meta-integrity: implement the system trusted cert and IMA trusted cert
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
@@ -7,14 +7,15 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
|
|||||||
# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
|
# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
|
||||||
|
|
||||||
SRC_URI += "\
|
SRC_URI += "\
|
||||||
${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
|
${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \
|
||||||
|
if d.getVar('IMA_ENABLED', True) == '1' else ''} \
|
||||||
"
|
"
|
||||||
|
|
||||||
do_configure_append() {
|
do_configure_prepend() {
|
||||||
cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der"
|
cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
|
||||||
|
|
||||||
if [ -f "$cert" ]; then
|
if [ -f "$cert" ]; then
|
||||||
install -m 0644 "$cert" "${B}/system_trusted_cert.x509"
|
install -m 0644 "$cert" "${B}"
|
||||||
else
|
else
|
||||||
true
|
true
|
||||||
fi
|
fi
|
||||||
|
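Review bot: The `else` / `true` branch of the new do_configure_prepend silently accepts a missing certificate, so an IMA-enabled build whose sysroot lacks `system_trusted_key.crt` goes on to configure the kernel with CONFIG_SYSTEM_TRUSTED_KEYS naming a file that is not there — which either fails late inside the kernel's certs/ build or, if the option gets dropped during config resolution, yields a kernel with an empty built-in trusted keyring. Since the key-store dependency is only pulled in when IMA_ENABLED is '1' (hunk header), `true` could become `bbfatal "system_trusted_key.crt not found in ${STAGING_DIR_TARGET}${sysconfdir}/keys"` (or at least `bbwarn`) so the gap is visible at build time. The file is copied into `${B}` while the cfg fragment refers to it by bare name; whether the kernel resolves a relative CONFIG_SYSTEM_TRUSTED_KEYS against the build directory or the source tree depends on its certs/Makefile, so this is worth confirming for builds where ${S} and ${B} differ. The closing brace of do_configure_prepend lies outside the hunk.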
|||||||
@@ -5,3 +5,7 @@ CONFIG_INTEGRITY_AUDIT=y
|
|||||||
CONFIG_INTEGRITY_SIGNATURE=y
|
CONFIG_INTEGRITY_SIGNATURE=y
|
||||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||||
CONFIG_SYSTEM_TRUSTED_KEYRING=y
|
CONFIG_SYSTEM_TRUSTED_KEYRING=y
|
||||||
|
CONFIG_SYSTEM_TRUSTED_KEYS="system_trusted_key.crt"
|
||||||
|
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
|
||||||
|
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
|
||||||
|
CONFIG_SECONDARY_TRUSTED_KEYRING=y
|
||||||
|
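Review bot: The added CONFIG_SECONDARY_TRUSTED_KEYRING=y and CONFIG_SYSTEM_EXTRA_CERTIFICATE=y / _SIZE=4096 widen the trust model beyond embedding `system_trusted_key.crt`: the secondary keyring lets keys be added at runtime when they are signed by a key already trusted by the kernel, and the extra-certificate option reserves space for a certificate inserted into the image after the build. Neither is required for CONFIG_SYSTEM_TRUSTED_KEYS alone and the commit message does not name a consumer, so a one-line comment in the fragment stating what will use them (e.g. `# Secondary keyring: allows IMA/EVM keys signed by the system trusted key to be loaded at runtime`) would document the intended trust boundary; otherwise they could be left out until something needs them.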
|||||||
@@ -161,8 +161,8 @@ def check_system_trusted_keys(d):
|
|||||||
vprint("%s.key is unavailable" % _, d)
|
vprint("%s.key is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not os.path.exists(dir + _ + '.der'):
|
if not os.path.exists(dir + _ + '.crt'):
|
||||||
vprint("%s.der is unavailable" % _, d)
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Convert the PEM to DER format.
|
# Convert the PEM to DER format.
|
||||||
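Review bot: The context comment `# Convert the PEM to DER format.` directly below the changed check now reads as stale, since the function requires the `.crt` (PEM) file rather than `.der`; if the conversion that follows is still needed for another consumer, the comment should say which one, otherwise it should go with the code it described. The path is also built by concatenation (`dir + _ + '.crt'`), which only works if `dir` carries a trailing separator; `os.path.join(dir, _ + '.crt')` removes that assumption and the `.key` check above should match. check_system_trusted_keys starts and ends outside the hunk.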
|
|||||||
Binary file not shown.
@@ -1,28 +1,28 @@
|
|||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1zbVTvepaUFh4
|
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC1hawgbepWUt0G
|
||||||
NA5xCGNJSmslWY+pIAOYkDdpRjvyaPoewwBYW3TJ/+9oGqRMfq/HPf3VUKQto2EX
|
xbJixmdZCLoYbnueOwuplWBxhlQus1VMOeuF+1Q+rUwKZo23Y41j7DQREK4/Z2ns
|
||||||
o4SDLMwSgRtiJpP3hyUs+/qXa/y/Ip4Mv0vQQuQQ6nocpvsmLCGJQhAPIfgL3rVf
|
insdQR4NRN3sPlqeEtr4RpkKTvxtMhXBUISnbk+8BDsPwsA84JJ3Ljfwo7vZAPd0
|
||||||
vvV664q6Y76zHcgFtn95kGnNDY5vVcW7G864eqFIruB5A5y1R6iA9ovg+10vQw1c
|
9pGu0gnYkU+K3DW1ZlrIv8Rwy4w7naiE0XP7ZEhIgqNNZmGABsN5AXImvC7xJfIJ
|
||||||
8BhIAX8RJdsk+25vwjtRR7TLAgC/Eiy6jlyNVGCCmqjBg0FKiq6VcLUfhkvtesUr
|
AqNnhsfjWBrdXjQnLRKJ96DpXQXpd+NPpdY1ujta+RZKewY6o/B9SUpgWfb9bKzk
|
||||||
lNCqWmvesfykNlg/DT4yudoUdgloGnSCRtjDHGmDEz7foqindoPwZ+VKOcQlVDIL
|
YOuYKF6UtecOWraj5+nZHn6wN1IW1V76iX+8krYyZpUFK04FNLKox64E7XXn2pKC
|
||||||
2zB40QYTAgMBAAECggEAOWJaz7nsVOFza02TGV56aFHTDBD+5XUzbV5n/xSqK1Oz
|
eJhr4PhhAgMBAAECggEAbSSDezg7l03ZgdHq0UM0Lq91nW0IvPoJqByd0YSQJ0hC
|
||||||
Ty5h14HWlUPxfzyZi4OZXBxXGJPBnp4pMVrtorHrIBQcXpiqr8C6nT5T1KPDPVlh
|
uEN3HqcgX1M5jmNdQHAGOpdyMvSRoKPgZ45YOh3GIPpQaVSQjc0OhguEx1L4qftc
|
||||||
5cgj1/KlJim8rXqPX3cihr6RbxVbw/Nh8HzH4yqhuT9um/7Ueekmx2or2wtiYAV7
|
Y1CzgixsmsL8dByIE9J/nlNW5US9lNvk7hm3PKMjsmikp/yB+qEhYuUTCzMIDWtY
|
||||||
1GoIWvIP/tEnSLiPDtkHu/u71IggqsI2NZMx4ojfIrtRd3m7M5NGNYK95fasCfoY
|
yQwQrAJlQOCoIKH+yR1rg+eJQSJijRBzVIwyM/KcPs/qs7VCmyQd4hVVwzMuhr46
|
||||||
WfNHNowR6fNI8hhpTJd4eVf5v3oM0KziE+gy+APYTxMsH+P/D+9/f9ZAOnt/mIbe
|
TUJnlaj/p1yJ/Ki0/E4ku5amFyzExWvua5GEeJSGrWrftXSWW7/qrfl0nY8IlHGS
|
||||||
FScxOjrMADkGFKDS1q2fMfjMpdZa24iBmwvbEMILsQKBgQDv6QO3wtl54ZT1mvBi
|
uYQLA8kSzG4nDfN89wgMQlhVYZHg3Uq6gYjErUfHwQKBgQDtsTXIhcJxi2TXo8uN
|
||||||
PQBsppRu8WEqoaGN0VKfh5+tOFeEgiOnaMHGvr56TKrJyFj5fuRCHNyVHEaGI7a8
|
3RGTiJWpuL5eVrdUELNaFdDdw/AknjGbasqDQuJZhRa6IlUgPhD3gJAI1UxcGPPG
|
||||||
DkcFs55QVhI4MWUzLMYF44zjG4iMoNkQ3BvdbBEKzwcbWVILLhweXsl+MrfbvufC
|
peGKmZYUwImeUkp1p5DbbuoPFinwaBsMb2h4HzmpKhZZV+Fb8U4sOXUk8htA/JoV
|
||||||
XLiq/jHunPjqgtLeQhtL9+NUjQKBgQDB/xGFaUkzqxpWQ4gUrq4RMcknZwB6iwVn
|
znkRoMdNKTbrn9WXKwbQCeUqOQKBgQDDgOgoEISg0+7jygWv6tXRQUp0Quh5ttyC
|
||||||
/CpcfTkiEeaqjptAtkhicecEel+a8y6wcrDL4bZ7s3zQmWBdq7vDZ7grOQiavh4Z
|
+fgss1fhhl7JCgMxBwbTtkI3lPed9E76UcUsaDOuLu4sFAdxPBymJ+szF3uaxUIx
|
||||||
nwrmyscYTpdEj9mKwnmXCdyQMk3cjvZ3MGke6btQ9Cvi301IqKQuo6asEbrp5clQ
|
eMbxDE6xgMItVgG9eM7lNF/Fyfthl5Ak+vxyxMNxNoRilCnaJUbArH+9fpNYVYWp
|
||||||
YMMoiWEtHwKBgQCT2uGlsPpi+TnanCCmCr5mN8unDDA8G9z7EBSBqQ4prV2Slrnu
|
ecpX8fPfaQKBgQC/zjGdd7rZz2d3z9hRySQGzsAe7lLIY+eaccOZHWOnoRanJfTX
|
||||||
hMtX91pg+TsQnN7o9OEsNalkZEa6iOwnvgzbYLWjAUi9RQP/pApuuqyrkt52/PKK
|
+owi8hUfshMN7uiMlSkx4E/aoOz2oLgPBAsFwjxm0Jv842DsomR1foJn3DXJpui0
|
||||||
R30M23stVCYnHsdHiKVfuj8n/Y3+agtfZ9GP4JVZX3iw3uuies9j5GRASQKBgFCu
|
1y4RSPlJtgnE3PKhNA8mBtOuFaTCg1R/5layT/CkJm8IIrnEO9dKh8GimQKBgQCf
|
||||||
PCM3/nG2n2VxAI9ZdptAEWCJvfE5EC6G+Tct/SzmNQCJ/peTN9d5d5KtMkXHDYvk
|
9Pd92E37nItHmsJedcBtzoLRbvDwrPnsvAMe57nOjvc8e9GyqnIehG/XNC4I8Zww
|
||||||
pxKj9LjNlQNMRn+uhJBn+ng/aAyzNOGC+42wl8zMIq0pBlhnORpPx6NQyIEKFAbN
|
2Ph/Zd5q9IDwVY7lSe6Sz/RzQBJkxmJrQctb69rzBktZdpZD5PU6uUhm9uSTq8NH
|
||||||
42ov2u94HShlpkapnF6pQRAe75WHM4pyM7gQKpIRAoGATpgOFlCtVb28mszrgV8g
|
ToeAi5bxKU7VrS41CuzBtiFp9Icv7gFHcZtpq1ACiQKBgQCn2JsqGS/ovKu6fAe3
|
||||||
OEQI9rRCrSEGi0fTKzZ8FPDDN6Ic+MLXknqCshEfxD889SJ4IMV84uiXd8+gfPHN
|
3k9MPO6Psk+1wr/cm7IxTfR81BnJEyGspOfbHNjpiVOTZz3R47xlrrraOpncGkWv
|
||||||
6peHzdwlC5dd+7JL/IHmvRc6V2/ow4RkyONvzhbehIMEsRYvwdf179LdSkQh/3ZO
|
jXXc92PACvjRS6b42c4Rmgv0OuohVFzn6YkJ4GamUinzoaKBXGM4XBdYZgzbfVMC
|
||||||
MJ6oqhi1Y92Sp3/R0Lh8bFI=
|
V0o9jJM38My5DTfhVZNpejKk9g==
|
||||||
-----END PRIVATE KEY-----
|
-----END PRIVATE KEY-----
|
||||||
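Review bot: This section swaps the committed sample private key, and the certificate section and second key section that follow do the same. Because these files live in the repository they are public, so anything signed with them — the kernel's built-in trust anchor, IMA signatures — is only meaningful under the `sample` signing model that the key-store recipe already distinguishes; a short README next to the keys saying they must be regenerated with create-user-key-store.sh for any image that is meant to be trusted would make that explicit. The new certificate appears to be self-signed with a validity of 2017-07-03 to 2027-07-01, consistent with the `-days 3650` in ca_sign.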
|
|||||||
@@ -0,0 +1,20 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDUzCCAjugAwIBAgIJAIBSPsg9GPovMA0GCSqGSIb3DQEBCwUAMEAxPjA8BgNV
|
||||||
|
BAMMNVN5c3RlbSBUcnVzdGVkIENlcnRpZmljYXRlIGZvciBqemhhbmcwQHBlay1q
|
||||||
|
emhhbmcwLWQyMB4XDTE3MDcwMzEzMjk1MVoXDTI3MDcwMTEzMjk1MVowQDE+MDwG
|
||||||
|
A1UEAww1U3lzdGVtIFRydXN0ZWQgQ2VydGlmaWNhdGUgZm9yIGp6aGFuZzBAcGVr
|
||||||
|
LWp6aGFuZzAtZDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeH9Ms
|
||||||
|
7ObqsaLz3k4RMtep9wPnHiVGHs/SzUWdwD+jRBetpcNpIqEaLLXD8wrTuA5zAUP3
|
||||||
|
SPSSnX3kYvFdod4qrxFjYtLhbPxZmcyJKk1b4ysLolaG3xjWMbl1qfFim4Z0W0cb
|
||||||
|
+NU9TYtjjaLLoG6eg2/bS/6GSGp7fTJHNTE9Z8HdS2LoX+vjVCCYjuYwJumO3JiO
|
||||||
|
aIXpAg/ZvI8QfDSyijbSmxHU3X8CFGvOJ5Xr/48gci+tOBZDMUQsmNY+vyiCpBya
|
||||||
|
qiyLlW73IWAUU9QW3SmYOB26FQWP4dCsY+tivTKWix0H+Ub+ZNW5bQjKBEAL5aCd
|
||||||
|
ZolkD57DOsFpfFaBAgMBAAGjUDBOMB0GA1UdDgQWBBSWvSvxTMp4KSXu1gXCdt/X
|
||||||
|
pVZJDDAfBgNVHSMEGDAWgBSWvSvxTMp4KSXu1gXCdt/XpVZJDDAMBgNVHRMEBTAD
|
||||||
|
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWE6YGqWfqmiybNoX8la9RDnnjXEVhU3Kw
|
||||||
|
8ayE8hTrjDczQN3/fbhxYSRus2QdDSLwh/IfUG0fiZdUL6rBNp2XueU2H2Iz4dGW
|
||||||
|
Cvr4PKp65BgYNAvfNgUg2os+MteMwlvyIClTdk5RElIZfh0/QqnypxR0GEpXmnCE
|
||||||
|
VibE1hQd+gAbF7BZnSWRbfggb5QMpmGmFmqW02I5sjFjFVpZh2GD17wluYpjek58
|
||||||
|
3ib90ySOn4ghI3i3lneOUswpsTDmpwGgllP5yGo3zLpTabtWkOdUGbbAgrRbX9j2
|
||||||
|
eGb25wL3YyovnOZ6oUu3pPMjjmIERi1NeIVMZgoPHuYuIu5eA+7e
|
||||||
|
-----END CERTIFICATE-----
|
||||||
Binary file not shown.
@@ -1,28 +1,28 @@
|
|||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIYw6V76JkHaSG
|
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCeH9Ms7ObqsaLz
|
||||||
1mswZ7g9Ed6TprtZpcSNrqvLnMHxs7C7peUfcrXhSu1Iz220B1kcHzw8QgsRdOCa
|
3k4RMtep9wPnHiVGHs/SzUWdwD+jRBetpcNpIqEaLLXD8wrTuA5zAUP3SPSSnX3k
|
||||||
OB3QYVlbYNlZTghh/ZyPsjpmeN55IdLO0zM2XkngzSS1oeW+UFDoFK1znRpEBgZv
|
YvFdod4qrxFjYtLhbPxZmcyJKk1b4ysLolaG3xjWMbl1qfFim4Z0W0cb+NU9TYtj
|
||||||
wiTWU51UzK2jQ07SPOd4GT9Y1bvyLNevoyWHKllaZoutgDGNe53sf2BpEJaLppJ5
|
jaLLoG6eg2/bS/6GSGp7fTJHNTE9Z8HdS2LoX+vjVCCYjuYwJumO3JiOaIXpAg/Z
|
||||||
FksVXZnn4+/ZLdnkLp+mtFn3Whf7/ZEBkt6on4OvuQBWf+fztUBOEr+3ZqiVzov3
|
vI8QfDSyijbSmxHU3X8CFGvOJ5Xr/48gci+tOBZDMUQsmNY+vyiCpByaqiyLlW73
|
||||||
/TphNUgUIUZ9jkKlSvHQ6dvZgjdbjO4ZXnz214oLLPRkUOXEm1+BO3eQsmTYLfyS
|
IWAUU9QW3SmYOB26FQWP4dCsY+tivTKWix0H+Ub+ZNW5bQjKBEAL5aCdZolkD57D
|
||||||
H/aEy7//AgMBAAECggEAe39BD/rd9CGoskkXSn/BtjF7IThSoo9dMYyC6Du184Yw
|
OsFpfFaBAgMBAAECggEAZSZQjSWCVdGKPtwPLltKsDQOcBLNnzxojx22kcIAM22E
|
||||||
15UIPndtzGlnD8Z278rPiltdvi1dsOZ9Pc5z4Wb9sSlhCn7i/7FTeeP3xgub4L+N
|
hBVMmn2Hdtnw8EcRvvu3aoP9uTsXEI7kkGtmoRHBr6ZLxjraUU/JYXvL5laEI+p+
|
||||||
slXLbCh0E42aoC4k70OEeWO0+lnKRD4KXXojRcvGXOq/4KysuTk71nKI7fDbogYV
|
h7OyDBa8qZAnZghvHDgG23nkVBVqOwvWxbk90WpwOMA1lp/XUokSbKpatkhlljQ+
|
||||||
XID/TmYfC8TweBv60Qslr+sexUfGNg4+BV36NqaSVStnHJE0PXeMzuL7hbKzEKN2
|
wi9FQR3NjMbVaBmtBfN6VFLWfTPH9TjNdjRyJ6sXh+tgCxzivVG0zFevbx2vJuaA
|
||||||
TQ641Aqosd+gf2s9K7Vhq+FnHrUFJDKM1mT28iPIGH7e6PVW13A72QaEEEEcPT6F
|
3zUrAVZSxnpjUIc7T+aX9PvTQ5PnqZzmyi4ejKJnTKWFDxNjf6XSoIMMLIRO6qZv
|
||||||
U23zeCg+68M2PMD4Ig/6bxj/ADVYvzwovvPyMF/6gQKBgQDu6LLPY2hGQyfakgka
|
qIl+CXAeXenMtvEbF9XZkna5/kWcVshWFhGFZ0ffkQKBgQDO5hl44A/p79A2Oh5H
|
||||||
NefeabY/QOSYuGb7zntw1TZY5EZahtFmuM0CLJ1O0Rb+QICJcz5mRoDF7Pxl9rNO
|
p3xTHVR/CvzUAagIZNCBRh9noVWE5nwCAycuCd7WCktXkXeMBIowdSbIy1OqeMFu
|
||||||
uerM1+m3ndYC4QZm1YZY9Fj2sr+Q8TpHmjB/RIe8OXzGo/uG9GQmLUW9nN+NqU7X
|
oxq+VnKWQ5zLc1CsEckNng7QajTGy8U1KtdX0BBA7L1t6kkBIwN8HNjhgQG8DAD8
|
||||||
fHpszhcePjPOB1OY7TncH2j1HwKBgQDWuODfWlipPlbJxNgvw1bozclt7DWAhR7v
|
Wq5AuE4tuczN1cXtkneK4BxUhQKBgQDDpnxvNh9ldtgRMBqSoOsFYuls1dyrSMmS
|
||||||
AsGyGban6P8tWZwrRv3p2Xf2+hvZetka3xw2jMRKWfBYg39lPxlG3uLMSrkmPLm8
|
OCITRfrJFGNLHhjJCDvZ3pDBZAHFpnqnFKnsezyBQ6Lk+I3EqcE5yz/B4aSRJjZV
|
||||||
9DWdKyD8B0WLxI8ayvdwk1cgTgKZABw39pL7irwBEDEex4mPmZLrIAkyB8pMmr6T
|
4JIBUKqdFHfdsv0IToEyJA00eOqlwUI8C84Uw5exYu7aulBX7dlvlETko8QrKrM0
|
||||||
y3TBkgf5IQKBgAaSmlDAUF8We+M0f1GcSAvDZsMouuFEuXiV/qllBEC/zvuwl9Q2
|
vShvvi6IzQKBgAsc0MFtR22JM+W1uWqf1E2ihadNL8czT5Mj1w8adRVb1PwOZRq2
|
||||||
o1U6+vzvHa3TAnZFmGLh76sCURNRDS/OR5ppGkH18qxTmoR7vV13I3duBX0sVckg
|
kKQoY4+bffB2H7WliMaRhEPEp/nAAqOunwEaI41ulD1ZNDwJuILCuoj3K16CE1WH
|
||||||
gdMOhJl2D2u7mTDmSlcOicukpDXWgZfGEewqY1JuraguZWtgo2Xd61pLAoGBAIft
|
t4k/45+ZF5OPwdwNxWIlKoDyLOWsv2DOfg172LccA6QKl1brRwBuiRcBAoGAQ7gw
|
||||||
4e2DND1vyWFRy8nwz0PxgmKj9fq2Sy7jf9tPi+IgDeqXn9WFy5gOo3MmQhsbOfVY
|
gd3d6CTGjMx1piMEtgySdxVfF/pNqsq7IKisMUVZSPrV4V90N+kNeaK/6kXBVmuU
|
||||||
6HNgCaNH7G8cT7m4iDflQY4yf6NFLhAASTCF7QufTtd8R1uewaXyoGVC/UH+X97N
|
lUHio2thypctmtCXDQYIv3b2mzb6v6bHYqUlKNGY26fEZUem+E/6MhtYPJ8z6cy8
|
||||||
qZ6z5PCHX5EsoFjXz7opPaj+ZYK5M4w8cF1aJNIBAoGAcpFShqUYLBKfSnpQEoTa
|
O/unWcLAofyzKnwtMq3DWtBEahyRgsOmZ2cQfFECgYEAhuZBWI8J42MAuuZq8wvk
|
||||||
cfxXzG/yst+5vGybft8g7TjFvHbnqP/+Nq+VcLZJWXGcdTob1q5+7IkCAAPEv53E
|
wtD0NugsqMAPzdbaMo6jPZrobO3CRqljr2F0bOj2t3wwM/pUAYZgmp3KrG4KNlTt
|
||||||
X7FCPMtFzGAL6++T2fsoFPbVpqJZMLd2NUopxwk73uXTdfcNlZse9UJsfE2PphJN
|
BoTUNooCJ3zvRKdDdRiwdc5cl4DAzwWN4HazAHf0uMSdtXxCc7EQs3yQHjjFHDBY
|
||||||
RGdmOUaX9YasTQGHidkbRYs=
|
hGDKUC0HjCAGOTDqnDJpk2g=
|
||||||
-----END PRIVATE KEY-----
|
-----END PRIVATE KEY-----
|
||||||
|
|||||||
@@ -1,7 +1,8 @@
|
|||||||
DESCRIPTION = "Key store for key installation"
|
DESCRIPTION = "Key store for key installation"
|
||||||
LICENSE = "MIT"
|
LICENSE = "MIT"
|
||||||
LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
|
LIC_FILES_CHKSUM = "\
|
||||||
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
|
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
|
||||||
|
"
|
||||||
|
|
||||||
inherit user-key-store
|
inherit user-key-store
|
||||||
|
|
||||||
@@ -9,17 +10,17 @@ S = "${WORKDIR}"
|
|||||||
|
|
||||||
ALLOW_EMPTY_${PN} = "1"
|
ALLOW_EMPTY_${PN} = "1"
|
||||||
|
|
||||||
PACKAGES =+ " \
|
PACKAGES =+ "\
|
||||||
${PN}-system-trusted-cert \
|
${PN}-system-trusted-cert \
|
||||||
${PN}-ima-cert \
|
${PN}-ima-cert \
|
||||||
"
|
"
|
||||||
|
|
||||||
# Note any private key is not available if user key signing model used.
|
# Note any private key is not available if user key signing model used.
|
||||||
PACKAGES_DYNAMIC += " \
|
PACKAGES_DYNAMIC += "\
|
||||||
${PN}-ima-privkey \
|
${PN}-ima-privkey \
|
||||||
${PN}-system-trusted-privkey \
|
${PN}-system-trusted-privkey \
|
||||||
${PN}-rpm-pubkey \
|
${PN}-rpm-pubkey \
|
||||||
"
|
"
|
||||||
|
|
||||||
KEY_DIR = "${sysconfdir}/keys"
|
KEY_DIR = "${sysconfdir}/keys"
|
||||||
# For RPM verification
|
# For RPM verification
|
||||||
@@ -32,14 +33,10 @@ SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
|
|||||||
IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
|
IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
|
||||||
|
|
||||||
# For ${PN}-system-trusted-cert
|
# For ${PN}-system-trusted-cert
|
||||||
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der"
|
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
|
||||||
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
|
||||||
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
|
||||||
|
|
||||||
# For ${PN}-ima-cert
|
# For ${PN}-ima-cert
|
||||||
IMA_CERT = "${KEY_DIR}/x509_evm.der"
|
IMA_CERT = "${KEY_DIR}/x509_evm.der"
|
||||||
FILES_${PN}-ima-cert = "${IMA_CERT}"
|
|
||||||
CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
|
|
||||||
|
|
||||||
python () {
|
python () {
|
||||||
if uks_signing_model(d) != "sample":
|
if uks_signing_model(d) != "sample":
|
||||||
@@ -83,7 +80,7 @@ do_install() {
|
|||||||
install -d "${D}${KEY_DIR}"
|
install -d "${D}${KEY_DIR}"
|
||||||
|
|
||||||
key_dir="${@uks_system_trusted_keys_dir(d)}"
|
key_dir="${@uks_system_trusted_keys_dir(d)}"
|
||||||
install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}"
|
install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"
|
||||||
|
|
||||||
if [ "${@uks_signing_model(d)}" = "sample" ]; then
|
if [ "${@uks_signing_model(d)}" = "sample" ]; then
|
||||||
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
|
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
|
||||||
@@ -120,3 +117,9 @@ pkg_postinst_${PN}-rpm-pubkey() {
|
|||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||||
|
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||||
|
|
||||||
|
FILES_${PN}-ima-cert = "${IMA_CERT}"
|
||||||
|
CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
|
||||||
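Review bot: `CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"`, moved to the end of the file here, marks the kernel trust anchor as a configuration file, so a package upgrade keeps whatever copy is already on the target instead of installing the new one; a rotated `system_trusted_key.crt` shipped in a newer key-store package would not replace a locally changed file. If the certificate is meant to be operator-replaceable that is intended and deserves a comment above the line; if it should always track the package, drop the CONFFILES line (and consider the same for `${PN}-ima-cert`). The relocation of the FILES/CONFFILES lines otherwise looks like a pure reorder.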
|
|||||||
@@ -1,6 +1,10 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
KEYS_DIR="`pwd`/user-keys"
|
_S="${BASH_SOURCE[0]}"
|
||||||
|
_D=`dirname "$_S"`
|
||||||
|
ROOT_DIR="`cd "$_D" && pwd`"
|
||||||
|
|
||||||
|
KEYS_DIR="$ROOT_DIR/user-keys"
|
||||||
|
|
||||||
function show_help()
|
function show_help()
|
||||||
{
|
{
|
||||||
@@ -88,7 +92,7 @@ ca_sign() {
|
|||||||
-CAform "$ca_cert_form" \
|
-CAform "$ca_cert_form" \
|
||||||
-CAkey "$ca_key_dir/$ca_key_name.key" \
|
-CAkey "$ca_key_dir/$ca_key_name.key" \
|
||||||
-set_serial 1 -days 3650 \
|
-set_serial 1 -days 3650 \
|
||||||
-extfile openssl.cnf -extensions v3_req \
|
-extfile "$ROOT_DIR/openssl.cnf" -extensions v3_req \
|
||||||
-out "$key_dir/$key_name.crt"
|
-out "$key_dir/$key_name.crt"
|
||||||
|
|
||||||
rm -f "$key_dir/$key_name.csr"
|
rm -f "$key_dir/$key_name.csr"
|
||||||
@@ -126,9 +130,6 @@ create_system_user_key() {
|
|||||||
|
|
||||||
ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
|
ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
|
||||||
"/CN=System Trusted Certificate for $USER@`hostname`/"
|
"/CN=System Trusted Certificate for $USER@`hostname`/"
|
||||||
|
|
||||||
pem2der "$key_dir/system_trusted_key.crt"
|
|
||||||
rm -f "$key_dir/system_trusted_key.crt"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
create_ima_user_key() {
|
create_ima_user_key() {
|
||||||
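Review bot: `ROOT_DIR="\`cd "$_D" && pwd\`"` leaves ROOT_DIR empty when the cd fails, and the later `-extfile "$ROOT_DIR/openssl.cnf"` then resolves to `/openssl.cnf`; as the script is bash, `ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" || exit 1` does the same work in one line and aborts early instead. In create_system_user_key the `pem2der` step and the `rm -f` of the `.crt` are dropped so the PEM certificate is what gets kept; since create_ima_user_key (outside the hunk) presumably still produces a DER file, a comment stating why the two key types differ in format would save the next reader from "fixing" one to match the other.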
|
|||||||
@@ -1,2 +1,3 @@
|
|||||||
[v3_req]
|
[v3_req]
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
authorityKeyIdentifier=keyid:always
|
authorityKeyIdentifier=keyid:always
|
||||||
|
|||||||