When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:
qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.
Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>