diff options
| author | Lans Zhang <jia.zhang@windriver.com> | 2017-07-03 15:47:53 +0800 |
|---|---|---|
| committer | Lans Zhang <jia.zhang@windriver.com> | 2017-07-03 15:47:53 +0800 |
| commit | 81553a81fb36e214479fb406e9f5214c4adeb45b (patch) | |
| tree | dd75f30b3cf50568a5fe91fa252256402abb9af1 | |
| parent | a93993cdc9bf8eb39a98f034cfb85a196ef6dff3 (diff) | |
| download | meta-secure-core-81553a81fb36e214479fb406e9f5214c4adeb45b.tar.gz | |
Rename .pem to .crt
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
| -rw-r--r-- | meta-efi-secure-boot/README.md | 26 | ||||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb | 2 | ||||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 6 | ||||
| -rw-r--r-- | meta-signing-key/README.md | 8 | ||||
| -rw-r--r-- | meta-signing-key/conf/layer.conf | 6 | ||||
| -rw-r--r-- | meta-signing-key/files/mok_sb_keys/shim_cert.crt (renamed from meta-signing-key/files/mok_sb_keys/shim_cert.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/mok_sb_keys/vendor_cert.crt (renamed from meta-signing-key/files/mok_sb_keys/vendor_cert.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/mok_sb_keys/wosign_ev_cert.crt (renamed from meta-signing-key/files/mok_sb_keys/wosign_ev_cert.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/system_trusted_keys/system_trusted_key.pem | 19 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/DB.crt (renamed from meta-signing-key/files/uefi_sb_keys/DB.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/DBX/DBX.crt (renamed from meta-signing-key/files/uefi_sb_keys/DBX/DBX.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/KEK.crt (renamed from meta-signing-key/files/uefi_sb_keys/KEK.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/PK.crt (renamed from meta-signing-key/files/uefi_sb_keys/PK.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/ms-DB.crt (renamed from meta-signing-key/files/uefi_sb_keys/ms-DB.pem) | 0 | ||||
| -rw-r--r-- | meta-signing-key/files/uefi_sb_keys/ms-KEK.crt (renamed from meta-signing-key/files/uefi_sb_keys/ms-KEK.pem) | 0 |
15 files changed, 24 insertions, 43 deletions
diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index 6f32e7c..12a0c3d 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md | |||
| @@ -77,27 +77,27 @@ public.** | |||
| 77 | The sample keys used for UEFI Secure Boot are centrally placed under | 77 | The sample keys used for UEFI Secure Boot are centrally placed under |
| 78 | meta-signing-key/files/uefi_sb_keys/. | 78 | meta-signing-key/files/uefi_sb_keys/. |
| 79 | 79 | ||
| 80 | - PK.pem | 80 | - PK.crt |
| 81 | The X509 certificate enrolled to UEFI BIOS, used to update/delete PK/KEK. | 81 | The X509 certificate enrolled to UEFI BIOS, used to update/delete PK/KEK. |
| 82 | 82 | ||
| 83 | - PK.key | 83 | - PK.key |
| 84 | The private key corresponding to PK.pem, used to sign the EFI signature | 84 | The private key corresponding to PK.crt, used to sign the EFI signature |
| 85 | list for PK/KEK enrollment. | 85 | list for PK/KEK enrollment. |
| 86 | 86 | ||
| 87 | - KEK.pem | 87 | - KEK.crt |
| 88 | The X509 certificate enrolled to UEFI BIOS, used to update/delete | 88 | The X509 certificate enrolled to UEFI BIOS, used to update/delete |
| 89 | DB/DBX. | 89 | DB/DBX. |
| 90 | 90 | ||
| 91 | - KEK.key | 91 | - KEK.key |
| 92 | The private key corresponding to KEK.pem, used to sign the EFI signature | 92 | The private key corresponding to KEK.crt, used to sign the EFI signature |
| 93 | list for DB/DBX enrollment. | 93 | list for DB/DBX enrollment. |
| 94 | 94 | ||
| 95 | - DB.pem | 95 | - DB.crt |
| 96 | The X509 certificate enrolled to UEFI BIOS, used to verify the images | 96 | The X509 certificate enrolled to UEFI BIOS, used to verify the images |
| 97 | directly loaded by UEFI BIOS. | 97 | directly loaded by UEFI BIOS. |
| 98 | 98 | ||
| 99 | - DB.key | 99 | - DB.key |
| 100 | The private key corresponding to DB.pem, used to sign the images directly | 100 | The private key corresponding to DB.crt, used to sign the images directly |
| 101 | loaded by UEFI BIOS. | 101 | loaded by UEFI BIOS. |
| 102 | 102 | ||
| 103 | - DBX | 103 | - DBX |
| @@ -108,21 +108,21 @@ meta-signing-key/files/uefi_sb_keys/. | |||
| 108 | The sample keys used for MOK Secure Boot are centrally placed under | 108 | The sample keys used for MOK Secure Boot are centrally placed under |
| 109 | `meta-signing-key/files/mok_sb_keys/`. | 109 | `meta-signing-key/files/mok_sb_keys/`. |
| 110 | 110 | ||
| 111 | - shim_cert.pem | 111 | - shim_cert.crt |
| 112 | The X509 certificate embedded in shim, used to verify the images either | 112 | The X509 certificate embedded in shim, used to verify the images either |
| 113 | directly or indirectly loaded by shim. | 113 | directly or indirectly loaded by shim. |
| 114 | 114 | ||
| 115 | - shim_cert.key | 115 | - shim_cert.key |
| 116 | The private key corresponding to shim_cert.pem, used to sign the images | 116 | The private key corresponding to shim_cert.crt, used to sign the images |
| 117 | either directly or indirectly loaded by shim. | 117 | either directly or indirectly loaded by shim. |
| 118 | 118 | ||
| 119 | - vendor_cert.pem | 119 | - vendor_cert.crt |
| 120 | Used in the same way as shim_cert.pem. In addition, vendor certificate | 120 | Used in the same way as shim_cert.crt. In addition, vendor certificate |
| 121 | is the switch to enable shim verification protocol, which facilitates | 121 | is the switch to enable shim verification protocol, which facilitates |
| 122 | the verification for the SELoader. | 122 | the verification for the SELoader. |
| 123 | 123 | ||
| 124 | - vendor_cert.key | 124 | - vendor_cert.key |
| 125 | The private key corresponding to vendor_cert.pem, Same fuction as | 125 | The private key corresponding to vendor_cert.crt, Same fuction as |
| 126 | shim_cert.key. | 126 | shim_cert.key. |
| 127 | 127 | ||
| 128 | - vendor_dbx | 128 | - vendor_dbx |
| @@ -341,10 +341,10 @@ the database of shim. | |||
| 341 | where `<cert.cer>` is the MOK certificate corresponding to the private key used | 341 | where `<cert.cer>` is the MOK certificate corresponding to the private key used |
| 342 | to sign either grub or kernel. | 342 | to sign either grub or kernel. |
| 343 | 343 | ||
| 344 | To convert a PEM, for exmaple, the shim_cert.pem, to a DER formatted X509 | 344 | To convert a PEM, for exmaple, the shim_cert.crt, to a DER formatted X509 |
| 345 | certificate, type the command: | 345 | certificate, type the command: |
| 346 | ``` | 346 | ``` |
| 347 | $ openssl x509 -in shim_cert.pem -inform PEM -out shim_cert.cer -outform DER | 347 | $ openssl x509 -in shim_cert.crt -inform PEM -out shim_cert.cer -outform DER |
| 348 | ``` | 348 | ``` |
| 349 | 349 | ||
| 350 | ##### List the enrollment requests | 350 | ##### List the enrollment requests |
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb index 8d287a5..3970757 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb | |||
| @@ -44,7 +44,7 @@ python do_prepare_signing_keys() { | |||
| 44 | import shutil | 44 | import shutil |
| 45 | 45 | ||
| 46 | for _ in ('PK', 'KEK', 'DB'): | 46 | for _ in ('PK', 'KEK', 'DB'): |
| 47 | shutil.copyfile(dir + _ + '.pem', d.expand('${S}/') + _ + '.crt') | 47 | shutil.copyfile(dir + _ + '.crt', d.expand('${S}/') + _ + '.crt') |
| 48 | shutil.copyfile(dir + _ + '.key', d.expand('${S}/') + _ + '.key') | 48 | shutil.copyfile(dir + _ + '.key', d.expand('${S}/') + _ + '.key') |
| 49 | 49 | ||
| 50 | # Make sure LockDown.efi contains the DB and KEK from Microsoft. | 50 | # Make sure LockDown.efi contains the DB and KEK from Microsoft. |
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index f5e274b..3a3cfa7 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | |||
| @@ -84,13 +84,13 @@ python do_prepare_signing_keys() { | |||
| 84 | 84 | ||
| 85 | import shutil | 85 | import shutil |
| 86 | 86 | ||
| 87 | shutil.copyfile(dir + 'shim_cert.pem', d.getVar('S', True) + '/shim.crt') | 87 | shutil.copyfile(dir + 'shim_cert.crt', d.getVar('S', True) + '/shim.pem') |
| 88 | pem2der(dir + 'vendor_cert.pem', d.getVar('WORKDIR', True) + '/vendor_cert.cer', d) | 88 | pem2der(dir + 'vendor_cert.crt', d.getVar('WORKDIR', True) + '/vendor_cert.cer', d) |
| 89 | 89 | ||
| 90 | # Replace the shim certificate with EV certificate for speeding up | 90 | # Replace the shim certificate with EV certificate for speeding up |
| 91 | # the progress of MSFT signing. | 91 | # the progress of MSFT signing. |
| 92 | if d.expand('${MSFT}') == "1" and uks_signing_model(d) == "sample": | 92 | if d.expand('${MSFT}') == "1" and uks_signing_model(d) == "sample": |
| 93 | shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.crt')) | 93 | shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.pem')) |
| 94 | } | 94 | } |
| 95 | addtask prepare_signing_keys after do_configure before do_compile | 95 | addtask prepare_signing_keys after do_configure before do_compile |
| 96 | 96 | ||
diff --git a/meta-signing-key/README.md b/meta-signing-key/README.md index 2b26599..9767156 100644 --- a/meta-signing-key/README.md +++ b/meta-signing-key/README.md | |||
| @@ -17,15 +17,15 @@ user-keys | |||
| 17 | │ └── x509_ima.key | 17 | │ └── x509_ima.key |
| 18 | ├── mok_sb_keys | 18 | ├── mok_sb_keys |
| 19 | │ ├── shim_cert.key | 19 | │ ├── shim_cert.key |
| 20 | │ ├── shim_cert.pem | 20 | │ ├── shim_cert.crt |
| 21 | │ ├── vendor_cert.key | 21 | │ ├── vendor_cert.key |
| 22 | │ └── vendor_cert.pem | 22 | │ └── vendor_cert.crt |
| 23 | └── uefi_sb_keys | 23 | └── uefi_sb_keys |
| 24 | ├── DB.key | 24 | ├── DB.key |
| 25 | ├── KEK.key | 25 | ├── KEK.key |
| 26 | ├── KEK.pem | 26 | ├── KEK.crt |
| 27 | ├── PK.key | 27 | ├── PK.key |
| 28 | └── PK.pem | 28 | └── PK.crt |
| 29 | ``` | 29 | ``` |
| 30 | If the user plans to create the user keys by self, please consider to | 30 | If the user plans to create the user keys by self, please consider to |
| 31 | define the necessary variables mentioned below in local.conf, or construct | 31 | define the necessary variables mentioned below in local.conf, or construct |
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index c461fc0..eb1622d 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf | |||
| @@ -17,11 +17,11 @@ SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" | |||
| 17 | SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" | 17 | SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" |
| 18 | 18 | ||
| 19 | # Microsoft certificates | 19 | # Microsoft certificates |
| 20 | MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.pem" | 20 | MSFT_DB_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-DB.crt" |
| 21 | MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.pem" | 21 | MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.crt" |
| 22 | 22 | ||
| 23 | # EV certificate | 23 | # EV certificate |
| 24 | EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.pem" | 24 | EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt" |
| 25 | 25 | ||
| 26 | # By default the sample keys are used | 26 | # By default the sample keys are used |
| 27 | MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" | 27 | MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" |
diff --git a/meta-signing-key/files/mok_sb_keys/shim_cert.pem b/meta-signing-key/files/mok_sb_keys/shim_cert.crt index f6c0e23..f6c0e23 100644 --- a/meta-signing-key/files/mok_sb_keys/shim_cert.pem +++ b/meta-signing-key/files/mok_sb_keys/shim_cert.crt | |||
diff --git a/meta-signing-key/files/mok_sb_keys/vendor_cert.pem b/meta-signing-key/files/mok_sb_keys/vendor_cert.crt index 0200779..0200779 100644 --- a/meta-signing-key/files/mok_sb_keys/vendor_cert.pem +++ b/meta-signing-key/files/mok_sb_keys/vendor_cert.crt | |||
diff --git a/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.pem b/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.crt index a1fd851..a1fd851 100644 --- a/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.pem +++ b/meta-signing-key/files/mok_sb_keys/wosign_ev_cert.crt | |||
diff --git a/meta-signing-key/files/system_trusted_keys/system_trusted_key.pem b/meta-signing-key/files/system_trusted_keys/system_trusted_key.pem deleted file mode 100644 index b730c97..0000000 --- a/meta-signing-key/files/system_trusted_keys/system_trusted_key.pem +++ /dev/null | |||
| @@ -1,19 +0,0 @@ | |||
| 1 | -----BEGIN CERTIFICATE----- | ||
| 2 | MIIDHTCCAgWgAwIBAgIJALu1KPLxuKZTMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV | ||
| 3 | BAMMGlN5c3RlbSBUcnVzdGVkIENlcnRpZmljYXRlMB4XDTE3MDYxMjAzNDU1OVoX | ||
| 4 | DTI3MDYxMDAzNDU1OVowJTEjMCEGA1UEAwwaU3lzdGVtIFRydXN0ZWQgQ2VydGlm | ||
| 5 | aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7aRl34d6FNFwN | ||
| 6 | /J9OuDG0vh7aOM4Acs46/4lDKzxeSGxfNCmxXWhEG6M3rDU6nfy09vqMhuLyLgMP | ||
| 7 | kMum47yFqufP4XRIb3aJYkjRYRUtzHo8CoZR80SoG778RlnvMekIE51yps/wR9/9 | ||
| 8 | AjY21PejZvXppkVXNtaiB4BP0tIu+a/5D8+jmiBus5ZtzkmFghUfTRuT+QdoQuC4 | ||
| 9 | gtqDBbz7WQTzryqESbIL9kkPLQFbOwETJwfur40hmkH+yDxlBURuod8A4Ne0jJt7 | ||
| 10 | gfFZBk3cgwlP/EOsJndlIAsnC8lgNfvji1lx9XOQGCj5X24wqRFstvkmpi/Ha7uJ | ||
| 11 | UEjn59KjAgMBAAGjUDBOMB0GA1UdDgQWBBQ+XtkvfIaRyIHPnU2eTlTgClRKZjAf | ||
| 12 | BgNVHSMEGDAWgBQ+XtkvfIaRyIHPnU2eTlTgClRKZjAMBgNVHRMEBTADAQH/MA0G | ||
| 13 | CSqGSIb3DQEBCwUAA4IBAQBtUkdB4iPnBXvJY9O68canmzryOby/RE5PLQiMvCy4 | ||
| 14 | 1zY9vH+VBZunAyijLkfP9jzuIIxBBU2QPVzAocOxoS2ie2lvfmbxRzX1d72mKdib | ||
| 15 | Oq7BJ8wyscbsSFhAb4UcTsfwYyzM2IIa5uh8nG7caiMPv93XVWdu7KWA4xM0BqIU | ||
| 16 | p1fV9+iUxdWrXDMQJPy+2qWdMTMo6hinyOx0CE7Hh9aTaH33C8/Tq6lDoSmVINog | ||
| 17 | 83+/bcbGObfkkFukhu2uynnkt7txxBQqdBkYGpvUpvF2CxZPhjwVjDx9W4Gujfqm | ||
| 18 | QpBhMoXL0b1JhwsJE9EWsaLRXmP+RTKdt0F8PYOqOT0g | ||
| 19 | -----END CERTIFICATE----- | ||
diff --git a/meta-signing-key/files/uefi_sb_keys/DB.pem b/meta-signing-key/files/uefi_sb_keys/DB.crt index 3517ddc..3517ddc 100644 --- a/meta-signing-key/files/uefi_sb_keys/DB.pem +++ b/meta-signing-key/files/uefi_sb_keys/DB.crt | |||
diff --git a/meta-signing-key/files/uefi_sb_keys/DBX/DBX.pem b/meta-signing-key/files/uefi_sb_keys/DBX/DBX.crt index b62663e..b62663e 100644 --- a/meta-signing-key/files/uefi_sb_keys/DBX/DBX.pem +++ b/meta-signing-key/files/uefi_sb_keys/DBX/DBX.crt | |||
diff --git a/meta-signing-key/files/uefi_sb_keys/KEK.pem b/meta-signing-key/files/uefi_sb_keys/KEK.crt index c27b01a..c27b01a 100644 --- a/meta-signing-key/files/uefi_sb_keys/KEK.pem +++ b/meta-signing-key/files/uefi_sb_keys/KEK.crt | |||
diff --git a/meta-signing-key/files/uefi_sb_keys/PK.pem b/meta-signing-key/files/uefi_sb_keys/PK.crt index db659a5..db659a5 100644 --- a/meta-signing-key/files/uefi_sb_keys/PK.pem +++ b/meta-signing-key/files/uefi_sb_keys/PK.crt | |||
diff --git a/meta-signing-key/files/uefi_sb_keys/ms-DB.pem b/meta-signing-key/files/uefi_sb_keys/ms-DB.crt index d7c29ef..d7c29ef 100644 --- a/meta-signing-key/files/uefi_sb_keys/ms-DB.pem +++ b/meta-signing-key/files/uefi_sb_keys/ms-DB.crt | |||
diff --git a/meta-signing-key/files/uefi_sb_keys/ms-KEK.pem b/meta-signing-key/files/uefi_sb_keys/ms-KEK.crt index 37c814a..37c814a 100644 --- a/meta-signing-key/files/uefi_sb_keys/ms-KEK.pem +++ b/meta-signing-key/files/uefi_sb_keys/ms-KEK.crt | |||