meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl

Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl
when signing files. For example, --keyid <id> makes evmctl use
a specific key id when signing.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Stefan Berger
2024-06-19 10:15:54 -04:00
committed by Armin Kuster
parent d2d125de92
commit 06bd46276f
2 changed files with 9 additions and 2 deletions


@@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this:
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"


@@ -8,6 +8,10 @@ IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
# using the example key directory.
IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
# Additional option when signing. Allows to for example provide
# --keyid <id> or --keyid-from-cert <filename>.
IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
# Public part of certificates (used for both IMA and EVM).
# The default is okay when using the example key directory.
IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -69,7 +73,8 @@ ima_evm_sign_rootfs () {
fi
bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
# check signing key and signature verification key
evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
@@ -82,7 +87,8 @@ ima_evm_sign_rootfs () {
install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} "${IMAGE_ROOTFS}/etc/ima/ima-policy"
fi
# Optionally write the file names and ima and evm signatures into files
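Review bot: `${IMA_EVM_PRIVKEY_KEYID_OPT}` is deliberately left unquoted on the two new evmctl lines so that a value such as `--keyid <id>` splits into separate arguments, but nothing in the bbclass says so; a reader or ShellCheck will take it for a quoting bug, and a value containing whitespace (a `--keyid-from-cert` path with a space) silently breaks the command. I would add a comment above the new default in the first hunk, `# Expanded unquoted into the evmctl command line so that "--keyid <id>" splits into two arguments; values must not contain whitespace or shell metacharacters.` The rootfs hunk still runs `evmctl ima_verify` against IMA_EVM_X509, which would catch a key id that does not match that certificate, but within the lines shown the policy-signing hunk has no equivalent check of the freshly signed ima-policy, so a mismatched id would only surface when the kernel loads the policy; consider adding `evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" || exit 1` after the second new sign line. The commit title names the variable IMA_EVM_PRIVKEY_KEY_OPT while the code and README use IMA_EVM_PRIVKEY_KEYID_OPT, which will mislead anyone searching by the title. ima_evm_sign_rootfs begins and ends outside the hunks shown.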