mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
user-key-store: clean up the code style
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
@@ -63,8 +63,8 @@ def check_uefi_sb_user_keys(d):
|
|||||||
vprint("%s.key is unavailable" % _, d)
|
vprint("%s.key is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not os.path.exists(dir + _ + '.pem'):
|
if not os.path.exists(dir + _ + '.crt'):
|
||||||
vprint("%s.pem is unavailable" % _, d)
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def uefi_sb_sign(input, output, d):
|
def uefi_sb_sign(input, output, d):
|
||||||
@@ -72,7 +72,7 @@ def uefi_sb_sign(input, output, d):
|
|||||||
return
|
return
|
||||||
|
|
||||||
_ = uefi_sb_keys_dir(d)
|
_ = uefi_sb_keys_dir(d)
|
||||||
sign_efi_image(_ + 'DB.key', _ + 'DB.pem', input, output, d)
|
sign_efi_image(_ + 'DB.key', _ + 'DB.crt', input, output, d)
|
||||||
|
|
||||||
def mok_sb_keys_dir(d):
|
def mok_sb_keys_dir(d):
|
||||||
if d.getVar('MOK_SB', True) != '1':
|
if d.getVar('MOK_SB', True) != '1':
|
||||||
@@ -87,11 +87,11 @@ def sb_sign(input, output, d):
|
|||||||
|
|
||||||
if uks_signing_model(d) in ('sample', 'user'):
|
if uks_signing_model(d) in ('sample', 'user'):
|
||||||
# Deal with MOK_SB firstly, as MOK_SB implies UEFI_SB == 1.
|
# Deal with MOK_SB firstly, as MOK_SB implies UEFI_SB == 1.
|
||||||
# On this scenario, bootloader is verified by shim_cert.pem
|
# On this scenario, bootloader is verified by shim_cert.crt
|
||||||
if d.getVar('MOK_SB', True) == '1':
|
if d.getVar('MOK_SB', True) == '1':
|
||||||
mok_sb_sign(input, output, d)
|
mok_sb_sign(input, output, d)
|
||||||
# UEFI_SB is defined, but MOK_SB is not defined
|
# UEFI_SB is defined, but MOK_SB is not defined
|
||||||
# On this scenario, shim is not used, and DB.pem is used to
|
# On this scenario, shim is not used, and DB.crt is used to
|
||||||
# verify bootloader directly.
|
# verify bootloader directly.
|
||||||
else:
|
else:
|
||||||
uefi_sb_sign(input, output, d)
|
uefi_sb_sign(input, output, d)
|
||||||
@@ -106,8 +106,8 @@ def check_mok_sb_user_keys(d):
|
|||||||
vprint("%s.key is unavailable" % _, d)
|
vprint("%s.key is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not os.path.exists(dir + _ + '.pem'):
|
if not os.path.exists(dir + _ + '.crt'):
|
||||||
vprint("%s.pem is unavailable" % _, d)
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def mok_sb_sign(input, output, d):
|
def mok_sb_sign(input, output, d):
|
||||||
@@ -115,7 +115,7 @@ def mok_sb_sign(input, output, d):
|
|||||||
return
|
return
|
||||||
|
|
||||||
_ = mok_sb_keys_dir(d)
|
_ = mok_sb_keys_dir(d)
|
||||||
sign_efi_image(_ + 'vendor_cert.key', _ + 'vendor_cert.pem', input, output, d)
|
sign_efi_image(_ + 'vendor_cert.key', _ + 'vendor_cert.crt', input, output, d)
|
||||||
|
|
||||||
def sel_sign(key, cert, input, d):
|
def sel_sign(key, cert, input, d):
|
||||||
import bb.process
|
import bb.process
|
||||||
@@ -137,11 +137,11 @@ def uks_sel_sign(input, d):
|
|||||||
if d.getVar('MOK_SB', True) == '1':
|
if d.getVar('MOK_SB', True) == '1':
|
||||||
_ = mok_sb_keys_dir(d)
|
_ = mok_sb_keys_dir(d)
|
||||||
key = _ + 'vendor_cert.key'
|
key = _ + 'vendor_cert.key'
|
||||||
cert = _ + 'vendor_cert.pem'
|
cert = _ + 'vendor_cert.crt'
|
||||||
else:
|
else:
|
||||||
_ = uefi_sb_keys_dir(d)
|
_ = uefi_sb_keys_dir(d)
|
||||||
key = _ + 'DB.key'
|
key = _ + 'DB.key'
|
||||||
cert = _ + 'DB.pem'
|
cert = _ + 'DB.crt'
|
||||||
|
|
||||||
sel_sign(key, cert, input, d)
|
sel_sign(key, cert, input, d)
|
||||||
|
|
||||||
@@ -150,7 +150,7 @@ def check_ima_user_keys(d):
|
|||||||
|
|
||||||
for _ in ('key', 'der'):
|
for _ in ('key', 'der'):
|
||||||
if not os.path.exists(dir + 'x509_ima.' + _):
|
if not os.path.exists(dir + 'x509_ima.' + _):
|
||||||
vprint("%s.pem is unavailable" % _, d)
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def check_system_trusted_keys(d):
|
def check_system_trusted_keys(d):
|
||||||
@@ -161,8 +161,8 @@ def check_system_trusted_keys(d):
|
|||||||
vprint("%s.key is unavailable" % _, d)
|
vprint("%s.key is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if not os.path.exists(dir + _ + '.pem'):
|
if not os.path.exists(dir + _ + '.der'):
|
||||||
vprint("%s.pem is unavailable" % _, d)
|
vprint("%s.der is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# Convert the PEM to DER format.
|
# Convert the PEM to DER format.
|
||||||
@@ -185,10 +185,10 @@ __pem2esl() {
|
|||||||
|
|
||||||
# Blacklist the sample DB, shim_cert, vendor_cert by default.
|
# Blacklist the sample DB, shim_cert, vendor_cert by default.
|
||||||
__create_default_mok_sb_blacklist() {
|
__create_default_mok_sb_blacklist() {
|
||||||
__pem2esl "${SAMPLE_MOK_SB_KEYS_DIR}/shim_cert.pem" \
|
__pem2esl "${SAMPLE_MOK_SB_KEYS_DIR}/shim_cert.crt" \
|
||||||
"${TMPDIR}/sample_shim_cert.esl"
|
"${TMPDIR}/sample_shim_cert.esl"
|
||||||
|
|
||||||
__pem2esl "${SAMPLE_MOK_SB_KEYS_DIR}/vendor_cert.pem" \
|
__pem2esl "${SAMPLE_MOK_SB_KEYS_DIR}/vendor_cert.crt" \
|
||||||
"${TMPDIR}/sample_vendor_cert.esl"
|
"${TMPDIR}/sample_vendor_cert.esl"
|
||||||
|
|
||||||
# Cascade the sample DB, shim_cert and vendor_cert to
|
# Cascade the sample DB, shim_cert and vendor_cert to
|
||||||
@@ -198,7 +198,7 @@ __create_default_mok_sb_blacklist() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
__create_default_uefi_sb_blacklist() {
|
__create_default_uefi_sb_blacklist() {
|
||||||
__pem2esl "${SAMPLE_UEFI_SB_KEYS_DIR}/DB.pem" \
|
__pem2esl "${SAMPLE_UEFI_SB_KEYS_DIR}/DB.crt" \
|
||||||
"${TMPDIR}/sample_DB.esl"
|
"${TMPDIR}/sample_DB.esl"
|
||||||
|
|
||||||
cat "${TMPDIR}/sample_DB.esl" > "${TMPDIR}/blacklist.esl"
|
cat "${TMPDIR}/sample_DB.esl" > "${TMPDIR}/blacklist.esl"
|
||||||
@@ -284,70 +284,6 @@ def create_uefi_dbx(d):
|
|||||||
|
|
||||||
return dst
|
return dst
|
||||||
|
|
||||||
create_uefi_sb_user_keys() {
|
|
||||||
local deploy_dir="${DEPLOY_DIR_IMAGE}/user-keys/uefi_sb_keys"
|
|
||||||
|
|
||||||
install -d "$deploy_dir"
|
|
||||||
|
|
||||||
# PK is self-signed.
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" req -new -x509 -newkey rsa:2048 \
|
|
||||||
-sha256 -nodes -days 3650 \
|
|
||||||
-subj "/CN=PK Certificate for $USER@`hostname`/" \
|
|
||||||
-keyout "$deploy_dir/PK.key" \
|
|
||||||
-out "$deploy_dir/PK.pem"
|
|
||||||
|
|
||||||
# KEK is signed by PK.
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" req -new -newkey rsa:2048 \
|
|
||||||
-sha256 -nodes \
|
|
||||||
-subj "/CN=KEK Certificate for $USER@`hostname`" \
|
|
||||||
-keyout "$deploy_dir/KEK.key" \
|
|
||||||
-out "${TMPDIR}/KEK.csr"
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" x509 -req -in "${TMPDIR}/KEK.csr" \
|
|
||||||
-CA "$deploy_dir/PK.pem" -CAkey "$deploy_dir/PK.key" \
|
|
||||||
-set_serial 1 -days 3650 -out "$deploy_dir/KEK.pem"
|
|
||||||
|
|
||||||
# DB is signed by KEK.
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" req -new -newkey rsa:2048 \
|
|
||||||
-sha256 -nodes \
|
|
||||||
-subj "/CN=DB Certificate for $USER@`hostname`" \
|
|
||||||
-keyout "$deploy_dir/DB.key" \
|
|
||||||
-out "${TMPDIR}/DB.csr"
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" x509 -req -in "${TMPDIR}/DB.csr" \
|
|
||||||
-CA "$deploy_dir/KEK.pem" -CAkey "$deploy_dir/KEK.key" \
|
|
||||||
-set_serial 1 -days 3650 -out "$deploy_dir/DB.pem"
|
|
||||||
}
|
|
||||||
|
|
||||||
create_mok_sb_user_keys() {
|
|
||||||
local deploy_dir="${DEPLOY_DIR_IMAGE}/user-keys/mok_sb_keys"
|
|
||||||
|
|
||||||
install -d "$deploy_dir"
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" req -new -x509 -newkey rsa:2048 \
|
|
||||||
-sha256 -nodes -days 3650 -subj "/CN=Shim Certificate for $USER@`hostname`/" \
|
|
||||||
-keyout "$deploy_dir/shim_cert.key" -out "$deploy_dir/shim_cert.pem"
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" req -new -x509 -newkey rsa:2048 \
|
|
||||||
-sha256 -nodes -days 3650 -subj "/CN=Vendor Certificate for $USER@`hostname`/" \
|
|
||||||
-keyout "$deploy_dir/vendor_cert.key" -out "$deploy_dir/vendor_cert.pem" \
|
|
||||||
}
|
|
||||||
|
|
||||||
create_ima_user_keys() {
|
|
||||||
local deploy_dir="${DEPLOY_DIR_IMAGE}/user-keys/ima_keys"
|
|
||||||
|
|
||||||
install -d "$deploy_dir"
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" genrsa -out "$deploy_dir/ima_privkey.pem" 2048
|
|
||||||
|
|
||||||
"${STAGING_BINDIR_NATIVE}/openssl" rsa -in "$deploy_dir/ima_privkey.pem" -pubout \
|
|
||||||
-out "$deploy_dir/ima_pubkey.pem"
|
|
||||||
}
|
|
||||||
|
|
||||||
def create_user_keys(name, d):
|
|
||||||
vprint('Creating the user keys for %s ...' % name, d)
|
|
||||||
bb.build.exec_func('create_' + name.lower() + '_user_keys', d)
|
|
||||||
|
|
||||||
deploy_uefi_sb_keys() {
|
deploy_uefi_sb_keys() {
|
||||||
local deploy_dir="${DEPLOY_KEYS_DIR}/uefi_sb_keys"
|
local deploy_dir="${DEPLOY_KEYS_DIR}/uefi_sb_keys"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user