Rename .pem to .crt

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2026-01-12 01:00:15 +00:00 · 2017-07-03 15:47:53 +08:00
parent a93993cdc9
commit 81553a81fb
15 changed files with 24 additions and 43 deletions
--- a/meta-efi-secure-boot/README.md
+++ b/meta-efi-secure-boot/README.md
@@ -77,27 +77,27 @@ public.**
 The sample keys used for UEFI Secure Boot are centrally placed under
 meta-signing-key/files/uefi_sb_keys/.

- PK.pem  
+- PK.crt  
  The X509 certificate enrolled to UEFI BIOS, used to update/delete PK/KEK.

 - PK.key  
-  The private key corresponding to PK.pem, used to sign the EFI signature
+  The private key corresponding to PK.crt, used to sign the EFI signature
  list for PK/KEK enrollment.

- KEK.pem  
+- KEK.crt  
  The X509 certificate enrolled to UEFI BIOS, used to update/delete
  DB/DBX.

 - KEK.key  
-  The private key corresponding to KEK.pem, used to sign the EFI signature
+  The private key corresponding to KEK.crt, used to sign the EFI signature
  list for DB/DBX enrollment.

- DB.pem  
+- DB.crt  
  The X509 certificate enrolled to UEFI BIOS, used to verify the images
  directly loaded by UEFI BIOS.

 - DB.key  
-  The private key corresponding to DB.pem, used to sign the images directly
+  The private key corresponding to DB.crt, used to sign the images directly
  loaded by UEFI BIOS.

 - DBX  
@@ -108,21 +108,21 @@ meta-signing-key/files/uefi_sb_keys/.
 The sample keys used for MOK Secure Boot are centrally placed under
 `meta-signing-key/files/mok_sb_keys/`.

- shim_cert.pem  
+- shim_cert.crt  
  The X509 certificate embedded in shim, used to verify the images either
  directly or indirectly loaded by shim.

 - shim_cert.key  
-  The private key corresponding to shim_cert.pem, used to sign the images
+  The private key corresponding to shim_cert.crt, used to sign the images
  either directly or indirectly loaded by shim.

- vendor_cert.pem  
-  Used in the same way as shim_cert.pem. In addition, vendor certificate
+- vendor_cert.crt  
+  Used in the same way as shim_cert.crt. In addition, vendor certificate
  is the switch to enable shim verification protocol, which facilitates
  the verification for the SELoader.

 - vendor_cert.key  
-  The private key corresponding to vendor_cert.pem, Same fuction as
+  The private key corresponding to vendor_cert.crt, Same fuction as
  shim_cert.key.

 - vendor_dbx  
@@ -341,10 +341,10 @@ the database of shim.
 where `<cert.cer>` is the MOK certificate corresponding to the private key used
 to sign either grub or kernel.

-To convert a PEM, for exmaple, the shim_cert.pem, to a DER formatted X509
+To convert a PEM, for exmaple, the shim_cert.crt, to a DER formatted X509
 certificate, type the command:
 ```
-$ openssl x509 -in shim_cert.pem -inform PEM -out shim_cert.cer -outform DER
+$ openssl x509 -in shim_cert.crt -inform PEM -out shim_cert.cer -outform DER
 ```

 ##### List the enrollment requests
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
@@ -44,7 +44,7 @@ python do_prepare_signing_keys() {
    import shutil

    for _ in ('PK', 'KEK', 'DB'):
-        shutil.copyfile(dir + _ + '.pem', d.expand('${S}/') + _ + '.crt')
+        shutil.copyfile(dir + _ + '.crt', d.expand('${S}/') + _ + '.crt')
        shutil.copyfile(dir + _ + '.key', d.expand('${S}/') + _ + '.key')

    # Make sure LockDown.efi contains the DB and KEK from Microsoft.
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -84,13 +84,13 @@ python do_prepare_signing_keys() {

    import shutil

-    shutil.copyfile(dir + 'shim_cert.pem', d.getVar('S', True) + '/shim.crt')
-    pem2der(dir + 'vendor_cert.pem', d.getVar('WORKDIR', True) + '/vendor_cert.cer', d)
+    shutil.copyfile(dir + 'shim_cert.crt', d.getVar('S', True) + '/shim.pem')
+    pem2der(dir + 'vendor_cert.crt', d.getVar('WORKDIR', True) + '/vendor_cert.cer', d)

    # Replace the shim certificate with EV certificate for speeding up
    # the progress of MSFT signing.
    if d.expand('${MSFT}') == "1" and uks_signing_model(d) == "sample":
-        shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.crt'))
+        shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.pem'))
 }
 addtask prepare_signing_keys after do_configure before do_compile

--- a/meta-signing-key/README.md
+++ b/meta-signing-key/README.md
@@ -17,15 +17,15 @@ user-keys
 │   └── x509_ima.key
 ├── mok_sb_keys
 │   ├── shim_cert.key
-│   ├── shim_cert.pem
+│   ├── shim_cert.crt
 │   ├── vendor_cert.key
-│   └── vendor_cert.pem
+│   └── vendor_cert.crt
 └── uefi_sb_keys
    ├── DB.key
    ├── KEK.key
-    ├── KEK.pem
+    ├── KEK.crt
    ├── PK.key
-    └── PK.pem
+    └── PK.crt
 ```
 If the user plans to create the user keys by self, please consider to
 define the necessary variables mentioned below in local.conf, or construct
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,11 +17,11 @@ SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"

 # Microsoft certificates
-MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.pem"
-MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.pem"
+MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.crt"
+MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.crt"

 # EV certificate
-EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.pem"
+EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"

 # By default the sample keys are used
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
--- a/meta-signing-key/files/mok_sb_keys/shim_cert.crt
+++ b/meta-signing-key/files/mok_sb_keys/shim_cert.crt
--- a/meta-signing-key/files/mok_sb_keys/vendor_cert.crt
+++ b/meta-signing-key/files/mok_sb_keys/vendor_cert.crt
--- a/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.crt
+++ b/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.crt
--- a/meta-signing-key/files/system_trusted_keys/system_trusted_key.pem
+++ b/meta-signing-key/files/system_trusted_keys/system_trusted_key.pem
@@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDHTCCAgWgAwIBAgIJALu1KPLxuKZTMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
-BAMMGlN5c3RlbSBUcnVzdGVkIENlcnRpZmljYXRlMB4XDTE3MDYxMjAzNDU1OVoX
-DTI3MDYxMDAzNDU1OVowJTEjMCEGA1UEAwwaU3lzdGVtIFRydXN0ZWQgQ2VydGlm
-aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7aRl34d6FNFwN
-/J9OuDG0vh7aOM4Acs46/4lDKzxeSGxfNCmxXWhEG6M3rDU6nfy09vqMhuLyLgMP
-kMum47yFqufP4XRIb3aJYkjRYRUtzHo8CoZR80SoG778RlnvMekIE51yps/wR9/9
-AjY21PejZvXppkVXNtaiB4BP0tIu+a/5D8+jmiBus5ZtzkmFghUfTRuT+QdoQuC4
-gtqDBbz7WQTzryqESbIL9kkPLQFbOwETJwfur40hmkH+yDxlBURuod8A4Ne0jJt7
-gfFZBk3cgwlP/EOsJndlIAsnC8lgNfvji1lx9XOQGCj5X24wqRFstvkmpi/Ha7uJ
-UEjn59KjAgMBAAGjUDBOMB0GA1UdDgQWBBQ+XtkvfIaRyIHPnU2eTlTgClRKZjAf
-BgNVHSMEGDAWgBQ+XtkvfIaRyIHPnU2eTlTgClRKZjAMBgNVHRMEBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4IBAQBtUkdB4iPnBXvJY9O68canmzryOby/RE5PLQiMvCy4
-1zY9vH+VBZunAyijLkfP9jzuIIxBBU2QPVzAocOxoS2ie2lvfmbxRzX1d72mKdib
-Oq7BJ8wyscbsSFhAb4UcTsfwYyzM2IIa5uh8nG7caiMPv93XVWdu7KWA4xM0BqIU
-p1fV9+iUxdWrXDMQJPy+2qWdMTMo6hinyOx0CE7Hh9aTaH33C8/Tq6lDoSmVINog
-83+/bcbGObfkkFukhu2uynnkt7txxBQqdBkYGpvUpvF2CxZPhjwVjDx9W4Gujfqm
-QpBhMoXL0b1JhwsJE9EWsaLRXmP+RTKdt0F8PYOqOT0g
-----END CERTIFICATE-----
--- a/meta-signing-key/files/uefi_sb_keys/DB.crt
+++ b/meta-signing-key/files/uefi_sb_keys/DB.crt
--- a/meta-signing-key/files/uefi_sb_keys/DBX/DBX.crt
+++ b/meta-signing-key/files/uefi_sb_keys/DBX/DBX.crt
--- a/meta-signing-key/files/uefi_sb_keys/KEK.crt
+++ b/meta-signing-key/files/uefi_sb_keys/KEK.crt
--- a/meta-signing-key/files/uefi_sb_keys/PK.crt
+++ b/meta-signing-key/files/uefi_sb_keys/PK.crt
--- a/meta-signing-key/files/uefi_sb_keys/ms-DB.crt
+++ b/meta-signing-key/files/uefi_sb_keys/ms-DB.crt
--- a/meta-signing-key/files/uefi_sb_keys/ms-KEK.crt
+++ b/meta-signing-key/files/uefi_sb_keys/ms-KEK.crt