPRS8acT9S7V8AUfje1goOs7u +QpCNn+lKdxyjaRvRIHUmldQRt+NYgBgcTibJWyISOA0bcwgDpiud3yhLJ2gAUAEO +wdE37GnvYa2hC1yzIjV0IPQfKq3UDSrFwiOUAOsGCk8a59S+Me8lcUrA7XO9aceE +4uT9fnsM0E8/O+P+oW4ZaiPo5k+MWMy80LF43fR6oPYAojPt9cilBrpLju8ip8Z0 +D2aeGqFfCFnBynU2QFSjAk8DPRcBwZECgNmhuVUPxxWRYPYo0hJF/X3Vmz6B5EEX +x9Iv4s6oJX7lWGXztKl2rKKLDeHI3JvEfvRA4cwJwR3t7puSp74oNzo+gpA5vMOb +LNWRZfSH5Gl71EFzQ78jNjN931O0FjfyPM44V6BiJFs5zg90K6/umfLCGWEGfbwu +7KwmqOJ3lFf+WwYqD0VT3fbN/dpuBWadok7FLahC61laJ2Kl2bejVpgn7nTodEPZ +kQNwsDtVZCVx5eX76SKSRd2gAAcTk2fhdtkn1pTMl5g/Eb+GMNc1bQaLoYVM0JDZ +mFnWK1gfzvoxESunCOf5VAEESeXjz1L2ABLmkkThteKYn5vGz0gFWI5PUaAJi5Qz +A82/tbBE//rmj/4Igv/nAdvcKZm+/T6C+JBN4H1g1TkRnGgIjs9I9fYnY1D1MLxu +IMGGUBD523av1B8doHcf+67IGUlC9xiwAehWm31EUzuk0RipaiCm5aSr7qvh0SqL +a9tnRTItUO/uelyoSFT/X9X4UxCcz9U32yzB+4M6a6P6yoO1M6x49SchsVTohejP +tdZI/wn0JOPGtDlTZWN1cmVDb3JlIChSUE0gU2lnbmluZyBDZXJ0aWZpY2F0ZSkg +PFNlY3VyZUNvcmVAZm9vLmNvbT6JATgEEwECACIFAlmNb48CGy8GCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheAAAoJEP1l0CYN3biKQvIIAIYl/ZnK/f6YSXJHFKEDWSbo +ccZ/iDlOd90GGqVodbpYpK+B6mvENG7A67M1yaD3frtfKDxPExPUP6VL3EQqVT7T +9pW3PdXMll23IWzAExb5rf8HAhcik03M6Ly2grGbdhFXw7hAx3nr/twAZJe8WA+j +sZbnkHhmTO+V8sQ6LzxD1boYsIQSGQEitkUtp1V0Jt0pcmm5EQJswj8UvWfOqmIh +d+/oY5segrRqUzAstgQnkMgEIgdZ8sfyMVZr0QdD0hP3xHrWDC6zQcyjhtBo24LK +K2JDq8x8yAQioTp07DkCS4xPXLk1ht/BsaIJFU8A6OS3PSuMAVp19YzYROelzMU= +=G84i +-----END PGP PRIVATE KEY BLOCK-----