diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 03e1b2c..a0cecab 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass @@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}' IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}' -EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}' +SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}' RPM = '1' def vprint(str, d): @@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d): set_keys_dir('SYSTEM_TRUSTED', d) return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/' -def uks_extra_system_trusted_keys_dir(d): - set_keys_dir('EXTRA_SYSTEM_TRUSTED', d) - return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/' +def uks_secondary_trusted_keys_dir(d): + set_keys_dir('SECONDARY_TRUSTED', d) + return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/' def uks_modsign_keys_dir(d): set_keys_dir('MODSIGN', d) @@ -173,10 +173,10 @@ def check_system_trusted_keys(d): vprint("%s.crt is unavailable" % _, d) return False -def check_extra_system_trusted_keys(d): - dir = uks_extra_system_trusted_keys_dir(d) +def check_secondary_trusted_keys(d): + dir = uks_secondary_trusted_keys_dir(d) - _ = 'extra_system_trusted_key' + _ = 'secondary_trusted_key' if not os.path.exists(dir + _ + '.key'): vprint("%s.key is unavailable" % _, d) return False @@ -379,13 +379,13 @@ deploy_system_trusted_keys() { fi } -deploy_extra_system_trusted_keys() { - local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys" +deploy_secondary_trusted_keys() { + local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys" - if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then + if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then install -d "$deploy_dir" - cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir" + cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir" fi } @@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d): _ = check_ima_user_keys(d) elif name == 'SYSTEM_TRUSTED': _ = check_system_trusted_keys(d) - elif name == 'EXTRA_SYSTEM_TRUSTED': - _ = check_extra_system_trusted_keys(d) + elif name == 'SECONDARY_TRUSTED': + _ = check_secondary_trusted_keys(d) elif name == 'MODSIGN': _ = check_modsign_keys(d) elif name == 'RPM': @@ -440,7 +440,7 @@ def set_keys_dir(name, d): d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys') python check_deploy_keys() { - for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'): + for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'): if d.getVar(_, True) != "1": continue diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 939f71a..e067f6b 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf @@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample" SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys" SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys" SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys" -SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys" +SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys" SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys" SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" @@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt" MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}" SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}" -EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" +SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}" MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}" IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}" RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}" @@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore" BB_HASHBASE_WHITELIST_append += "\ SYSTEM_TRUSTED_KEYS_DIR \ - EXTRA_SYSTEM_TRUSTED_KEYS_DIR \ + SECONDARY_TRUSTED_KEYS_DIR \ MODSIGN_KEYS_DIR \ IMA_KEYS_DIR \ RPM_KEYS_DIR \ diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt similarity index 100% rename from meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt rename to meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key similarity index 100% rename from meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key rename to meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 8dd9637..66691cc 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" # For ${PN}-system-trusted-privkey SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" -# For ${PN}-extra-system-trusted-privkey -EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key" +# For ${PN}-secondary-trusted-privkey +SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key" # For ${PN}-modsign-privkey MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key" @@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt" # For ${PN}-system-trusted-cert SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" -# For ${PN}-extra-system-trusted-cert -EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt" +# For ${PN}-secondary-trusted-cert +SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt" # For ${PN}-modsign-cert MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" @@ -47,10 +47,10 @@ python () { d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) - pn = d.getVar('PN', True) + '-extra-system-trusted-privkey' + pn = d.getVar('PN', True) + '-secondary-trusted-privkey' d.setVar('PACKAGES_prepend', pn + ' ') - d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True)) - d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True)) + d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True)) + d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True)) pn = d.getVar('PN', True) + '-modsign-privkey' d.setVar('PACKAGES_prepend', pn + ' ') @@ -96,13 +96,13 @@ do_install() { install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" fi - key_dir="${@uks_extra_system_trusted_keys_dir(d)}" - install -m 0644 "$key_dir/extra_system_trusted_key.crt" \ - "${D}${EXTRA_SYSTEM_CERT}" + key_dir="${@uks_secondary_trusted_keys_dir(d)}" + install -m 0644 "$key_dir/secondary_trusted_key.crt" \ + "${D}${SECONDARY_TRUSTED_CERT}" if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then - install -m 0400 "$key_dir/extra_system_trusted_key.key" \ - "${D}${EXTRA_SYSTEM_PRIV_KEY}" + install -m 0400 "$key_dir/secondary_trusted_key.key" \ + "${D}${SECONDARY_TRUSTED_PRIV_KEY}" fi key_dir="${@uks_modsign_keys_dir(d)}" @@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() { PACKAGES = "\ ${PN}-system-trusted-cert \ - ${PN}-extra-system-trusted-cert \ + ${PN}-secondary-trusted-cert \ ${PN}-modsign-cert \ ${PN}-ima-cert \ " @@ -158,7 +158,7 @@ PACKAGES = "\ # Note any private key is not available if user key signing model used. PACKAGES_DYNAMIC = "\ ${PN}-system-trusted-privkey \ - ${PN}-extra-system-trusted-privkey \ + ${PN}-secondary-trusted-privkey \ ${PN}-modsign-privkey \ ${PN}-ima-privkey \ ${PN}-rpm-pubkey \ @@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\ FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" -FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}" -CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}" +FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" +CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}" diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index ddcd31a..eea52df 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh @@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys" IMA_KEYS_DIR="$KEYS_DIR/ima_keys" RPM_KEYS_DIR="$KEYS_DIR/rpm_keys" MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys" -EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys" +SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys" pem2der() { local src="$1" @@ -201,12 +201,12 @@ create_modsign_user_key() { "/CN=MODSIGN Certificate/" } -create_extra_system_user_key() { - local key_dir="$EXTRA_SYSTEM_KEYS_DIR" +create_secondary_user_key() { + local key_dir="$SECONDARY_TRUSTED_KEYS_DIR" [ ! -d "$key_dir" ] && mkdir -p "$key_dir" - ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \ + ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \ "/CN=Extra System Trusted Certificate/" } @@ -297,8 +297,8 @@ create_user_keys() { echo "Creating the user key for system" create_system_user_key - echo "Creating the user key for system extra" - create_extra_system_user_key + echo "Creating the user key for system secondary trust" + create_secondary_user_key echo "Creating the user key for modsign" create_modsign_user_key