meta-signing-key: support to build key-store with modsign and extra system trusted key support

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
This commit is contained in:
Jia Zhang
2017-11-21 09:30:51 -05:00
parent a97b3363b6
commit bd0f4cbe40
3 changed files with 120 additions and 6 deletions
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}' UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}' MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
RPM = '1' RPM = '1'
def vprint(str, d): def vprint(str, d):
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
set_keys_dir('SYSTEM_TRUSTED', d) set_keys_dir('SYSTEM_TRUSTED', d)
return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/' return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
def uks_extra_system_trusted_keys_dir(d):
set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
def uks_modsign_keys_dir(d):
set_keys_dir('MODSIGN', d)
return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
def uks_ima_keys_dir(d): def uks_ima_keys_dir(d):
set_keys_dir('IMA', d) set_keys_dir('IMA', d)
return d.getVar('IMA_KEYS_DIR', True) + '/' return d.getVar('IMA_KEYS_DIR', True) + '/'
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
vprint("%s.crt is unavailable" % _, d) vprint("%s.crt is unavailable" % _, d)
return False return False
def check_extra_system_trusted_keys(d):
dir = uks_extra_system_trusted_keys_dir(d)
_ = 'extra_system_trusted_key'
if not os.path.exists(dir + _ + '.key'):
vprint("%s.key is unavailable" % _, d)
return False
if not os.path.exists(dir + _ + '.crt'):
vprint("%s.crt is unavailable" % _, d)
return False
def check_modsign_keys(d):
dir = uks_modsign_keys_dir(d)
_ = 'modsign_key'
if not os.path.exists(dir + _ + '.key'):
vprint("%s.key is unavailable" % _, d)
return False
if not os.path.exists(dir + _ + '.crt'):
vprint("%s.crt is unavailable" % _, d)
return False
def check_rpm_keys(d): def check_rpm_keys(d):
dir = uks_rpm_keys_dir(d) dir = uks_rpm_keys_dir(d)
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
fi fi
} }
deploy_extra_system_trusted_keys() {
local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
install -d "$deploy_dir"
cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
fi
}
deploy_modsign_keys() {
local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
install -d "$deploy_dir"
cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
fi
}
def deploy_keys(name, d): def deploy_keys(name, d):
d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \ d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
d.getVar('SIGNING_MODEL', True) + '-keys') d.getVar('SIGNING_MODEL', True) + '-keys')
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
_ = check_ima_user_keys(d) _ = check_ima_user_keys(d)
elif name == 'SYSTEM_TRUSTED': elif name == 'SYSTEM_TRUSTED':
_ = check_system_trusted_keys(d) _ = check_system_trusted_keys(d)
elif name == 'EXTRA_SYSTEM_TRUSTED':
_ = check_extra_system_trusted_keys(d)
elif name == 'MODSIGN':
_ = check_modsign_keys(d)
elif name == 'RPM': elif name == 'RPM':
_ = check_rpm_keys(d) _ = check_rpm_keys(d)
else: else:
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys') d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
python check_deploy_keys() { python check_deploy_keys() {
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'): for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
if d.getVar(_, True) != "1": if d.getVar(_, True) != "1":
continue continue
+6
View File
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys" SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys" SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys" SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}" UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}" SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}" IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}" RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
BB_HASHBASE_WHITELIST_append += "\ BB_HASHBASE_WHITELIST_append += "\
SYSTEM_TRUSTED_KEYS_DIR \ SYSTEM_TRUSTED_KEYS_DIR \
EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
MODSIGN_KEYS_DIR \
IMA_KEYS_DIR \ IMA_KEYS_DIR \
RPM_KEYS_DIR \ RPM_KEYS_DIR \
UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \ UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
# For ${PN}-system-trusted-privkey # For ${PN}-system-trusted-privkey
SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
# For ${PN}-extra-system-trusted-privkey
EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
# For ${PN}-modsign-privkey
MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
# For ${PN}-ima-privkey # For ${PN}-ima-privkey
IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt" IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
# For ${PN}-system-trusted-cert # For ${PN}-system-trusted-cert
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
# For ${PN}-extra-system-trusted-cert
EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
# For ${PN}-modsign-cert
MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
# For ${PN}-ima-cert # For ${PN}-ima-cert
IMA_CERT = "${KEY_DIR}/x509_evm.der" IMA_CERT = "${KEY_DIR}/x509_evm.der"
@@ -35,7 +47,17 @@ python () {
d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
pn = d.getVar('PN', True) + '-ima-privkey' pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
d.setVar('PACKAGES_prepend', pn + ' ')
d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
pn = d.getVar('PN', True) + '-modsign-privkey'
d.setVar('PACKAGES_prepend', pn + ' ')
d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
pn = d.getVar('PN', True) + 'ima-privkey'
d.setVar('PACKAGES_prepend', pn + ' ') d.setVar('PACKAGES_prepend', pn + ' ')
d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
@@ -74,6 +96,24 @@ do_install() {
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
fi fi
key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
"${D}${EXTRA_SYSTEM_CERT}"
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
install -m 0400 "$key_dir/extra_system_trusted_key.key" \
"${D}${EXTRA_SYSTEM_PRIV_KEY}"
fi
key_dir="${@uks_modsign_keys_dir(d)}"
install -m 0644 "$key_dir/modsign_key.crt" \
"${D}${MODSIGN_CERT}"
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
install -m 0400 "$key_dir/modsign_key.key" \
"${D}${MODSIGN_PRIV_KEY}"
fi
key_dir="${@uks_ima_keys_dir(d)}" key_dir="${@uks_ima_keys_dir(d)}"
install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}" install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
fi fi
} }
PACKAGES =+ "\ PACKAGES = "\
${PN}-system-trusted-cert \ ${PN}-system-trusted-cert \
${PN}-extra-system-trusted-cert \
${PN}-modsign-cert \
${PN}-ima-cert \ ${PN}-ima-cert \
" "
# Note any private key is not available if user key signing model used. # Note any private key is not available if user key signing model used.
PACKAGES_DYNAMIC += "\ PACKAGES_DYNAMIC = "\
${PN}-ima-privkey \
${PN}-system-trusted-privkey \ ${PN}-system-trusted-privkey \
${PN}-extra-system-trusted-privkey \
${PN}-modsign-privkey \
${PN}-ima-privkey \
${PN}-rpm-pubkey \ ${PN}-rpm-pubkey \
" "
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
FILES_${PN}-ima-cert = "${IMA_CERT}" FILES_${PN}-ima-cert = "${IMA_CERT}"
CONFFILES_${PN}-ima-cert = "${IMA_CERT}" CONFFILES_${PN}-ima-cert = "${IMA_CERT}"