diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima index f11ff13..c663817 100755 --- a/meta-integrity/recipes-core/initrdscripts/files/init.ima +++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima @@ -97,6 +97,19 @@ fi mount --move ${ROOT_DIR}/proc /proc +# If we have a secondary trusted keyring, here is the opportunity to load +# additional trusted keys from the real rootfs. +for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do + [ ! -s "$cert" ] && continue + name=`basename $cert` + + if ! keyctl padd asymmetric "$name" %:.secondary_trusted_keys < $cert > ${ROOT_DIR}/dev/null; then + print_critical "Unable to load the secondary certificate $cert" + else + print_verbose "The secondary certificate $cert has been loaded" + fi +done + # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was # automatically loaded by kernel already. Here is the opportunity to load # a custom IMA certificate from the real rootfs. diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 66691cc..30485a7 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -31,6 +31,7 @@ SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" # For ${PN}-secondary-trusted-cert SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt" +SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.der" # For ${PN}-modsign-cert MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" @@ -99,6 +100,8 @@ do_install() { key_dir="${@uks_secondary_trusted_keys_dir(d)}" install -m 0644 "$key_dir/secondary_trusted_key.crt" \ "${D}${SECONDARY_TRUSTED_CERT}" + openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \ + -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}" if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then install -m 0400 "$key_dir/secondary_trusted_key.key" \ @@ -167,8 +170,14 @@ PACKAGES_DYNAMIC = "\ FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" -FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" -CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" +FILES_${PN}-secondary-trusted-cert = "\ + ${SECONDARY_TRUSTED_CERT} \ + ${SECONDARY_TRUSTED_DER_ENC_CERT} \ + " +CONFFILES_${PN}-secondary-trusted-cert = "\ + ${SECONDARY_TRUSTED_CERT} \ + ${SECONDARY_TRUSTED_DER_ENC_CERT} \ + " FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"