mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-signing-key: support to build key-store with modsign and extra system trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
This commit is contained in:
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
|
|||||||
|
|
||||||
UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
|
UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
|
||||||
MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
|
MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
|
||||||
|
MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
|
||||||
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
||||||
SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
|
||||||
|
EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
|
||||||
RPM = '1'
|
RPM = '1'
|
||||||
|
|
||||||
def vprint(str, d):
|
def vprint(str, d):
|
||||||
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
|
|||||||
set_keys_dir('SYSTEM_TRUSTED', d)
|
set_keys_dir('SYSTEM_TRUSTED', d)
|
||||||
return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
|
return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
|
||||||
|
|
||||||
|
def uks_extra_system_trusted_keys_dir(d):
|
||||||
|
set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
|
||||||
|
return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
|
||||||
|
|
||||||
|
def uks_modsign_keys_dir(d):
|
||||||
|
set_keys_dir('MODSIGN', d)
|
||||||
|
return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
|
||||||
|
|
||||||
def uks_ima_keys_dir(d):
|
def uks_ima_keys_dir(d):
|
||||||
set_keys_dir('IMA', d)
|
set_keys_dir('IMA', d)
|
||||||
return d.getVar('IMA_KEYS_DIR', True) + '/'
|
return d.getVar('IMA_KEYS_DIR', True) + '/'
|
||||||
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
|
|||||||
vprint("%s.crt is unavailable" % _, d)
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
def check_extra_system_trusted_keys(d):
|
||||||
|
dir = uks_extra_system_trusted_keys_dir(d)
|
||||||
|
|
||||||
|
_ = 'extra_system_trusted_key'
|
||||||
|
if not os.path.exists(dir + _ + '.key'):
|
||||||
|
vprint("%s.key is unavailable" % _, d)
|
||||||
|
return False
|
||||||
|
|
||||||
|
if not os.path.exists(dir + _ + '.crt'):
|
||||||
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
|
return False
|
||||||
|
|
||||||
|
def check_modsign_keys(d):
|
||||||
|
dir = uks_modsign_keys_dir(d)
|
||||||
|
|
||||||
|
_ = 'modsign_key'
|
||||||
|
if not os.path.exists(dir + _ + '.key'):
|
||||||
|
vprint("%s.key is unavailable" % _, d)
|
||||||
|
return False
|
||||||
|
|
||||||
|
if not os.path.exists(dir + _ + '.crt'):
|
||||||
|
vprint("%s.crt is unavailable" % _, d)
|
||||||
|
return False
|
||||||
|
|
||||||
def check_rpm_keys(d):
|
def check_rpm_keys(d):
|
||||||
dir = uks_rpm_keys_dir(d)
|
dir = uks_rpm_keys_dir(d)
|
||||||
|
|
||||||
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
deploy_extra_system_trusted_keys() {
|
||||||
|
local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
|
||||||
|
|
||||||
|
if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
|
||||||
|
install -d "$deploy_dir"
|
||||||
|
|
||||||
|
cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
deploy_modsign_keys() {
|
||||||
|
local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
|
||||||
|
|
||||||
|
if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
|
||||||
|
install -d "$deploy_dir"
|
||||||
|
|
||||||
|
cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
def deploy_keys(name, d):
|
def deploy_keys(name, d):
|
||||||
d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
|
d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
|
||||||
d.getVar('SIGNING_MODEL', True) + '-keys')
|
d.getVar('SIGNING_MODEL', True) + '-keys')
|
||||||
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
|
|||||||
_ = check_ima_user_keys(d)
|
_ = check_ima_user_keys(d)
|
||||||
elif name == 'SYSTEM_TRUSTED':
|
elif name == 'SYSTEM_TRUSTED':
|
||||||
_ = check_system_trusted_keys(d)
|
_ = check_system_trusted_keys(d)
|
||||||
|
elif name == 'EXTRA_SYSTEM_TRUSTED':
|
||||||
|
_ = check_extra_system_trusted_keys(d)
|
||||||
|
elif name == 'MODSIGN':
|
||||||
|
_ = check_modsign_keys(d)
|
||||||
elif name == 'RPM':
|
elif name == 'RPM':
|
||||||
_ = check_rpm_keys(d)
|
_ = check_rpm_keys(d)
|
||||||
else:
|
else:
|
||||||
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
|
|||||||
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
|
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
|
||||||
|
|
||||||
python check_deploy_keys() {
|
python check_deploy_keys() {
|
||||||
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
|
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
|
||||||
if d.getVar(_, True) != "1":
|
if d.getVar(_, True) != "1":
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
|||||||
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
|
|||||||
SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
|
SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
|
||||||
SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
|
SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
|
||||||
SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
|
SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
|
||||||
|
SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
|
||||||
|
SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
|
||||||
SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
|
SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
|
||||||
SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
|
SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
|
||||||
|
|
||||||
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
|
|||||||
MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
|
MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
|
||||||
UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
|
UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
|
||||||
SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
|
SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
|
||||||
|
EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
|
||||||
|
MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
|
||||||
IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
|
IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
|
||||||
RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
|
RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
|
||||||
|
|
||||||
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
|
|||||||
|
|
||||||
BB_HASHBASE_WHITELIST_append += "\
|
BB_HASHBASE_WHITELIST_append += "\
|
||||||
SYSTEM_TRUSTED_KEYS_DIR \
|
SYSTEM_TRUSTED_KEYS_DIR \
|
||||||
|
EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
|
||||||
|
MODSIGN_KEYS_DIR \
|
||||||
IMA_KEYS_DIR \
|
IMA_KEYS_DIR \
|
||||||
RPM_KEYS_DIR \
|
RPM_KEYS_DIR \
|
||||||
UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \
|
UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \
|
||||||
|
|||||||
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
|
|||||||
# For ${PN}-system-trusted-privkey
|
# For ${PN}-system-trusted-privkey
|
||||||
SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
|
SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
|
||||||
|
|
||||||
|
# For ${PN}-extra-system-trusted-privkey
|
||||||
|
EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
|
||||||
|
|
||||||
|
# For ${PN}-modsign-privkey
|
||||||
|
MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
|
||||||
|
|
||||||
# For ${PN}-ima-privkey
|
# For ${PN}-ima-privkey
|
||||||
IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
|
IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
|
||||||
|
|
||||||
# For ${PN}-system-trusted-cert
|
# For ${PN}-system-trusted-cert
|
||||||
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
|
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
|
||||||
|
|
||||||
|
# For ${PN}-extra-system-trusted-cert
|
||||||
|
EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
|
||||||
|
|
||||||
|
# For ${PN}-modsign-cert
|
||||||
|
MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
|
||||||
|
|
||||||
# For ${PN}-ima-cert
|
# For ${PN}-ima-cert
|
||||||
IMA_CERT = "${KEY_DIR}/x509_evm.der"
|
IMA_CERT = "${KEY_DIR}/x509_evm.der"
|
||||||
|
|
||||||
@@ -35,7 +47,17 @@ python () {
|
|||||||
d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
||||||
d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
||||||
|
|
||||||
pn = d.getVar('PN', True) + '-ima-privkey'
|
pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
|
||||||
|
d.setVar('PACKAGES_prepend', pn + ' ')
|
||||||
|
d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
|
||||||
|
d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
|
||||||
|
|
||||||
|
pn = d.getVar('PN', True) + '-modsign-privkey'
|
||||||
|
d.setVar('PACKAGES_prepend', pn + ' ')
|
||||||
|
d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
|
||||||
|
d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
|
||||||
|
|
||||||
|
pn = d.getVar('PN', True) + 'ima-privkey'
|
||||||
d.setVar('PACKAGES_prepend', pn + ' ')
|
d.setVar('PACKAGES_prepend', pn + ' ')
|
||||||
d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
|
d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
|
||||||
d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
|
d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
|
||||||
@@ -74,6 +96,24 @@ do_install() {
|
|||||||
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
|
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
|
||||||
|
install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
|
||||||
|
"${D}${EXTRA_SYSTEM_CERT}"
|
||||||
|
|
||||||
|
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
|
||||||
|
install -m 0400 "$key_dir/extra_system_trusted_key.key" \
|
||||||
|
"${D}${EXTRA_SYSTEM_PRIV_KEY}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
key_dir="${@uks_modsign_keys_dir(d)}"
|
||||||
|
install -m 0644 "$key_dir/modsign_key.crt" \
|
||||||
|
"${D}${MODSIGN_CERT}"
|
||||||
|
|
||||||
|
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
|
||||||
|
install -m 0400 "$key_dir/modsign_key.key" \
|
||||||
|
"${D}${MODSIGN_PRIV_KEY}"
|
||||||
|
fi
|
||||||
|
|
||||||
key_dir="${@uks_ima_keys_dir(d)}"
|
key_dir="${@uks_ima_keys_dir(d)}"
|
||||||
install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
|
install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
|
||||||
|
|
||||||
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
PACKAGES =+ "\
|
PACKAGES = "\
|
||||||
${PN}-system-trusted-cert \
|
${PN}-system-trusted-cert \
|
||||||
|
${PN}-extra-system-trusted-cert \
|
||||||
|
${PN}-modsign-cert \
|
||||||
${PN}-ima-cert \
|
${PN}-ima-cert \
|
||||||
"
|
"
|
||||||
|
|
||||||
# Note any private key is not available if user key signing model used.
|
# Note any private key is not available if user key signing model used.
|
||||||
PACKAGES_DYNAMIC += "\
|
PACKAGES_DYNAMIC = "\
|
||||||
${PN}-ima-privkey \
|
|
||||||
${PN}-system-trusted-privkey \
|
${PN}-system-trusted-privkey \
|
||||||
|
${PN}-extra-system-trusted-privkey \
|
||||||
|
${PN}-modsign-privkey \
|
||||||
|
${PN}-ima-privkey \
|
||||||
${PN}-rpm-pubkey \
|
${PN}-rpm-pubkey \
|
||||||
"
|
"
|
||||||
|
|
||||||
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||||
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||||
|
|
||||||
|
FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
|
||||||
|
CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
|
||||||
|
|
||||||
|
FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
|
||||||
|
CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
|
||||||
|
|
||||||
FILES_${PN}-ima-cert = "${IMA_CERT}"
|
FILES_${PN}-ima-cert = "${IMA_CERT}"
|
||||||
CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
|
CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
|
||||||
|
|||||||
Reference in New Issue
Block a user