meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE

data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to the more generic INTEGRITY_BASE.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Dmitry Eremin-Solenikov
2019-07-28 18:31:48 +03:00
committed by Armin Kuster
parent 0a73a14fbb
commit c9c4e6c228
4 changed files with 11 additions and 11 deletions

@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
INHERIT += "ima-evm-rootfs"
IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
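Review bot: the local.conf example in this hunk now depends on ${INTEGRITY_BASE}, so an existing local.conf that still sets IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" will no longer resolve unless the old name stays defined. Consider keeping IMA_EVM_BASE as a deprecated alias of INTEGRITY_BASE for one release, or state the rename in this README section. Since the commit message says data/debug-keys will also hold demo modsign keys, the trailing sentence about everyone having access to these private keys should be extended to cover those keys when they land.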
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
# In that shell, create the keys. Several options exist:
# 1. Self-signed keys.
$IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
# 2. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
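Review bot: $INTEGRITY_BASE in the ima-gen-self-signed.sh line is expanded by the shell, not by bitbake, so the renamed variable has to be exported into "that shell" for the command to work as documented. Please confirm that the part of the change that defines INTEGRITY_BASE also exports it, otherwise the path expands to /scripts/ima-gen-self-signed.sh and the documented step fails.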
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
# only creating new certificates does. Most likely the default
# attributes for these certificates need to be adapted; modify
# the scripts as needed.
# $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
# 3. Keys signed by an existing CA.
# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
When using ``ima-self-signed.sh`` as described above, self-signed keys
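Review bot: the trailing context line of this hunk refers to ``ima-self-signed.sh``, but the script invoked in option 1 is ima-gen-self-signed.sh. Since this block is being touched anyway, fix the script name in that sentence so the prose and the commands agree.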
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
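Review bot: the section context for this hunk says "systemd 2.18", which does not match systemd's integer release numbering; correct the version in that sentence while updating the example. The example line itself keeps the IMA_EVM_ prefix on IMA_EVM_POLICY_SYSTEMD while only the base path variable is renamed, which is consistent with the other hunks, but a short note in the README that INTEGRITY_BASE replaces IMA_EVM_BASE would help readers who compare older configurations.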