meta-signing-key: Rename "extra trusted" to "secondary"

The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create.  To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".

Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
Tom Rini
2018-05-16 13:37:54 -04:00
committed by Jia Zhang
parent b7b42cdec7
commit c804f25914
6 changed files with 39 additions and 39 deletions
+14 -14
View File
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
RPM = '1'
def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
set_keys_dir('SYSTEM_TRUSTED', d)
return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
def uks_extra_system_trusted_keys_dir(d):
set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
def uks_secondary_trusted_keys_dir(d):
set_keys_dir('SECONDARY_TRUSTED', d)
return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
def uks_modsign_keys_dir(d):
set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
vprint("%s.crt is unavailable" % _, d)
return False
def check_extra_system_trusted_keys(d):
dir = uks_extra_system_trusted_keys_dir(d)
def check_secondary_trusted_keys(d):
dir = uks_secondary_trusted_keys_dir(d)
_ = 'extra_system_trusted_key'
_ = 'secondary_trusted_key'
if not os.path.exists(dir + _ + '.key'):
vprint("%s.key is unavailable" % _, d)
return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
fi
}
deploy_extra_system_trusted_keys() {
local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
deploy_secondary_trusted_keys() {
local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
install -d "$deploy_dir"
cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
fi
}
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
_ = check_ima_user_keys(d)
elif name == 'SYSTEM_TRUSTED':
_ = check_system_trusted_keys(d)
elif name == 'EXTRA_SYSTEM_TRUSTED':
_ = check_extra_system_trusted_keys(d)
elif name == 'SECONDARY_TRUSTED':
_ = check_secondary_trusted_keys(d)
elif name == 'MODSIGN':
_ = check_modsign_keys(d)
elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
python check_deploy_keys() {
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
if d.getVar(_, True) != "1":
continue
+3 -3
View File
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
BB_HASHBASE_WHITELIST_append += "\
SYSTEM_TRUSTED_KEYS_DIR \
EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
SECONDARY_TRUSTED_KEYS_DIR \
MODSIGN_KEYS_DIR \
IMA_KEYS_DIR \
RPM_KEYS_DIR \
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
# For ${PN}-system-trusted-privkey
SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
# For ${PN}-extra-system-trusted-privkey
EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
# For ${PN}-secondary-trusted-privkey
SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
# For ${PN}-modsign-privkey
MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
# For ${PN}-system-trusted-cert
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
# For ${PN}-extra-system-trusted-cert
EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
# For ${PN}-secondary-trusted-cert
SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
# For ${PN}-modsign-cert
MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
d.setVar('PACKAGES_prepend', pn + ' ')
d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
pn = d.getVar('PN', True) + '-modsign-privkey'
d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
fi
key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
"${D}${EXTRA_SYSTEM_CERT}"
key_dir="${@uks_secondary_trusted_keys_dir(d)}"
install -m 0644 "$key_dir/secondary_trusted_key.crt" \
"${D}${SECONDARY_TRUSTED_CERT}"
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
install -m 0400 "$key_dir/extra_system_trusted_key.key" \
"${D}${EXTRA_SYSTEM_PRIV_KEY}"
install -m 0400 "$key_dir/secondary_trusted_key.key" \
"${D}${SECONDARY_TRUSTED_PRIV_KEY}"
fi
key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
PACKAGES = "\
${PN}-system-trusted-cert \
${PN}-extra-system-trusted-cert \
${PN}-secondary-trusted-cert \
${PN}-modsign-cert \
${PN}-ima-cert \
"
@@ -158,7 +158,7 @@ PACKAGES = "\
# Note any private key is not available if user key signing model used.
PACKAGES_DYNAMIC = "\
${PN}-system-trusted-privkey \
${PN}-extra-system-trusted-privkey \
${PN}-secondary-trusted-privkey \
${PN}-modsign-privkey \
${PN}-ima-privkey \
${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"
SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
pem2der() {
local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
"/CN=MODSIGN Certificate/"
}
create_extra_system_user_key() {
local key_dir="$EXTRA_SYSTEM_KEYS_DIR"
create_secondary_user_key() {
local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
"/CN=Extra System Trusted Certificate/"
}
@@ -297,8 +297,8 @@ create_user_keys() {
echo "Creating the user key for system"
create_system_user_key
echo "Creating the user key for system extra"
create_extra_system_user_key
echo "Creating the user key for system secondary trust"
create_secondary_user_key
echo "Creating the user key for modsign"
create_modsign_user_key