meta-integrity: enable modsign support in kernel

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
This commit is contained in:
Jia Zhang
2017-11-21 09:32:12 -05:00
parent bd0f4cbe40
commit 59ca43808c
3 changed files with 30 additions and 5 deletions
@@ -1,19 +1,32 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
MODSIGN_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '1', '0', d)}"
DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
DEPENDS += "${@'key-store openssl-native' \
if d.getVar('IMA_ENABLED', True) == '1' or \
d.getVar('MODSIGN_ENABLED', True) == '1' \
else ''}"
SRC_URI += "\
${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \
${@'file://ima.scc file://ima.cfg' \
if d.getVar('IMA_ENABLED', True) == '1' else ''} \
${@'file://modsign.scc file://modsign.cfg' \
if d.getVar('MODSIGN_ENABLED', True) == '1' else ''} \
"
do_configure_prepend() {
cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key"
modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
if [ -f "$cert" ]; then
install -m 0644 "$cert" "${B}"
if [ -f "$sys_cert" ]; then
install -m 0644 "$sys_cert" "${B}"
fi
if [ -f "$modsign_key" -a -f "$modsign_cert" ]; then
cat "$modsign_key" "$modsign_cert" \
> "${B}/modsign_key.pem"
else
true
fi
@@ -0,0 +1,7 @@
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_KEY="modsign_key.pem"
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_SHA256=y
CONFIG_CRYPTO_SHA256=y
CONFIG_MODULE_SIG_ALL=y
@@ -0,0 +1,5 @@
define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
define KFEATURE_COMPATIBILITY all
include integrity.scc
kconf non-hardware modsign.cfg