meta-integrity: Enable passing private key password

Allow users to pass the private key password using
IMA_EVM_EVMCTL_KEY_PASSWORD.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Stefan Berger
2024-06-19 10:15:55 -04:00
committed by Armin Kuster
parent 06bd46276f
commit 37e5a930d7
2 changed files with 6 additions and 0 deletions


@@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this:
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"


@@ -12,6 +12,9 @@ IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
# --keyid <id> or --keyid-from-cert <filename>.
IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
# Password for the private key
IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
# Public part of certificates (used for both IMA and EVM).
# The default is okay when using the example key directory.
IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -72,6 +75,8 @@ ima_evm_sign_rootfs () {
exit 1
fi
export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
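Review bot: The new `export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}` line expands the password unquoted, so a value containing whitespace or glob characters can be mangled depending on the shell running the task; it should read `export EVMCTL_KEY_PASSWORD="${IMA_EVM_EVMCTL_KEY_PASSWORD}"`. Because bitbake expands `${IMA_EVM_EVMCTL_KEY_PASSWORD}` when it writes the task's run script, the password presumably ends up in plaintext in the generated run.do_* file and in any verbose (`set -x`) task log under the work directory — worth a comment on the line, e.g. `# NOTE: the expanded value is written into the generated task run script; keep the build tree's permissions in mind`. It is also exported unconditionally, so an unset IMA_EVM_EVMCTL_KEY_PASSWORD still hands evmctl an empty EVMCTL_KEY_PASSWORD rather than leaving it unset; if evmctl treats those differently, guard the export with `[ -n "${IMA_EVM_EVMCTL_KEY_PASSWORD}" ] && export ...`. The body of `ima_evm_sign_rootfs` starts and ends outside this hunk.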