mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-signing-key: Rename "extra trusted" to "secondary"
The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system". Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com> Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
|
||||
MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
|
||||
IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
|
||||
SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
|
||||
EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
|
||||
SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
|
||||
RPM = '1'
|
||||
|
||||
def vprint(str, d):
|
||||
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
|
||||
set_keys_dir('SYSTEM_TRUSTED', d)
|
||||
return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
|
||||
|
||||
def uks_extra_system_trusted_keys_dir(d):
|
||||
set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
|
||||
return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
|
||||
def uks_secondary_trusted_keys_dir(d):
|
||||
set_keys_dir('SECONDARY_TRUSTED', d)
|
||||
return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
|
||||
|
||||
def uks_modsign_keys_dir(d):
|
||||
set_keys_dir('MODSIGN', d)
|
||||
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
|
||||
vprint("%s.crt is unavailable" % _, d)
|
||||
return False
|
||||
|
||||
def check_extra_system_trusted_keys(d):
|
||||
dir = uks_extra_system_trusted_keys_dir(d)
|
||||
def check_secondary_trusted_keys(d):
|
||||
dir = uks_secondary_trusted_keys_dir(d)
|
||||
|
||||
_ = 'extra_system_trusted_key'
|
||||
_ = 'secondary_trusted_key'
|
||||
if not os.path.exists(dir + _ + '.key'):
|
||||
vprint("%s.key is unavailable" % _, d)
|
||||
return False
|
||||
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
|
||||
fi
|
||||
}
|
||||
|
||||
deploy_extra_system_trusted_keys() {
|
||||
local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
|
||||
deploy_secondary_trusted_keys() {
|
||||
local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
|
||||
|
||||
if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
|
||||
if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
|
||||
install -d "$deploy_dir"
|
||||
|
||||
cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
|
||||
cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
|
||||
_ = check_ima_user_keys(d)
|
||||
elif name == 'SYSTEM_TRUSTED':
|
||||
_ = check_system_trusted_keys(d)
|
||||
elif name == 'EXTRA_SYSTEM_TRUSTED':
|
||||
_ = check_extra_system_trusted_keys(d)
|
||||
elif name == 'SECONDARY_TRUSTED':
|
||||
_ = check_secondary_trusted_keys(d)
|
||||
elif name == 'MODSIGN':
|
||||
_ = check_modsign_keys(d)
|
||||
elif name == 'RPM':
|
||||
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
|
||||
d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
|
||||
|
||||
python check_deploy_keys() {
|
||||
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
|
||||
for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
|
||||
if d.getVar(_, True) != "1":
|
||||
continue
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
|
||||
SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
|
||||
SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
|
||||
SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
|
||||
SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
|
||||
SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
|
||||
SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
|
||||
SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
|
||||
SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
|
||||
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
|
||||
MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
|
||||
UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
|
||||
SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
|
||||
EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
|
||||
SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
|
||||
MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
|
||||
IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
|
||||
RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
|
||||
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
|
||||
|
||||
BB_HASHBASE_WHITELIST_append += "\
|
||||
SYSTEM_TRUSTED_KEYS_DIR \
|
||||
EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
|
||||
SECONDARY_TRUSTED_KEYS_DIR \
|
||||
MODSIGN_KEYS_DIR \
|
||||
IMA_KEYS_DIR \
|
||||
RPM_KEYS_DIR \
|
||||
|
||||
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
|
||||
# For ${PN}-system-trusted-privkey
|
||||
SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
|
||||
|
||||
# For ${PN}-extra-system-trusted-privkey
|
||||
EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
|
||||
# For ${PN}-secondary-trusted-privkey
|
||||
SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
|
||||
|
||||
# For ${PN}-modsign-privkey
|
||||
MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
|
||||
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
|
||||
# For ${PN}-system-trusted-cert
|
||||
SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
|
||||
|
||||
# For ${PN}-extra-system-trusted-cert
|
||||
EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
|
||||
# For ${PN}-secondary-trusted-cert
|
||||
SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
|
||||
|
||||
# For ${PN}-modsign-cert
|
||||
MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
|
||||
@@ -47,10 +47,10 @@ python () {
|
||||
d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
||||
d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
|
||||
|
||||
pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
|
||||
pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
|
||||
d.setVar('PACKAGES_prepend', pn + ' ')
|
||||
d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
|
||||
d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
|
||||
d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
|
||||
d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
|
||||
|
||||
pn = d.getVar('PN', True) + '-modsign-privkey'
|
||||
d.setVar('PACKAGES_prepend', pn + ' ')
|
||||
@@ -96,13 +96,13 @@ do_install() {
|
||||
install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
|
||||
fi
|
||||
|
||||
key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
|
||||
install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
|
||||
"${D}${EXTRA_SYSTEM_CERT}"
|
||||
key_dir="${@uks_secondary_trusted_keys_dir(d)}"
|
||||
install -m 0644 "$key_dir/secondary_trusted_key.crt" \
|
||||
"${D}${SECONDARY_TRUSTED_CERT}"
|
||||
|
||||
if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
|
||||
install -m 0400 "$key_dir/extra_system_trusted_key.key" \
|
||||
"${D}${EXTRA_SYSTEM_PRIV_KEY}"
|
||||
install -m 0400 "$key_dir/secondary_trusted_key.key" \
|
||||
"${D}${SECONDARY_TRUSTED_PRIV_KEY}"
|
||||
fi
|
||||
|
||||
key_dir="${@uks_modsign_keys_dir(d)}"
|
||||
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
|
||||
|
||||
PACKAGES = "\
|
||||
${PN}-system-trusted-cert \
|
||||
${PN}-extra-system-trusted-cert \
|
||||
${PN}-secondary-trusted-cert \
|
||||
${PN}-modsign-cert \
|
||||
${PN}-ima-cert \
|
||||
"
|
||||
@@ -158,7 +158,7 @@ PACKAGES = "\
|
||||
# Note any private key is not available if user key signing model used.
|
||||
PACKAGES_DYNAMIC = "\
|
||||
${PN}-system-trusted-privkey \
|
||||
${PN}-extra-system-trusted-privkey \
|
||||
${PN}-secondary-trusted-privkey \
|
||||
${PN}-modsign-privkey \
|
||||
${PN}-ima-privkey \
|
||||
${PN}-rpm-pubkey \
|
||||
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
|
||||
FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||
CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
|
||||
|
||||
FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
|
||||
CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
|
||||
FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
|
||||
CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
|
||||
|
||||
FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
|
||||
CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
|
||||
|
||||
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
|
||||
IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
|
||||
RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
|
||||
MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
|
||||
EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"
|
||||
SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
|
||||
|
||||
pem2der() {
|
||||
local src="$1"
|
||||
@@ -201,12 +201,12 @@ create_modsign_user_key() {
|
||||
"/CN=MODSIGN Certificate/"
|
||||
}
|
||||
|
||||
create_extra_system_user_key() {
|
||||
local key_dir="$EXTRA_SYSTEM_KEYS_DIR"
|
||||
create_secondary_user_key() {
|
||||
local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
|
||||
|
||||
[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
|
||||
|
||||
ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
|
||||
ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
|
||||
"/CN=Extra System Trusted Certificate/"
|
||||
}
|
||||
|
||||
@@ -297,8 +297,8 @@ create_user_keys() {
|
||||
echo "Creating the user key for system"
|
||||
create_system_user_key
|
||||
|
||||
echo "Creating the user key for system extra"
|
||||
create_extra_system_user_key
|
||||
echo "Creating the user key for system secondary trust"
|
||||
create_secondary_user_key
|
||||
|
||||
echo "Creating the user key for modsign"
|
||||
create_modsign_user_key
|
||||
|
||||
Reference in New Issue
Block a user