13 Commits

Author SHA1 Message Date
Yunguo Wei 37a59625e5 key-store: rename ima private key and certificate on target
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2018-11-07 14:22:47 +08:00
Tom Rini a8419d577a meta-integrity, meta-signing-key: Populate the secondary keyring
Currently we provide a secondary trusted key that is signed by the
primary key.  We do not however DER encode this certificate.  Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Tom Rini b7b42cdec7 meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us.  In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Jia Zhang 04c1072d8f init.ima: Fix up the syntax error
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 22:46:19 -04:00
Jia Zhang f13d2e0ef8 init.ima: Fix the failure when importing the external policy from real rootfs
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 17:04:03 -04:00
Yunguo Wei 1259958f3c initrdscripts: rename expected ima certificate (#28)
evmctl is able to import DER format certificate only.

Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-11-12 09:43:48 +08:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
Lans Zhang eb08a619d8 init.ima: clean up and allow to load extra IMA policies from the real rootfs
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:15:38 +08:00
Lans Zhang 77640af54c IMA: move the default policy file to /etc/ima directory
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 09:37:59 +08:00
Lans Zhang 7c83acd861 Clean up RDEPENDS
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-05 10:52:10 +08:00
Lans Zhang b736677f3f initrdscripts-ima: clean up code style and RDEPENDS
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:20:59 +08:00
Lans Zhang dda0659b71 init.ima: code style cleanup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:20:07 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00