mirror of
https://git.yoctoproject.org/meta-security
synced 2026-05-08 05:09:48 +00:00
ima: Document and replace keys and adapt scripts for EC keys
For shorter file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
committed by
Armin Kuster
parent
3b5fa74e77
commit
0652c9fd74
@@ -0,0 +1,17 @@
|
||||
# EVM & IMA keys
|
||||
|
||||
The following IMA & EVM debug/test keys are in this directory
|
||||
|
||||
- ima-local-ca.priv: The CA's private key (password: 1234)
|
||||
- ima-local-ca.pem: The CA's self-signed certificate
|
||||
- privkey_ima.pem: IMA & EVM private key used for signing files
|
||||
- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
|
||||
|
||||
The CA's (self-signed) certificate can be used to verify the validity of
|
||||
the x509_ima.der certificate. Since the CA certificate will be built into
|
||||
the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
|
||||
pass this test:
|
||||
|
||||
```
|
||||
openssl verify -CAfile ima-local-ca.pem x509_ima.der
|
||||
````
|
||||
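Review bot: The code fence around the `openssl verify` command at the end of the new README opens with three backticks but closes with four, so the block will not terminate cleanly in most Markdown renderers; make the closing fence three backticks. The key list also publishes the CA private key password (1234) and calls the keys "debug/test" without saying what that implies. Since the text notes that the CA certificate is built into the kernel and gates what can be loaded onto the .ima keyring, consider adding a sentence stating that these keys are public and that a production image must generate its own CA and signing key.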