mirror of https://git.yoctoproject.org/meta-security synced 2026-01-12 03:10:13 +00:00

Files

Stefan Berger 0652c9fd74 ima: Document and replace keys and adapt scripts for EC keys

For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2023-05-06 07:54:09 -04:00

ima-local-ca.pem

ima: Document and replace keys and adapt scripts for EC keys

2023-05-06 07:54:09 -04:00

ima-local-ca.priv

ima: Document and replace keys and adapt scripts for EC keys

2023-05-06 07:54:09 -04:00

privkey_ima.pem

ima: Document and replace keys and adapt scripts for EC keys

2023-05-06 07:54:09 -04:00

privkey_modsign.pem

kernel-modsign.bbclass: add support for kernel modules signing

2019-08-07 07:09:43 -07:00

README.md

ima: Document and replace keys and adapt scripts for EC keys

2023-05-06 07:54:09 -04:00

x509_ima.der

ima: Document and replace keys and adapt scripts for EC keys

2023-05-06 07:54:09 -04:00

x509_modsign.crt

kernel-modsign.bbclass: add support for kernel modules signing

2019-08-07 07:09:43 -07:00

README.md

EVM & IMA keys

The following IMA & EVM debug/test keys are in this directory

ima-local-ca.priv: The CA's private key (password: 1234)
ima-local-ca.pem: The CA's self-signed certificate
privkey_ima.pem: IMA & EVM private key used for signing files
x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures

The CA's (self-signed) certificate can be used to verify the validity of the x509_ima.der certificate. Since the CA certificate will be built into the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must pass this test:

  openssl verify -CAfile ima-local-ca.pem x509_ima.der