create-user-key-store.sh: Update for OSTree and ease of use

The create-user-key-store.sh was changed in a number ways to improve the usability with other layers that will consume the key services provided by meta-secure-core. New features: * A safety check was added that keys can only be written to a fresh empty directory. * The script can be run non-iteractively or interactively for the ease of use. * gpg 1.x support and gpg 2.x support work with the passphrases * A keys.conf is generated to allow a single line to be written into the local.conf with all the keys. An interactive session looks like: ================================== ./create-user-key-store.sh -d /tmp/test KEYS_DIR: /tmp/test Enter RPM/OSTree GPG keyname (use dashes instead of spaces) [default: PKG-SecureCore]: PKG-Sample-Man Enter RPM/OSTree GPG e-mail address [default: SecureCore@foo.com]: sample.man@sample.com Enter RPM/OSTREE GPG comment [default: Signing Key]: Sample Signing Key Using boot loader gpg name: BOOT-Sample-Man Using boot loader gpg email: sample.man@sample.com Using boot loader gpg comment: Sample Signing Key Press control-c now if and use -bn -bm -bc arguments if you want different values other than listed above Enter RPM/OSTREE passphrase: abc1234 Enter IMA passphrase: 1234pass Enter boot loader GPG passphrase: bootup Enter boot loader locked configuration password(e.g. grub pw): root MASTER_KEYS_DIR = "/tmp/test" IMA_KEYS_DIR = "${MASTER_KEYS_DIR}/ima_keys" IMA_EVM_KEY_DIR = "${MASTER_KEYS_DIR}/ima_keys" RPM_KEYS_DIR = "${MASTER_KEYS_DIR}/rpm_keys" BOOT_KEYS_DIR = "${MASTER_KEYS_DIR}/boot_keys" MOK_SB_KEYS_DIR = "${MASTER_KEYS_DIR}/mok_sb_keys" SYSTEM_TRUSTED_KEYS_DIR = "${MASTER_KEYS_DIR}/system_trusted_keys" UEFI_SB_KEYS_DIR = "${MASTER_KEYS_DIR}/uefi_sb_keys" GRUB_PUB_KEY = "${MASTER_KEYS_DIR}/boot_keys/boot_pub_key" GRUB_PW_FILE = "${MASTER_KEYS_DIR}/boot_keys/boot_cfg_pw" OSTREE_GPGDIR = "${MASTER_KEYS_DIR}/rpm_keys" RPM_GPG_NAME = "PKG-Sample-Man" RPM_GPG_PASSPHRASE = "abc1234" RPM_FSK_PASSWORD = "1234pass" BOOT_GPG_NAME = "BOOT-Sample-Man" BOOT_GPG_PASSPHRASE = "bootup" OSTREE_GPGID = "PKG-Sample-Man" OSTREE_GPG_PASSPHRASE = "abc1234" OSTREE_GRUB_PW_FILE = "${GRUB_PW_FILE}" [ Issue: LINUXEXEC-2450 ] Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
author: Jason Wessel <jason.wessel@windriver.com> 2019-08-13 14:50:45 -0700
committer: Jia Zhang <zhang.jia@linux.alibaba.com> 2019-11-08 13:27:23 +0800
commit: c0b514f1aca78a84891c3202e3417a8fe98c6ad5 (patch)
tree: 8fd661366b1c7e4e8b2471f355ec3024eb500984
parent: 01f67e4c7e4cb33acfa5a7a0c3d634cb6489278a (diff)
download: meta-secure-core-c0b514f1aca78a84891c3202e3417a8fe98c6ad5.tar.gz
1 files changed, 306 insertions, 71 deletions
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index eea52df..7d224fc 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -7,6 +7,20 @@ ROOT_DIR="`cd "$_D" && pwd`"
 KEYS_DIR="$ROOT_DIR/user-keys"
 GPG_KEYNAME=
 GPG_EMAIL=
+GPG_COMMENT=
+BOOT_GPG_KEYNAME=
+BOOT_GPG_EMAIL=
+BOOT_GPG_COMMENT=
+EMPTY_PW=0
+GPG_PASS=
+GPG_BIN=${GPG_BIN=gpg}
+IMA_PASS=
+gpg_key_name="PKG-SecureCore"
+gpg_email="SecureCore@foo.com"
+gpg_comment="Signing Key"
+boot_gpg_key_name="BOOT-SecureCore"
+boot_gpg_email="SecureCore@foo.com"
+boot_gpg_comment="Bootloader Signing Key"
 function show_help()
 {
@@ -14,6 +28,7 @@ function show_help()
 $1 - creation tool for user key store
 (C)Copyright 2017, Jia Zhang <lans.zhang2008@gmail.com>
+(C)Copyright 2019, Jason Wessel <jason.wessel@windriver.com> Wind River Systems, Inc.
 Usage: $1 options...
@@ -21,21 +36,37 @@ Options:
 -d <dir>
    Set the path to save the generated user keys.
    Default: `pwd`/user-keys
+ -c <gpg key comment>
+    Set the RPM/OStree gpg's key name
+    Default: $gpg_comment
 -n <gpg key name>
-    Set the gpg's key name
+    Set the RPM/OStree gpg's key name
-    Default: SecureCore
+    Default: $gpg_key_name
+ -m <gpg key owner's email address>
- -m <gpg key ower's email address>
+    Set the RPM/OStree owner's email address of the gpg key
-    Set the ower's email address of the gpg key
+    Default: $gpg_email
-    Default: SecureCore@foo.com
+ -rp <OSTree/RPM GPG passphrase>
+ -bgp <Boot Loader GPG passphrase>
- -h|--help
+ -bp <Boot loader config password>
-    Show this help information.
+ -ip <IMA passphrase>
+ -h|--help       Show this help information.
+Overides:
+ -bc <gpg key comment>
+    Force set the gpg key comment for the boot loader
+ -bn <gpg key name>
+    Force set the gpg key name for the boot loader
+ -bm <gpg key owner's email address>
+    Force set the gpg email address for the boot loader
 EOF
 }
+print_fatal() {
+    printf "\033[1;35m"
+    echo "$@"
+    printf "\033[0m"
+    exit 1
+}
 print_critical() {
    printf "\033[1;35m"
    echo "$@"
@@ -72,19 +103,42 @@ while [ $# -gt 0 ]; do
        -d)
            shift && KEYS_DIR="$1"
            ;;
+        -c)
+            shift && GPG_COMMENT="$1"
+            ;;
+        -bc)
+            shift && BOOT_GPG_COMMENT="$1"
+            ;;
        -n)
            shift && GPG_KEYNAME="$1"
            ;;
+        -bn)
+            shift && BOOT_GPG_KEYNAME="$1"
+            ;;
        -m)
            shift && GPG_EMAIL="$1"
            ;;
+        -bm)
+            shift && BOOT_GPG_EMAIL="$1"
+            ;;
+        -rp)
+            shift && GPG_PASS="$1"
+            ;;
+        -bgp)
+            shift && BOOT_GPG_PASS="$1"
+            ;;
+        -bp)
+            shift && BOOT_PASS="$1"
+            ;;
+        -ip)
+            shift && IMA_PASS="$1"
+            ;;
        -h|--help)
            show_help `basename $0`
            exit 0
            ;;
        *)
-            echo "Unsupported option $opt"
+            print_fatal "Unsupported option $opt"
-            exit 1
            ;;
    esac
    shift
@@ -97,6 +151,7 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
 SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
 RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
+BOOT_KEYS_DIR="$KEYS_DIR/boot_keys"
 MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
 SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
@@ -121,22 +176,39 @@ ca_sign() {
            -sha256 -nodes -days 3650 \
            -subj "$subject" \
            -keyout "$key_dir/$key_name.key" \
-            -out "$key_dir/$key_name.crt"
+            -out "$key_dir/$key_name.crt" \
+                || print_fatal "openssl failure"
    else
        if [ -z "$encrypted" ]; then
            openssl req -new -newkey rsa:2048 \
                -sha256 -nodes \
                -subj "$subject" \
                -keyout "$key_dir/$key_name.key" \
-                -out "$key_dir/$key_name.csr"
+                -out "$key_dir/$key_name.csr" \
+                    || print_fatal "openssl failure"
        else
            # Prompt user to type the password
-            openssl genrsa -des3 -out "$key_dir/$key_name.key" 2048
+            if [ "$IMA_PASS" = "" ] ; then
+                openssl genrsa -des3 -out "$key_dir/$key_name.key" 2048 \
+                        || print_fatal "openssl failure"
+                openssl req -new -sha256 \
+                    -subj "$subject" \
+                    -key "$key_dir/$key_name.key" \
+                    -out "$key_dir/$key_name.csr" \
+                        || print_fatal "openssl failure"
+            else
+                openssl genrsa -des3 -passout "pass:$IMA_PASS" \
+                    -out "$key_dir/$key_name.key" 2048 \
+                        || print_fatal "openssl failure"
+                openssl req -new -sha256 -passin "pass:$IMA_PASS" \
+                    -subj "$subject" \
+                    -key "$key_dir/$key_name.key" \
+                    -out "$key_dir/$key_name.csr" \
+                        || print_fatal "openssl failure"
+            fi
-            openssl req -new -sha256 \
-                -subj "$subject" \
-                -key "$key_dir/$key_name.key" \
-                -out "$key_dir/$key_name.csr"
        fi
        local ca_cert="$ca_key_dir/$ca_key_name.crt"
@@ -153,7 +225,8 @@ ca_sign() {
            -CAkey "$ca_key_dir/$ca_key_name.key" \
            -set_serial 1 -days 3650 \
            -extfile "$ROOT_DIR/openssl.cnf" -extensions v3_req \
-            -out "$key_dir/$key_name.crt"
+            -out "$key_dir/$key_name.crt" \
+                || print_fatal "openssl failure"
        rm -f "$key_dir/$key_name.csr"
    fi
@@ -222,69 +295,74 @@ create_ima_user_key() {
    rm -f "$key_dir/x509_ima.crt"
 }
-create_rpm_user_key() {
+create_boot_pw_key() {
-    local gpg_ver=`gpg --version | head -1 | awk '{ print $3 }' | awk -F. '{ print $1 }'`
+        local bootprog=`which grub-mkpasswd-pbkdf2`
-    local key_dir="$RPM_KEYS_DIR"
+        if [ "$bootprog" = "" ] ; then
+                print_fatal "ERROR could not locate \"grub-mkpasswd-pbkdf2\" please install it or set the path to the host native sysroot"
-    [ ! -d "$key_dir" ] && mkdir -m 0700 -p "$key_dir"
+        fi
+        (echo "$BOOT_PASS"; echo "$BOOT_PASS") | $bootprog > $BOOT_KEYS_DIR/boot_cfg_pw.tmp
-    local gpg_key_name="SecureCore"
+        if [ $? != 0 ] ; then
-    local gpg_email="SecureCore@foo.com"
+            print_fatal "ERROR failed to run grub-mkpasswd-mpkdf2 to generate password"
+        fi
-    if [ ! -z $GPG_KEYNAME ]; then
+        cat $BOOT_KEYS_DIR/boot_cfg_pw.tmp |grep grub.pbkdf2 |sed -e 's/.*grub.pbkdf2/grub.pbkdf2/' > $BOOT_KEYS_DIR/boot_cfg_pw
-            gpg_key_name=$GPG_KEYNAME
+        rm -f $BOOT_KEYS_DIR/boot_cfg_pw.tmp
-    fi
-    if [ ! -z $GPG_EMAIL ]; then
-            gpg_email=$GPG_EMAIL
-    fi
-    local priv_key="$key_dir/RPM-GPG-PRIVKEY-$gpg_key_name"
+}
-    local pub_key="$key_dir/RPM-GPG-KEY-$gpg_key_name"
-    if [ "$gpg_ver" == "2" ]; then
+create_gpg_user_key() {
-        gpg --homedir "$key_dir" --quick-generate-key --batch \
+    local gpg_ver=`$GPG_BIN --version | head -1 | awk '{ print $3 }' | awk -F. '{ print $1 }'`
-            "$gpg_key_name" default default never
+    local key_dir="$1"
-        gpg --homedir "$key_dir" --export --armor "$gpg_key_name" > "$pub_key"
+    [ ! -d "$key_dir" ] && mkdir -m 0700 -p "$key_dir"
-        gpg --homedir "$key_dir" --export-secret-keys --armor "$gpg_key_name" > "$priv_key"
+    local priv_key="$key_dir/$2-GPG-PRIVKEY-$3"
+    local pub_key="$key_dir/$2-GPG-KEY-$3"
+    local name_real="$3"
+    local USE_PW="Passphrase: $4"
+    local pw="$4"
+    local comment="$5"
+    local email="$6"
-        cd "$key_dir"
+    if [ "$gpg_ver" != "1" -a "$gpg_ver" != "2" ]; then
-        rm -rf openpgp-revocs.d private-keys-v1.d pubring.kbx* \
+        print_fatal "ERROR: GPG Version 1 or 2 are required for key generation and signing"
-            trustdb.gpg
+    fi
-        cd -
+    cat >"$key_dir/gen_keyring" <<EOF
-    else
-        cat >"$key_dir/gen_rpm_keyring" <<EOF
 Key-Type: RSA
-Key-Length: 2048
+Key-Length: 4096
-Name-Real: $gpg_key_name
+Name-Real: $name_real
-Name-Comment: RPM Signing Certificate
+Name-Comment: $comment
-Name-Email: $gpg_email
+Name-Email: $email
 Expire-Date: 0
-%pubring $pub_key.pub
+$USE_PW
-%secring $priv_key.sec
 %commit
-%echo RPM keyring $gpg_key_name created
+%echo keyring $name_real created
 EOF
-        gpg --batch --gen-key "$key_dir/gen_rpm_keyring"
+    pinentry=""
+    if [ "$gpg_ver" = "2" ] ; then
-        gpg="gpg --no-default-keyring --secret-keyring \
+            pinentry="--pinentry-mode=loopback"
-            $priv_key.sec --keyring $pub_key.pub"
+            echo "allow-loopback-pinentry" > $key_dir/gpg-agent.conf
+            gpg-connect-agent --homedir "$key_dir" reloadagent /bye
-        $gpg --list-secret-keys
+    fi
+    $GPG_BIN --homedir "$key_dir" --batch --yes --gen-key "$key_dir/gen_keyring"
+    if [ $? != 0 ] ; then
+            print_fatal "Error with keyring generation"
+    fi
-        print_error "Please type passwd to modify the passphrase, and type quit to exit"
+    $GPG_BIN --homedir "$key_dir" -k
-        $gpg --edit-key "$gpg_key_name"
+    $GPG_BIN --homedir "$key_dir" --export --armor "$name_real" > "$pub_key" || print_fatal "gpg export failed"
+    if [ "$2" = "BOOT" ] ; then
+            $GPG_BIN --homedir "$key_dir" --export "$name_real" > "$key_dir/boot_pub_key" || print_fatal "gpg export failed"
+    fi
-        $gpg --export --armor "$gpg_key_name" > "$pub_key"
+    $GPG_BIN --homedir "$key_dir" --export-secret-keys $pinentry --passphrase "$pw" --armor "$3" > "$priv_key" || print_fatal "gpg export failed"
-        $gpg --export-secret-keys --armor "$gpg_key_name" > "$priv_key"
-        rm -f "$key_dir/gen_rpm_keyring"
+    rm -f "$key_dir/gen_keyring"
-        rm -f "$priv_key.sec" "$pub_key.pub"
+    cd "$key_dir"
-    fi
+    rm -rf openpgp-revocs.d private-keys-v1.d pubring.kbx* \
+            trustdb.gpg* random_seed pubring.gpg* secring.gpg* gpg-agent.conf
+    cd -
 }
 create_user_keys() {
@@ -306,9 +384,166 @@ create_user_keys() {
    echo "Creating the user key for IMA appraisal"
    create_ima_user_key
-    echo "Creating the user key for RPM"
+    echo "Creating the gpg key for RPM/OSTree"
-    create_rpm_user_key
+    create_gpg_user_key "$RPM_KEYS_DIR" RPM "$gpg_key_name" "$GPG_PASS" "$gpg_comment" "$gpg_email"
+    echo "Creating the gpg key for boot loader"
+    create_gpg_user_key "$BOOT_KEYS_DIR" BOOT "$boot_gpg_key_name" "$BOOT_GPG_PASS" "$boot_gpg_comment" "$boot_gpg_email"
+    echo "Creating the password salt for boot"
+    create_boot_pw_key
 }
+if [ -d "$KEYS_DIR" ] ; then
+    print_fatal "ERROR: $KEYS_DIR already exists, please remove it, to allow for the creation of new keys."
+fi
+if [ ! -z "$GPG_KEYNAME" ]; then
+    gpg_key_name="$GPG_KEYNAME"
+else
+    echo -n "Enter RPM/OSTree GPG keyname (use dashes instead of spaces) [default: $gpg_key_name]: "
+    read val
+    if [ ! -z "$val" ] ; then
+        gpg_key_name=$val
+    fi
+fi
+if [ ! -z "$GPG_EMAIL" ]; then
+    gpg_email=$GPG_EMAIL
+else
+    echo -n "Enter RPM/OSTree GPG e-mail address [default: $gpg_email]: "
+    read val
+    if [ ! -z "$val" ] ; then
+        gpg_email=$val
+    fi
+fi
+if [ ! -z "$GPG_COMMENT" ]; then
+    gpg_comment=$GPG_COMMENT
+else
+    echo -n "Enter RPM/OSTREE GPG comment [default: $gpg_comment]: "
+    read val
+    if [ ! -z "$val" ] ; then
+        gpg_comment=$val
+    fi
+fi
+boot_gpg_key_name="BOOT-${gpg_key_name#PKG-}"
+boot_gpg_email="$gpg_email"
+boot_gpg_comment="$gpg_comment"
+if [ ! -z "$BOOT_GPG_KEYNAME" ]; then
+    boot_gpg_key_name="$BOOT_GPG_KEYNAME"
+fi
+if [ ! -z "$BOOT_GPG_EMAIL" ]; then
+    boot_gpg_email=$BOOT_GPG_EMAIL
+fi
+if [ ! -z "$BOOT_GPG_COMMENT" ]; then
+    boot_gpg_comment=$BOOT_GPG_COMMENT
+fi
+echo "  Using boot loader gpg name: $boot_gpg_key_name"
+echo "  Using boot loader gpg email: $boot_gpg_email"
+echo "  Using boot loader gpg comment: $boot_gpg_comment"
+echo "    Press control-c now if and use -bn -bm -bc arguments if you want"
+echo "    different values other than listed above"
+# Sanity checks on values so far
+if [ "$boot_gpg_key_name" = "$gpg_key_name" ] ; then
+    echo "==================================="
+    echo " RPM_GPG_NAME = \"$gpg_key_name\""
+    echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
+    print_fatal "ERROR: The gpg key names must be unique"
+fi
+if [ "$boot_gpg_key_name" != "${boot_gpg_key_name/$gpg_key_name/}" ] ; then
+    echo "==================================="
+    echo " RPM_GPG_NAME = \"$gpg_key_name\""
+    echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
+    print_fatal "ERROR: The RPM/OSTree gpg key name cannot be a subset of the boot loader gpg key name"
+fi
+if [ "$gpg_key_name" != "${gpg_key_name/$boot_gpg_key_name/}" ] ; then
+    echo "==================================="
+    echo " RPM_GPG_NAME = \"$gpg_key_name\""
+    echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
+    print_fatal "ERROR: The boot loader gpg key name cannot be a subset of the RPM/OSTREE gpg key name"
+fi
+# Passwor section next
+if [ -z $GPG_PASS ]; then
+    while [ 1 ] ; do
+        echo -n "Enter RPM/OSTREE passphrase: "
+        read val
+        if [ ! -z "$val" ] ; then
+            GPG_PASS=$val
+            break
+        fi
+    done
+fi
+if [ -z $IMA_PASS ]; then
+    while [ 1 ] ; do
+        echo -n "Enter IMA passphrase: "
+        read val
+        if [ ! -z "$val" ] ; then
+            IMA_PASS=$val
+            break
+        fi
+    done
+fi
+if [ -z $BOOT_GPG_PASS ]; then
+    while [ 1 ] ; do
+        echo -n "Enter boot loader GPG passphrase: "
+        read val
+        if [ ! -z "$val" ] ; then
+            BOOT_GPG_PASS=$val
+            break
+        fi
+    done
+fi
+if [ -z $BOOT_PASS ]; then
+    while [ 1 ] ; do
+        echo -n "Enter boot loader locked configuration password(e.g. grub pw): "
+        read val
+        if [ ! -z "$val" ] ; then
+            BOOT_PASS=$val
+            break
+        fi
+    done
+fi
 create_user_keys
+cat <<EOF>$KEYS_DIR/keys.conf
+MASTER_KEYS_DIR = "$(readlink -f $KEYS_DIR)"
+IMA_KEYS_DIR = "\${MASTER_KEYS_DIR}/ima_keys"
+IMA_EVM_KEY_DIR = "\${MASTER_KEYS_DIR}/ima_keys"
+RPM_KEYS_DIR = "\${MASTER_KEYS_DIR}/rpm_keys"
+BOOT_KEYS_DIR = "\${MASTER_KEYS_DIR}/boot_keys"
+MOK_SB_KEYS_DIR = "\${MASTER_KEYS_DIR}/mok_sb_keys"
+SYSTEM_TRUSTED_KEYS_DIR = "\${MASTER_KEYS_DIR}/system_trusted_keys"
+UEFI_SB_KEYS_DIR = "\${MASTER_KEYS_DIR}/uefi_sb_keys"
+GRUB_PUB_KEY = "\${MASTER_KEYS_DIR}/boot_keys/boot_pub_key"
+GRUB_PW_FILE = "\${MASTER_KEYS_DIR}/boot_keys/boot_cfg_pw"
+OSTREE_GPGDIR = "\${MASTER_KEYS_DIR}/rpm_keys"
+RPM_GPG_NAME = "$gpg_key_name"
+RPM_GPG_PASSPHRASE = "$GPG_PASS"
+RPM_FSK_PASSWORD = "$IMA_PASS"
+BOOT_GPG_NAME = "$boot_gpg_key_name"
+BOOT_GPG_PASSPHRASE = "$BOOT_GPG_PASS"
+OSTREE_GPGID = "$gpg_key_name"
+OSTREE_GPG_PASSPHRASE = "$GPG_PASS"
+OSTREE_GRUB_PW_FILE = "\${GRUB_PW_FILE}"
+EOF
+cat<<EOF
+## The following variables need to be entered into your local.conf
+## in order to use the new signing keys:
+$(cat $KEYS_DIR/keys.conf)
+## Please save the values above to your local.conf
+## Or copy and uncomment the following line:
+# require $(readlink -f $KEYS_DIR/keys.conf)
+EOF
author	Jason Wessel <jason.wessel@windriver.com>	2019-08-13 14:50:45 -0700
committer	Jia Zhang <zhang.jia@linux.alibaba.com>	2019-11-08 13:27:23 +0800
commit	c0b514f1aca78a84891c3202e3417a8fe98c6ad5 (patch)
tree	8fd661366b1c7e4e8b2471f355ec3024eb500984
parent	01f67e4c7e4cb33acfa5a7a0c3d634cb6489278a (diff)
download	meta-secure-core-c0b514f1aca78a84891c3202e3417a8fe98c6ad5.tar.gz

diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index eea52df..7d224fc 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -7,6 +7,20 @@ ROOT_DIR="`cd "$_D" && pwd`"
7	KEYS_DIR="$ROOT_DIR/user-keys"	7	KEYS_DIR="$ROOT_DIR/user-keys"
8	GPG_KEYNAME=	8	GPG_KEYNAME=
9	GPG_EMAIL=	9	GPG_EMAIL=
		10	GPG_COMMENT=
		11	BOOT_GPG_KEYNAME=
		12	BOOT_GPG_EMAIL=
		13	BOOT_GPG_COMMENT=
		14	EMPTY_PW=0
		15	GPG_PASS=
		16	GPG_BIN=${GPG_BIN=gpg}
		17	IMA_PASS=
		18	gpg_key_name="PKG-SecureCore"
		19	gpg_email="SecureCore@foo.com"
		20	gpg_comment="Signing Key"
		21	boot_gpg_key_name="BOOT-SecureCore"
		22	boot_gpg_email="SecureCore@foo.com"
		23	boot_gpg_comment="Bootloader Signing Key"
10		24
11	function show_help()	25	function show_help()
12	{	26	{
@@ -14,6 +28,7 @@ function show_help()
14	$1 - creation tool for user key store	28	$1 - creation tool for user key store
15		29
16	(C)Copyright 2017, Jia Zhang <lans.zhang2008@gmail.com>	30	(C)Copyright 2017, Jia Zhang <lans.zhang2008@gmail.com>
		31	(C)Copyright 2019, Jason Wessel <jason.wessel@windriver.com> Wind River Systems, Inc.
17		32
18	Usage: $1 options...	33	Usage: $1 options...
19		34
@@ -21,21 +36,37 @@ Options:
21	-d <dir>	36	-d <dir>
22	Set the path to save the generated user keys.	37	Set the path to save the generated user keys.
23	Default: `pwd`/user-keys	38	Default: `pwd`/user-keys
24		39	-c <gpg key comment>
		40	Set the RPM/OStree gpg's key name
		41	Default: $gpg_comment
25	-n <gpg key name>	42	-n <gpg key name>
26	Set the gpg's key name	43	Set the RPM/OStree gpg's key name
27	Default: SecureCore	44	Default: $gpg_key_name
28		45	-m <gpg key owner's email address>
29	-m <gpg key ower's email address>	46	Set the RPM/OStree owner's email address of the gpg key
30	Set the ower's email address of the gpg key	47	Default: $gpg_email
31	Default: SecureCore@foo.com	48	-rp <OSTree/RPM GPG passphrase>
32		49	-bgp <Boot Loader GPG passphrase>
33	-h\|--help	50	-bp <Boot loader config password>
34	Show this help information.	51	-ip <IMA passphrase>
		52	-h\|--help Show this help information.
		53	Overides:
		54	-bc <gpg key comment>
		55	Force set the gpg key comment for the boot loader
		56	-bn <gpg key name>
		57	Force set the gpg key name for the boot loader
		58	-bm <gpg key owner's email address>
		59	Force set the gpg email address for the boot loader
35		60
36	EOF	61	EOF
37	}	62	}
38		63
		64	print_fatal() {
		65	printf "\033[1;35m"
		66	echo "$@"
		67	printf "\033[0m"
		68	exit 1
		69	}
39	print_critical() {	70	print_critical() {
40	printf "\033[1;35m"	71	printf "\033[1;35m"
41	echo "$@"	72	echo "$@"
@@ -72,19 +103,42 @@ while [ $# -gt 0 ]; do
72	-d)	103	-d)
73	shift && KEYS_DIR="$1"	104	shift && KEYS_DIR="$1"
74	;;	105	;;
		106	-c)
		107	shift && GPG_COMMENT="$1"
		108	;;
		109	-bc)
		110	shift && BOOT_GPG_COMMENT="$1"
		111	;;
75	-n)	112	-n)
76	shift && GPG_KEYNAME="$1"	113	shift && GPG_KEYNAME="$1"
77	;;	114	;;
		115	-bn)
		116	shift && BOOT_GPG_KEYNAME="$1"
		117	;;
78	-m)	118	-m)
79	shift && GPG_EMAIL="$1"	119	shift && GPG_EMAIL="$1"
80	;;	120	;;
		121	-bm)
		122	shift && BOOT_GPG_EMAIL="$1"
		123	;;
		124	-rp)
		125	shift && GPG_PASS="$1"
		126	;;
		127	-bgp)
		128	shift && BOOT_GPG_PASS="$1"
		129	;;
		130	-bp)
		131	shift && BOOT_PASS="$1"
		132	;;
		133	-ip)
		134	shift && IMA_PASS="$1"
		135	;;
81	-h\|--help)	136	-h\|--help)
82	show_help `basename $0`	137	show_help `basename $0`
83	exit 0	138	exit 0
84	;;	139	;;
85	*)	140	*)
86	echo "Unsupported option $opt"	141	print_fatal "Unsupported option $opt"
87	exit 1
88	;;	142	;;
89	esac	143	esac
90	shift	144	shift
@@ -97,6 +151,7 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
97	SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"	151	SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
98	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"	152	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
99	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"	153	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
		154	BOOT_KEYS_DIR="$KEYS_DIR/boot_keys"
100	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"	155	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
101	SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"	156	SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
102		157
@@ -121,22 +176,39 @@ ca_sign() {
121	-sha256 -nodes -days 3650 \	176	-sha256 -nodes -days 3650 \
122	-subj "$subject" \	177	-subj "$subject" \
123	-keyout "$key_dir/$key_name.key" \	178	-keyout "$key_dir/$key_name.key" \
124	-out "$key_dir/$key_name.crt"	179	-out "$key_dir/$key_name.crt" \
		180	\|\| print_fatal "openssl failure"
125	else	181	else
126	if [ -z "$encrypted" ]; then	182	if [ -z "$encrypted" ]; then
127	openssl req -new -newkey rsa:2048 \	183	openssl req -new -newkey rsa:2048 \
128	-sha256 -nodes \	184	-sha256 -nodes \
129	-subj "$subject" \	185	-subj "$subject" \
130	-keyout "$key_dir/$key_name.key" \	186	-keyout "$key_dir/$key_name.key" \
131	-out "$key_dir/$key_name.csr"	187	-out "$key_dir/$key_name.csr" \
		188	\|\| print_fatal "openssl failure"
132	else	189	else
133	# Prompt user to type the password	190	# Prompt user to type the password
134	openssl genrsa -des3 -out "$key_dir/$key_name.key" 2048	191	if [ "$IMA_PASS" = "" ] ; then
		192	openssl genrsa -des3 -out "$key_dir/$key_name.key" 2048 \
		193	\|\| print_fatal "openssl failure"
		194
		195	openssl req -new -sha256 \
		196	-subj "$subject" \
		197	-key "$key_dir/$key_name.key" \
		198	-out "$key_dir/$key_name.csr" \
		199	\|\| print_fatal "openssl failure"
		200	else
		201	openssl genrsa -des3 -passout "pass:$IMA_PASS" \
		202	-out "$key_dir/$key_name.key" 2048 \
		203	\|\| print_fatal "openssl failure"
		204
		205	openssl req -new -sha256 -passin "pass:$IMA_PASS" \
		206	-subj "$subject" \
		207	-key "$key_dir/$key_name.key" \
		208	-out "$key_dir/$key_name.csr" \
		209	\|\| print_fatal "openssl failure"
		210	fi
135		211
136	openssl req -new -sha256 \
137	-subj "$subject" \
138	-key "$key_dir/$key_name.key" \
139	-out "$key_dir/$key_name.csr"
140	fi	212	fi
141		213
142	local ca_cert="$ca_key_dir/$ca_key_name.crt"	214	local ca_cert="$ca_key_dir/$ca_key_name.crt"
@@ -153,7 +225,8 @@ ca_sign() {
153	-CAkey "$ca_key_dir/$ca_key_name.key" \	225	-CAkey "$ca_key_dir/$ca_key_name.key" \
154	-set_serial 1 -days 3650 \	226	-set_serial 1 -days 3650 \
155	-extfile "$ROOT_DIR/openssl.cnf" -extensions v3_req \	227	-extfile "$ROOT_DIR/openssl.cnf" -extensions v3_req \
156	-out "$key_dir/$key_name.crt"	228	-out "$key_dir/$key_name.crt" \
		229	\|\| print_fatal "openssl failure"
157		230
158	rm -f "$key_dir/$key_name.csr"	231	rm -f "$key_dir/$key_name.csr"
159	fi	232	fi
@@ -222,69 +295,74 @@ create_ima_user_key() {
222	rm -f "$key_dir/x509_ima.crt"	295	rm -f "$key_dir/x509_ima.crt"
223	}	296	}
224		297
225	create_rpm_user_key() {	298	create_boot_pw_key() {
226	local gpg_ver=`gpg --version \| head -1 \| awk '{ print $3 }' \| awk -F. '{ print $1 }'`	299	local bootprog=`which grub-mkpasswd-pbkdf2`
227	local key_dir="$RPM_KEYS_DIR"	300	if [ "$bootprog" = "" ] ; then
228		301	print_fatal "ERROR could not locate \"grub-mkpasswd-pbkdf2\" please install it or set the path to the host native sysroot"
229	[ ! -d "$key_dir" ] && mkdir -m 0700 -p "$key_dir"	302	fi
230		303	(echo "$BOOT_PASS"; echo "$BOOT_PASS") \| $bootprog > $BOOT_KEYS_DIR/boot_cfg_pw.tmp
231	local gpg_key_name="SecureCore"	304	if [ $? != 0 ] ; then
232	local gpg_email="SecureCore@foo.com"	305	print_fatal "ERROR failed to run grub-mkpasswd-mpkdf2 to generate password"
233		306	fi
234	if [ ! -z $GPG_KEYNAME ]; then	307	cat $BOOT_KEYS_DIR/boot_cfg_pw.tmp \|grep grub.pbkdf2 \|sed -e 's/.*grub.pbkdf2/grub.pbkdf2/' > $BOOT_KEYS_DIR/boot_cfg_pw
235	gpg_key_name=$GPG_KEYNAME	308	rm -f $BOOT_KEYS_DIR/boot_cfg_pw.tmp
236	fi
237
238	if [ ! -z $GPG_EMAIL ]; then
239	gpg_email=$GPG_EMAIL
240	fi
241		309
242	local priv_key="$key_dir/RPM-GPG-PRIVKEY-$gpg_key_name"	310	}
243	local pub_key="$key_dir/RPM-GPG-KEY-$gpg_key_name"
244		311
245	if [ "$gpg_ver" == "2" ]; then	312	create_gpg_user_key() {
246	gpg --homedir "$key_dir" --quick-generate-key --batch \	313	local gpg_ver=`$GPG_BIN --version \| head -1 \| awk '{ print $3 }' \| awk -F. '{ print $1 }'`
247	"$gpg_key_name" default default never	314	local key_dir="$1"
248		315
249	gpg --homedir "$key_dir" --export --armor "$gpg_key_name" > "$pub_key"	316	[ ! -d "$key_dir" ] && mkdir -m 0700 -p "$key_dir"
250		317
251	gpg --homedir "$key_dir" --export-secret-keys --armor "$gpg_key_name" > "$priv_key"	318	local priv_key="$key_dir/$2-GPG-PRIVKEY-$3"
		319	local pub_key="$key_dir/$2-GPG-KEY-$3"
		320	local name_real="$3"
		321	local USE_PW="Passphrase: $4"
		322	local pw="$4"
		323	local comment="$5"
		324	local email="$6"
252		325
253	cd "$key_dir"	326	if [ "$gpg_ver" != "1" -a "$gpg_ver" != "2" ]; then
254	rm -rf openpgp-revocs.d private-keys-v1.d pubring.kbx* \	327	print_fatal "ERROR: GPG Version 1 or 2 are required for key generation and signing"
255	trustdb.gpg	328	fi
256	cd -	329	cat >"$key_dir/gen_keyring" <<EOF
257	else
258	cat >"$key_dir/gen_rpm_keyring" <<EOF
259	Key-Type: RSA	330	Key-Type: RSA
260	Key-Length: 2048	331	Key-Length: 4096
261	Name-Real: $gpg_key_name	332	Name-Real: $name_real
262	Name-Comment: RPM Signing Certificate	333	Name-Comment: $comment
263	Name-Email: $gpg_email	334	Name-Email: $email
264	Expire-Date: 0	335	Expire-Date: 0
265	%pubring $pub_key.pub	336	$USE_PW
266	%secring $priv_key.sec
267	%commit	337	%commit
268	%echo RPM keyring $gpg_key_name created	338	%echo keyring $name_real created
269	EOF	339	EOF
270		340
271	gpg --batch --gen-key "$key_dir/gen_rpm_keyring"	341	pinentry=""
272		342	if [ "$gpg_ver" = "2" ] ; then
273	gpg="gpg --no-default-keyring --secret-keyring \	343	pinentry="--pinentry-mode=loopback"
274	$priv_key.sec --keyring $pub_key.pub"	344	echo "allow-loopback-pinentry" > $key_dir/gpg-agent.conf
275		345	gpg-connect-agent --homedir "$key_dir" reloadagent /bye
276	$gpg --list-secret-keys	346	fi
		347	$GPG_BIN --homedir "$key_dir" --batch --yes --gen-key "$key_dir/gen_keyring"
		348	if [ $? != 0 ] ; then
		349	print_fatal "Error with keyring generation"
		350	fi
277		351
278	print_error "Please type passwd to modify the passphrase, and type quit to exit"	352	$GPG_BIN --homedir "$key_dir" -k
279		353
280	$gpg --edit-key "$gpg_key_name"	354	$GPG_BIN --homedir "$key_dir" --export --armor "$name_real" > "$pub_key" \|\| print_fatal "gpg export failed"
		355	if [ "$2" = "BOOT" ] ; then
		356	$GPG_BIN --homedir "$key_dir" --export "$name_real" > "$key_dir/boot_pub_key" \|\| print_fatal "gpg export failed"
		357	fi
281		358
282	$gpg --export --armor "$gpg_key_name" > "$pub_key"	359	$GPG_BIN --homedir "$key_dir" --export-secret-keys $pinentry --passphrase "$pw" --armor "$3" > "$priv_key" \|\| print_fatal "gpg export failed"
283	$gpg --export-secret-keys --armor "$gpg_key_name" > "$priv_key"
284		360
285	rm -f "$key_dir/gen_rpm_keyring"	361	rm -f "$key_dir/gen_keyring"
286	rm -f "$priv_key.sec" "$pub_key.pub"	362	cd "$key_dir"
287	fi	363	rm -rf openpgp-revocs.d private-keys-v1.d pubring.kbx* \
		364	trustdb.gpg* random_seed pubring.gpg* secring.gpg* gpg-agent.conf
		365	cd -
288	}	366	}
289		367
290	create_user_keys() {	368	create_user_keys() {
@@ -306,9 +384,166 @@ create_user_keys() {
306	echo "Creating the user key for IMA appraisal"	384	echo "Creating the user key for IMA appraisal"
307	create_ima_user_key	385	create_ima_user_key
308		386
309	echo "Creating the user key for RPM"	387	echo "Creating the gpg key for RPM/OSTree"
310	create_rpm_user_key	388	create_gpg_user_key "$RPM_KEYS_DIR" RPM "$gpg_key_name" "$GPG_PASS" "$gpg_comment" "$gpg_email"
		389
		390	echo "Creating the gpg key for boot loader"
		391	create_gpg_user_key "$BOOT_KEYS_DIR" BOOT "$boot_gpg_key_name" "$BOOT_GPG_PASS" "$boot_gpg_comment" "$boot_gpg_email"
		392
		393	echo "Creating the password salt for boot"
		394	create_boot_pw_key
311	}	395	}
312		396
		397	if [ -d "$KEYS_DIR" ] ; then
		398	print_fatal "ERROR: $KEYS_DIR already exists, please remove it, to allow for the creation of new keys."
		399	fi
		400
		401	if [ ! -z "$GPG_KEYNAME" ]; then
		402	gpg_key_name="$GPG_KEYNAME"
		403	else
		404	echo -n "Enter RPM/OSTree GPG keyname (use dashes instead of spaces) [default: $gpg_key_name]: "
		405	read val
		406	if [ ! -z "$val" ] ; then
		407	gpg_key_name=$val
		408	fi
		409	fi
		410
		411	if [ ! -z "$GPG_EMAIL" ]; then
		412	gpg_email=$GPG_EMAIL
		413	else
		414	echo -n "Enter RPM/OSTree GPG e-mail address [default: $gpg_email]: "
		415	read val
		416	if [ ! -z "$val" ] ; then
		417	gpg_email=$val
		418	fi
		419	fi
		420
		421	if [ ! -z "$GPG_COMMENT" ]; then
		422	gpg_comment=$GPG_COMMENT
		423	else
		424	echo -n "Enter RPM/OSTREE GPG comment [default: $gpg_comment]: "
		425	read val
		426	if [ ! -z "$val" ] ; then
		427	gpg_comment=$val
		428	fi
		429	fi
		430
		431	boot_gpg_key_name="BOOT-${gpg_key_name#PKG-}"
		432	boot_gpg_email="$gpg_email"
		433	boot_gpg_comment="$gpg_comment"
		434	if [ ! -z "$BOOT_GPG_KEYNAME" ]; then
		435	boot_gpg_key_name="$BOOT_GPG_KEYNAME"
		436	fi
		437	if [ ! -z "$BOOT_GPG_EMAIL" ]; then
		438	boot_gpg_email=$BOOT_GPG_EMAIL
		439	fi
		440	if [ ! -z "$BOOT_GPG_COMMENT" ]; then
		441	boot_gpg_comment=$BOOT_GPG_COMMENT
		442	fi
		443
		444	echo " Using boot loader gpg name: $boot_gpg_key_name"
		445	echo " Using boot loader gpg email: $boot_gpg_email"
		446	echo " Using boot loader gpg comment: $boot_gpg_comment"
		447	echo " Press control-c now if and use -bn -bm -bc arguments if you want"
		448	echo " different values other than listed above"
		449
		450	# Sanity checks on values so far
		451
		452	if [ "$boot_gpg_key_name" = "$gpg_key_name" ] ; then
		453	echo "==================================="
		454	echo " RPM_GPG_NAME = \"$gpg_key_name\""
		455	echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
		456	print_fatal "ERROR: The gpg key names must be unique"
		457	fi
		458	if [ "$boot_gpg_key_name" != "${boot_gpg_key_name/$gpg_key_name/}" ] ; then
		459	echo "==================================="
		460	echo " RPM_GPG_NAME = \"$gpg_key_name\""
		461	echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
		462	print_fatal "ERROR: The RPM/OSTree gpg key name cannot be a subset of the boot loader gpg key name"
		463	fi
		464	if [ "$gpg_key_name" != "${gpg_key_name/$boot_gpg_key_name/}" ] ; then
		465	echo "==================================="
		466	echo " RPM_GPG_NAME = \"$gpg_key_name\""
		467	echo " BOOT_GPG_NAME = \"$boot_gpg_key_name\""
		468	print_fatal "ERROR: The boot loader gpg key name cannot be a subset of the RPM/OSTREE gpg key name"
		469	fi
		470
		471	# Passwor section next
		472	if [ -z $GPG_PASS ]; then
		473	while [ 1 ] ; do
		474	echo -n "Enter RPM/OSTREE passphrase: "
		475	read val
		476	if [ ! -z "$val" ] ; then
		477	GPG_PASS=$val
		478	break
		479	fi
		480	done
		481	fi
		482	if [ -z $IMA_PASS ]; then
		483	while [ 1 ] ; do
		484	echo -n "Enter IMA passphrase: "
		485	read val
		486	if [ ! -z "$val" ] ; then
		487	IMA_PASS=$val
		488	break
		489	fi
		490	done
		491	fi
		492	if [ -z $BOOT_GPG_PASS ]; then
		493	while [ 1 ] ; do
		494	echo -n "Enter boot loader GPG passphrase: "
		495	read val
		496	if [ ! -z "$val" ] ; then
		497	BOOT_GPG_PASS=$val
		498	break
		499	fi
		500	done
		501	fi
		502	if [ -z $BOOT_PASS ]; then
		503	while [ 1 ] ; do
		504	echo -n "Enter boot loader locked configuration password(e.g. grub pw): "
		505	read val
		506	if [ ! -z "$val" ] ; then
		507	BOOT_PASS=$val
		508	break
		509	fi
		510	done
		511	fi
		512
313	create_user_keys	513	create_user_keys
314		514
		515	cat <<EOF>$KEYS_DIR/keys.conf
		516	MASTER_KEYS_DIR = "$(readlink -f $KEYS_DIR)"
		517
		518	IMA_KEYS_DIR = "\${MASTER_KEYS_DIR}/ima_keys"
		519	IMA_EVM_KEY_DIR = "\${MASTER_KEYS_DIR}/ima_keys"
		520	RPM_KEYS_DIR = "\${MASTER_KEYS_DIR}/rpm_keys"
		521	BOOT_KEYS_DIR = "\${MASTER_KEYS_DIR}/boot_keys"
		522	MOK_SB_KEYS_DIR = "\${MASTER_KEYS_DIR}/mok_sb_keys"
		523	SYSTEM_TRUSTED_KEYS_DIR = "\${MASTER_KEYS_DIR}/system_trusted_keys"
		524	UEFI_SB_KEYS_DIR = "\${MASTER_KEYS_DIR}/uefi_sb_keys"
		525	GRUB_PUB_KEY = "\${MASTER_KEYS_DIR}/boot_keys/boot_pub_key"
		526	GRUB_PW_FILE = "\${MASTER_KEYS_DIR}/boot_keys/boot_cfg_pw"
		527	OSTREE_GPGDIR = "\${MASTER_KEYS_DIR}/rpm_keys"
		528
		529	RPM_GPG_NAME = "$gpg_key_name"
		530	RPM_GPG_PASSPHRASE = "$GPG_PASS"
		531	RPM_FSK_PASSWORD = "$IMA_PASS"
		532	BOOT_GPG_NAME = "$boot_gpg_key_name"
		533	BOOT_GPG_PASSPHRASE = "$BOOT_GPG_PASS"
		534	OSTREE_GPGID = "$gpg_key_name"
		535	OSTREE_GPG_PASSPHRASE = "$GPG_PASS"
		536	OSTREE_GRUB_PW_FILE = "\${GRUB_PW_FILE}"
		537	EOF
		538
		539	cat<<EOF
		540	## The following variables need to be entered into your local.conf
		541	## in order to use the new signing keys:
		542
		543	$(cat $KEYS_DIR/keys.conf)
		544
		545	## Please save the values above to your local.conf
		546	## Or copy and uncomment the following line:
		547	# require $(readlink -f $KEYS_DIR/keys.conf)
		548	EOF
		549