key-store: drop private keys packages

Having a private key package might allow one to pull it into rootfs which is really, really bad. So drop all private key packages. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
author: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> 2019-09-16 14:06:06 +0300
committer: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> 2019-09-16 14:06:06 +0300
commit: 51b2da4a417aef67618c1471f5df1854b89a740d (patch)
tree: 382178290c3219effdd750173f577eb7e42adc16
parent: 0cea6e869fe9b1597042b2febaa60c85710ba306 (diff)
download: meta-secure-core-51b2da4a417aef67618c1471f5df1854b89a740d.tar.gz
1 files changed, 0 insertions, 54 deletions
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index d83b79c..9dc7cae 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -14,18 +14,6 @@ KEY_DIR = "${sysconfdir}/keys"
 # For RPM verification
 RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
-# For ${PN}-system-trusted-privkey
-SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
-# For ${PN}-secondary-trusted-privkey
-SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
-# For ${PN}-modsign-privkey
-MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
-# For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
@@ -43,26 +31,6 @@ python () {
    if not (uks_signing_model(d) in "sample", "user"):
        return
-    pn = d.getVar('PN', True) + '-system-trusted-privkey'
-    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
-    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-modsign-privkey'
-    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-ima-privkey'
-    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
    pn = d.getVar('PN', True) + '-rpm-pubkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
    d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True))
@@ -93,36 +61,18 @@ do_install() {
    key_dir="${@uks_system_trusted_keys_dir(d)}"
    install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"
-    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
-    fi
    key_dir="${@uks_secondary_trusted_keys_dir(d)}"
    install -m 0644 "$key_dir/secondary_trusted_key.crt" \
        "${D}${SECONDARY_TRUSTED_CERT}"
    openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \
        -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"
-    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/secondary_trusted_key.key" \
-            "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
-    fi
    key_dir="${@uks_modsign_keys_dir(d)}"
    install -m 0644 "$key_dir/modsign_key.crt" \
        "${D}${MODSIGN_CERT}"
-    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/modsign_key.key" \
-            "${D}${MODSIGN_PRIV_KEY}"
-    fi
    key_dir="${@uks_ima_keys_dir(d)}"
    install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
-    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/x509_ima.key" "${D}${IMA_PRIV_KEY}"
-    fi
 }
 do_install[prefuncs] += "check_deploy_keys"
@@ -158,10 +108,6 @@ PACKAGES = "\
 # Note any private key is not available if user key signing model used.
 PACKAGES_DYNAMIC = "\
-    ${PN}-system-trusted-privkey \
-    ${PN}-secondary-trusted-privkey \
-    ${PN}-modsign-privkey \
-    ${PN}-ima-privkey \
    ${PN}-rpm-pubkey \
 "
author	Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>	2019-09-16 14:06:06 +0300
committer	Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>	2019-09-16 14:06:06 +0300
commit	51b2da4a417aef67618c1471f5df1854b89a740d (patch)
tree	382178290c3219effdd750173f577eb7e42adc16
parent	0cea6e869fe9b1597042b2febaa60c85710ba306 (diff)
download	meta-secure-core-51b2da4a417aef67618c1471f5df1854b89a740d.tar.gz

diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index d83b79c..9dc7cae 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -14,18 +14,6 @@ KEY_DIR = "${sysconfdir}/keys"
14	# For RPM verification	14	# For RPM verification
15	RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"	15	RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
16		16
17	# For ${PN}-system-trusted-privkey
18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
19
20	# For ${PN}-secondary-trusted-privkey
21	SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
22
23	# For ${PN}-modsign-privkey
24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
25
26	# For ${PN}-ima-privkey
27	IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
28
29	# For ${PN}-system-trusted-cert	17	# For ${PN}-system-trusted-cert
30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"	18	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
31		19
@@ -43,26 +31,6 @@ python () {
43	if not (uks_signing_model(d) in "sample", "user"):	31	if not (uks_signing_model(d) in "sample", "user"):
44	return	32	return
45		33
46	pn = d.getVar('PN', True) + '-system-trusted-privkey'
47	d.setVar('PACKAGES_prepend', pn + ' ')
48	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
49	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
50
51	pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
52	d.setVar('PACKAGES_prepend', pn + ' ')
53	d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
54	d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
55
56	pn = d.getVar('PN', True) + '-modsign-privkey'
57	d.setVar('PACKAGES_prepend', pn + ' ')
58	d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
59	d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
60
61	pn = d.getVar('PN', True) + '-ima-privkey'
62	d.setVar('PACKAGES_prepend', pn + ' ')
63	d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
64	d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
65
66	pn = d.getVar('PN', True) + '-rpm-pubkey'	34	pn = d.getVar('PN', True) + '-rpm-pubkey'
67	d.setVar('PACKAGES_prepend', pn + ' ')	35	d.setVar('PACKAGES_prepend', pn + ' ')
68	d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True))	36	d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True))
@@ -93,36 +61,18 @@ do_install() {
93	key_dir="${@uks_system_trusted_keys_dir(d)}"	61	key_dir="${@uks_system_trusted_keys_dir(d)}"
94	install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"	62	install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"
95		63
96	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
97	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
98	fi
99
100	key_dir="${@uks_secondary_trusted_keys_dir(d)}"	64	key_dir="${@uks_secondary_trusted_keys_dir(d)}"
101	install -m 0644 "$key_dir/secondary_trusted_key.crt" \	65	install -m 0644 "$key_dir/secondary_trusted_key.crt" \
102	"${D}${SECONDARY_TRUSTED_CERT}"	66	"${D}${SECONDARY_TRUSTED_CERT}"
103	openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \	67	openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \
104	-out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"	68	-out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"
105		69
106	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
107	install -m 0400 "$key_dir/secondary_trusted_key.key" \
108	"${D}${SECONDARY_TRUSTED_PRIV_KEY}"
109	fi
110
111	key_dir="${@uks_modsign_keys_dir(d)}"	70	key_dir="${@uks_modsign_keys_dir(d)}"
112	install -m 0644 "$key_dir/modsign_key.crt" \	71	install -m 0644 "$key_dir/modsign_key.crt" \
113	"${D}${MODSIGN_CERT}"	72	"${D}${MODSIGN_CERT}"
114		73
115	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
116	install -m 0400 "$key_dir/modsign_key.key" \
117	"${D}${MODSIGN_PRIV_KEY}"
118	fi
119
120	key_dir="${@uks_ima_keys_dir(d)}"	74	key_dir="${@uks_ima_keys_dir(d)}"
121	install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"	75	install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
122
123	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
124	install -m 0400 "$key_dir/x509_ima.key" "${D}${IMA_PRIV_KEY}"
125	fi
126	}	76	}
127		77
128	do_install[prefuncs] += "check_deploy_keys"	78	do_install[prefuncs] += "check_deploy_keys"
@@ -158,10 +108,6 @@ PACKAGES = "\
158		108
159	# Note any private key is not available if user key signing model used.	109	# Note any private key is not available if user key signing model used.
160	PACKAGES_DYNAMIC = "\	110	PACKAGES_DYNAMIC = "\
161	${PN}-system-trusted-privkey \
162	${PN}-secondary-trusted-privkey \
163	${PN}-modsign-privkey \
164	${PN}-ima-privkey \
165	${PN}-rpm-pubkey \	111	${PN}-rpm-pubkey \
166	"	112	"
167		113