meta-integrity: implement the system trusted cert and IMA trusted cert

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2026-01-12 01:00:15 +00:00 · 2017-07-04 10:39:00 +08:00
parent 34c28b6a2d
commit 572b7999c3
11 changed files with 110 additions and 80 deletions
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -7,14 +7,15 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
 # in initramfs only. So we don't add it to RDEPENDS_${PN} here.

 SRC_URI += "\
-    ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+    ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \
+       if d.getVar('IMA_ENABLED', True) == '1' else ''} \
 "

-do_configure_append() {
-    cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der"
+do_configure_prepend() {
+    cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"

    if [ -f "$cert" ]; then
-        install -m 0644 "$cert" "${B}/system_trusted_cert.x509"
+        install -m 0644 "$cert" "${B}"
    else
        true
    fi
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
@@ -5,3 +5,7 @@ CONFIG_INTEGRITY_AUDIT=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="system_trusted_key.crt"
+CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
+CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -161,8 +161,8 @@ def check_system_trusted_keys(d):
        vprint("%s.key is unavailable" % _, d)
        return False

-    if not os.path.exists(dir + _ + '.der'):
-        vprint("%s.der is unavailable" % _, d)
+    if not os.path.exists(dir + _ + '.crt'):
+        vprint("%s.crt is unavailable" % _, d)
        return False

 # Convert the PEM to DER format.
--- a/meta-signing-key/files/ima_keys/x509_ima.der
+++ b/meta-signing-key/files/ima_keys/x509_ima.der
--- a/meta-signing-key/files/ima_keys/x509_ima.key
+++ b/meta-signing-key/files/ima_keys/x509_ima.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1zbVTvepaUFh4
-NA5xCGNJSmslWY+pIAOYkDdpRjvyaPoewwBYW3TJ/+9oGqRMfq/HPf3VUKQto2EX
-o4SDLMwSgRtiJpP3hyUs+/qXa/y/Ip4Mv0vQQuQQ6nocpvsmLCGJQhAPIfgL3rVf
-vvV664q6Y76zHcgFtn95kGnNDY5vVcW7G864eqFIruB5A5y1R6iA9ovg+10vQw1c
-8BhIAX8RJdsk+25vwjtRR7TLAgC/Eiy6jlyNVGCCmqjBg0FKiq6VcLUfhkvtesUr
-lNCqWmvesfykNlg/DT4yudoUdgloGnSCRtjDHGmDEz7foqindoPwZ+VKOcQlVDIL
-2zB40QYTAgMBAAECggEAOWJaz7nsVOFza02TGV56aFHTDBD+5XUzbV5n/xSqK1Oz
-Ty5h14HWlUPxfzyZi4OZXBxXGJPBnp4pMVrtorHrIBQcXpiqr8C6nT5T1KPDPVlh
-5cgj1/KlJim8rXqPX3cihr6RbxVbw/Nh8HzH4yqhuT9um/7Ueekmx2or2wtiYAV7
-1GoIWvIP/tEnSLiPDtkHu/u71IggqsI2NZMx4ojfIrtRd3m7M5NGNYK95fasCfoY
-WfNHNowR6fNI8hhpTJd4eVf5v3oM0KziE+gy+APYTxMsH+P/D+9/f9ZAOnt/mIbe
-FScxOjrMADkGFKDS1q2fMfjMpdZa24iBmwvbEMILsQKBgQDv6QO3wtl54ZT1mvBi
-PQBsppRu8WEqoaGN0VKfh5+tOFeEgiOnaMHGvr56TKrJyFj5fuRCHNyVHEaGI7a8
-DkcFs55QVhI4MWUzLMYF44zjG4iMoNkQ3BvdbBEKzwcbWVILLhweXsl+MrfbvufC
-XLiq/jHunPjqgtLeQhtL9+NUjQKBgQDB/xGFaUkzqxpWQ4gUrq4RMcknZwB6iwVn
-/CpcfTkiEeaqjptAtkhicecEel+a8y6wcrDL4bZ7s3zQmWBdq7vDZ7grOQiavh4Z
-nwrmyscYTpdEj9mKwnmXCdyQMk3cjvZ3MGke6btQ9Cvi301IqKQuo6asEbrp5clQ
-YMMoiWEtHwKBgQCT2uGlsPpi+TnanCCmCr5mN8unDDA8G9z7EBSBqQ4prV2Slrnu
-hMtX91pg+TsQnN7o9OEsNalkZEa6iOwnvgzbYLWjAUi9RQP/pApuuqyrkt52/PKK
-R30M23stVCYnHsdHiKVfuj8n/Y3+agtfZ9GP4JVZX3iw3uuies9j5GRASQKBgFCu
-PCM3/nG2n2VxAI9ZdptAEWCJvfE5EC6G+Tct/SzmNQCJ/peTN9d5d5KtMkXHDYvk
-pxKj9LjNlQNMRn+uhJBn+ng/aAyzNOGC+42wl8zMIq0pBlhnORpPx6NQyIEKFAbN
-42ov2u94HShlpkapnF6pQRAe75WHM4pyM7gQKpIRAoGATpgOFlCtVb28mszrgV8g
-OEQI9rRCrSEGi0fTKzZ8FPDDN6Ic+MLXknqCshEfxD889SJ4IMV84uiXd8+gfPHN
-6peHzdwlC5dd+7JL/IHmvRc6V2/ow4RkyONvzhbehIMEsRYvwdf179LdSkQh/3ZO
-MJ6oqhi1Y92Sp3/R0Lh8bFI=
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC1hawgbepWUt0G
+xbJixmdZCLoYbnueOwuplWBxhlQus1VMOeuF+1Q+rUwKZo23Y41j7DQREK4/Z2ns
+insdQR4NRN3sPlqeEtr4RpkKTvxtMhXBUISnbk+8BDsPwsA84JJ3Ljfwo7vZAPd0
+9pGu0gnYkU+K3DW1ZlrIv8Rwy4w7naiE0XP7ZEhIgqNNZmGABsN5AXImvC7xJfIJ
+AqNnhsfjWBrdXjQnLRKJ96DpXQXpd+NPpdY1ujta+RZKewY6o/B9SUpgWfb9bKzk
+YOuYKF6UtecOWraj5+nZHn6wN1IW1V76iX+8krYyZpUFK04FNLKox64E7XXn2pKC
+eJhr4PhhAgMBAAECggEAbSSDezg7l03ZgdHq0UM0Lq91nW0IvPoJqByd0YSQJ0hC
+uEN3HqcgX1M5jmNdQHAGOpdyMvSRoKPgZ45YOh3GIPpQaVSQjc0OhguEx1L4qftc
+Y1CzgixsmsL8dByIE9J/nlNW5US9lNvk7hm3PKMjsmikp/yB+qEhYuUTCzMIDWtY
+yQwQrAJlQOCoIKH+yR1rg+eJQSJijRBzVIwyM/KcPs/qs7VCmyQd4hVVwzMuhr46
+TUJnlaj/p1yJ/Ki0/E4ku5amFyzExWvua5GEeJSGrWrftXSWW7/qrfl0nY8IlHGS
+uYQLA8kSzG4nDfN89wgMQlhVYZHg3Uq6gYjErUfHwQKBgQDtsTXIhcJxi2TXo8uN
+3RGTiJWpuL5eVrdUELNaFdDdw/AknjGbasqDQuJZhRa6IlUgPhD3gJAI1UxcGPPG
+peGKmZYUwImeUkp1p5DbbuoPFinwaBsMb2h4HzmpKhZZV+Fb8U4sOXUk8htA/JoV
+znkRoMdNKTbrn9WXKwbQCeUqOQKBgQDDgOgoEISg0+7jygWv6tXRQUp0Quh5ttyC
+fgss1fhhl7JCgMxBwbTtkI3lPed9E76UcUsaDOuLu4sFAdxPBymJ+szF3uaxUIx
+eMbxDE6xgMItVgG9eM7lNF/Fyfthl5Ak+vxyxMNxNoRilCnaJUbArH+9fpNYVYWp
+ecpX8fPfaQKBgQC/zjGdd7rZz2d3z9hRySQGzsAe7lLIY+eaccOZHWOnoRanJfTX
+owi8hUfshMN7uiMlSkx4E/aoOz2oLgPBAsFwjxm0Jv842DsomR1foJn3DXJpui0
+1y4RSPlJtgnE3PKhNA8mBtOuFaTCg1R/5layT/CkJm8IIrnEO9dKh8GimQKBgQCf
+9Pd92E37nItHmsJedcBtzoLRbvDwrPnsvAMe57nOjvc8e9GyqnIehG/XNC4I8Zww
+2Ph/Zd5q9IDwVY7lSe6Sz/RzQBJkxmJrQctb69rzBktZdpZD5PU6uUhm9uSTq8NH
+ToeAi5bxKU7VrS41CuzBtiFp9Icv7gFHcZtpq1ACiQKBgQCn2JsqGS/ovKu6fAe3
+3k9MPO6Psk+1wr/cm7IxTfR81BnJEyGspOfbHNjpiVOTZz3R47xlrrraOpncGkWv
+jXXc92PACvjRS6b42c4Rmgv0OuohVFzn6YkJ4GamUinzoaKBXGM4XBdYZgzbfVMC
+V0o9jJM38My5DTfhVZNpejKk9g==
 -----END PRIVATE KEY-----
--- a/meta-signing-key/files/system_trusted_keys/system_trusted_key.crt
+++ b/meta-signing-key/files/system_trusted_keys/system_trusted_key.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUzCCAjugAwIBAgIJAIBSPsg9GPovMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNV
+BAMMNVN5c3RlbSBUcnVzdGVkIENlcnRpZmljYXRlIGZvciBqemhhbmcwQHBlay1q
+emhhbmcwLWQyMB4XDTE3MDcwMzEzMjk1MVoXDTI3MDcwMTEzMjk1MVowQDE+MDwG
+A1UEAww1U3lzdGVtIFRydXN0ZWQgQ2VydGlmaWNhdGUgZm9yIGp6aGFuZzBAcGVr
+LWp6aGFuZzAtZDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeH9Ms
+7ObqsaLz3k4RMtep9wPnHiVGHs/SzUWdwD+jRBetpcNpIqEaLLXD8wrTuA5zAUP3
+SPSSnX3kYvFdod4qrxFjYtLhbPxZmcyJKk1b4ysLolaG3xjWMbl1qfFim4Z0W0cb
+NU9TYtjjaLLoG6eg2/bS/6GSGp7fTJHNTE9Z8HdS2LoX+vjVCCYjuYwJumO3JiO
+aIXpAg/ZvI8QfDSyijbSmxHU3X8CFGvOJ5Xr/48gci+tOBZDMUQsmNY+vyiCpBya
+qiyLlW73IWAUU9QW3SmYOB26FQWP4dCsY+tivTKWix0H+Ub+ZNW5bQjKBEAL5aCd
+ZolkD57DOsFpfFaBAgMBAAGjUDBOMB0GA1UdDgQWBBSWvSvxTMp4KSXu1gXCdt/X
+pVZJDDAfBgNVHSMEGDAWgBSWvSvxTMp4KSXu1gXCdt/XpVZJDDAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWE6YGqWfqmiybNoX8la9RDnnjXEVhU3Kw
+8ayE8hTrjDczQN3/fbhxYSRus2QdDSLwh/IfUG0fiZdUL6rBNp2XueU2H2Iz4dGW
+Cvr4PKp65BgYNAvfNgUg2os+MteMwlvyIClTdk5RElIZfh0/QqnypxR0GEpXmnCE
+VibE1hQd+gAbF7BZnSWRbfggb5QMpmGmFmqW02I5sjFjFVpZh2GD17wluYpjek58
+3ib90ySOn4ghI3i3lneOUswpsTDmpwGgllP5yGo3zLpTabtWkOdUGbbAgrRbX9j2
+eGb25wL3YyovnOZ6oUu3pPMjjmIERi1NeIVMZgoPHuYuIu5eA+7e
+-----END CERTIFICATE-----
--- a/meta-signing-key/files/system_trusted_keys/system_trusted_key.der
+++ b/meta-signing-key/files/system_trusted_keys/system_trusted_key.der
--- a/meta-signing-key/files/system_trusted_keys/system_trusted_key.key
+++ b/meta-signing-key/files/system_trusted_keys/system_trusted_key.key
@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIYw6V76JkHaSG
-1mswZ7g9Ed6TprtZpcSNrqvLnMHxs7C7peUfcrXhSu1Iz220B1kcHzw8QgsRdOCa
-OB3QYVlbYNlZTghh/ZyPsjpmeN55IdLO0zM2XkngzSS1oeW+UFDoFK1znRpEBgZv
-wiTWU51UzK2jQ07SPOd4GT9Y1bvyLNevoyWHKllaZoutgDGNe53sf2BpEJaLppJ5
-FksVXZnn4+/ZLdnkLp+mtFn3Whf7/ZEBkt6on4OvuQBWf+fztUBOEr+3ZqiVzov3
-/TphNUgUIUZ9jkKlSvHQ6dvZgjdbjO4ZXnz214oLLPRkUOXEm1+BO3eQsmTYLfyS
-H/aEy7//AgMBAAECggEAe39BD/rd9CGoskkXSn/BtjF7IThSoo9dMYyC6Du184Yw
-15UIPndtzGlnD8Z278rPiltdvi1dsOZ9Pc5z4Wb9sSlhCn7i/7FTeeP3xgub4L+N
-slXLbCh0E42aoC4k70OEeWO0+lnKRD4KXXojRcvGXOq/4KysuTk71nKI7fDbogYV
-XID/TmYfC8TweBv60Qslr+sexUfGNg4+BV36NqaSVStnHJE0PXeMzuL7hbKzEKN2
-TQ641Aqosd+gf2s9K7Vhq+FnHrUFJDKM1mT28iPIGH7e6PVW13A72QaEEEEcPT6F
-U23zeCg+68M2PMD4Ig/6bxj/ADVYvzwovvPyMF/6gQKBgQDu6LLPY2hGQyfakgka
-NefeabY/QOSYuGb7zntw1TZY5EZahtFmuM0CLJ1O0Rb+QICJcz5mRoDF7Pxl9rNO
-uerM1+m3ndYC4QZm1YZY9Fj2sr+Q8TpHmjB/RIe8OXzGo/uG9GQmLUW9nN+NqU7X
-fHpszhcePjPOB1OY7TncH2j1HwKBgQDWuODfWlipPlbJxNgvw1bozclt7DWAhR7v
-AsGyGban6P8tWZwrRv3p2Xf2+hvZetka3xw2jMRKWfBYg39lPxlG3uLMSrkmPLm8
-9DWdKyD8B0WLxI8ayvdwk1cgTgKZABw39pL7irwBEDEex4mPmZLrIAkyB8pMmr6T
-y3TBkgf5IQKBgAaSmlDAUF8We+M0f1GcSAvDZsMouuFEuXiV/qllBEC/zvuwl9Q2
-o1U6+vzvHa3TAnZFmGLh76sCURNRDS/OR5ppGkH18qxTmoR7vV13I3duBX0sVckg
-gdMOhJl2D2u7mTDmSlcOicukpDXWgZfGEewqY1JuraguZWtgo2Xd61pLAoGBAIft
-4e2DND1vyWFRy8nwz0PxgmKj9fq2Sy7jf9tPi+IgDeqXn9WFy5gOo3MmQhsbOfVY
-6HNgCaNH7G8cT7m4iDflQY4yf6NFLhAASTCF7QufTtd8R1uewaXyoGVC/UH+X97N
-qZ6z5PCHX5EsoFjXz7opPaj+ZYK5M4w8cF1aJNIBAoGAcpFShqUYLBKfSnpQEoTa
-cfxXzG/yst+5vGybft8g7TjFvHbnqP/+Nq+VcLZJWXGcdTob1q5+7IkCAAPEv53E
-X7FCPMtFzGAL6++T2fsoFPbVpqJZMLd2NUopxwk73uXTdfcNlZse9UJsfE2PphJN
-RGdmOUaX9YasTQGHidkbRYs=
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCeH9Ms7ObqsaLz
+3k4RMtep9wPnHiVGHs/SzUWdwD+jRBetpcNpIqEaLLXD8wrTuA5zAUP3SPSSnX3k
+YvFdod4qrxFjYtLhbPxZmcyJKk1b4ysLolaG3xjWMbl1qfFim4Z0W0cb+NU9TYtj
+jaLLoG6eg2/bS/6GSGp7fTJHNTE9Z8HdS2LoX+vjVCCYjuYwJumO3JiOaIXpAg/Z
+vI8QfDSyijbSmxHU3X8CFGvOJ5Xr/48gci+tOBZDMUQsmNY+vyiCpByaqiyLlW73
+IWAUU9QW3SmYOB26FQWP4dCsY+tivTKWix0H+Ub+ZNW5bQjKBEAL5aCdZolkD57D
+OsFpfFaBAgMBAAECggEAZSZQjSWCVdGKPtwPLltKsDQOcBLNnzxojx22kcIAM22E
+hBVMmn2Hdtnw8EcRvvu3aoP9uTsXEI7kkGtmoRHBr6ZLxjraUU/JYXvL5laEI+p+
+h7OyDBa8qZAnZghvHDgG23nkVBVqOwvWxbk90WpwOMA1lp/XUokSbKpatkhlljQ+
+wi9FQR3NjMbVaBmtBfN6VFLWfTPH9TjNdjRyJ6sXh+tgCxzivVG0zFevbx2vJuaA
+3zUrAVZSxnpjUIc7T+aX9PvTQ5PnqZzmyi4ejKJnTKWFDxNjf6XSoIMMLIRO6qZv
+qIl+CXAeXenMtvEbF9XZkna5/kWcVshWFhGFZ0ffkQKBgQDO5hl44A/p79A2Oh5H
+p3xTHVR/CvzUAagIZNCBRh9noVWE5nwCAycuCd7WCktXkXeMBIowdSbIy1OqeMFu
+oxq+VnKWQ5zLc1CsEckNng7QajTGy8U1KtdX0BBA7L1t6kkBIwN8HNjhgQG8DAD8
+Wq5AuE4tuczN1cXtkneK4BxUhQKBgQDDpnxvNh9ldtgRMBqSoOsFYuls1dyrSMmS
+OCITRfrJFGNLHhjJCDvZ3pDBZAHFpnqnFKnsezyBQ6Lk+I3EqcE5yz/B4aSRJjZV
+4JIBUKqdFHfdsv0IToEyJA00eOqlwUI8C84Uw5exYu7aulBX7dlvlETko8QrKrM0
+vShvvi6IzQKBgAsc0MFtR22JM+W1uWqf1E2ihadNL8czT5Mj1w8adRVb1PwOZRq2
+kKQoY4+bffB2H7WliMaRhEPEp/nAAqOunwEaI41ulD1ZNDwJuILCuoj3K16CE1WH
+t4k/45+ZF5OPwdwNxWIlKoDyLOWsv2DOfg172LccA6QKl1brRwBuiRcBAoGAQ7gw
+gd3d6CTGjMx1piMEtgySdxVfF/pNqsq7IKisMUVZSPrV4V90N+kNeaK/6kXBVmuU
+lUHio2thypctmtCXDQYIv3b2mzb6v6bHYqUlKNGY26fEZUem+E/6MhtYPJ8z6cy8
+O/unWcLAofyzKnwtMq3DWtBEahyRgsOmZ2cQfFECgYEAhuZBWI8J42MAuuZq8wvk
+wtD0NugsqMAPzdbaMo6jPZrobO3CRqljr2F0bOj2t3wwM/pUAYZgmp3KrG4KNlTt
+BoTUNooCJ3zvRKdDdRiwdc5cl4DAzwWN4HazAHf0uMSdtXxCc7EQs3yQHjjFHDBY
+hGDKUC0HjCAGOTDqnDJpk2g=
 -----END PRIVATE KEY-----
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -1,7 +1,8 @@
 DESCRIPTION = "Key store for key installation"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
-                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+LIC_FILES_CHKSUM = "\
+    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
+"

 inherit user-key-store

@@ -9,17 +10,17 @@ S = "${WORKDIR}"

 ALLOW_EMPTY_${PN} = "1"

-PACKAGES =+ " \
-             ${PN}-system-trusted-cert \
-             ${PN}-ima-cert \
-            "
+PACKAGES =+ "\
+    ${PN}-system-trusted-cert \
+    ${PN}-ima-cert \
+"

 # Note any private key is not available if user key signing model used.
-PACKAGES_DYNAMIC += " \
-                     ${PN}-ima-privkey \
-                     ${PN}-system-trusted-privkey \
-                     ${PN}-rpm-pubkey \
-                    "
+PACKAGES_DYNAMIC += "\
+    ${PN}-ima-privkey \
+    ${PN}-system-trusted-privkey \
+    ${PN}-rpm-pubkey \
+"

 KEY_DIR = "${sysconfdir}/keys"
 # For RPM verification
@@ -32,14 +33,10 @@ SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
 IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"

 # For ${PN}-system-trusted-cert
-SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der"
-FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
-CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
+SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"

 # For ${PN}-ima-cert
 IMA_CERT = "${KEY_DIR}/x509_evm.der"
-FILES_${PN}-ima-cert = "${IMA_CERT}"
-CONFFILES_${PN}-ima-cert = "${IMA_CERT}"

 python () {
    if uks_signing_model(d) != "sample":
@@ -83,7 +80,7 @@ do_install() {
    install -d "${D}${KEY_DIR}"

    key_dir="${@uks_system_trusted_keys_dir(d)}"
-    install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}"
+    install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"

    if [ "${@uks_signing_model(d)}" = "sample" ]; then
        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
@@ -120,3 +117,9 @@ pkg_postinst_${PN}-rpm-pubkey() {
        done
    fi
 }
+
+FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
+CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
+
+FILES_${PN}-ima-cert = "${IMA_CERT}"
+CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -1,6 +1,10 @@
 #!/bin/bash

-KEYS_DIR="`pwd`/user-keys"
+_S="${BASH_SOURCE[0]}"
+_D=`dirname "$_S"`
+ROOT_DIR="`cd "$_D" && pwd`"
+
+KEYS_DIR="$ROOT_DIR/user-keys"

 function show_help()
 {
@@ -88,7 +92,7 @@ ca_sign() {
            -CAform "$ca_cert_form" \
            -CAkey "$ca_key_dir/$ca_key_name.key" \
            -set_serial 1 -days 3650 \
-            -extfile openssl.cnf -extensions v3_req \
+            -extfile "$ROOT_DIR/openssl.cnf" -extensions v3_req \
            -out "$key_dir/$key_name.crt"

        rm -f "$key_dir/$key_name.csr"
@@ -126,9 +130,6 @@ create_system_user_key() {

    ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
        "/CN=System Trusted Certificate for $USER@`hostname`/"
-
-    pem2der "$key_dir/system_trusted_key.crt"
-    rm -f "$key_dir/system_trusted_key.crt"
 }

 create_ima_user_key() {
--- a/meta-signing-key/scripts/openssl.cnf
+++ b/meta-signing-key/scripts/openssl.cnf
@@ -1,2 +1,3 @@
 [v3_req]
+subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always