6 files changed, 39 insertions, 39 deletions
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 03e1b2c..a0cecab 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
 MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
 SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
-EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
+SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
    set_keys_dir('SYSTEM_TRUSTED', d)
    return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
-def uks_extra_system_trusted_keys_dir(d):
+def uks_secondary_trusted_keys_dir(d):
-    set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
+    set_keys_dir('SECONDARY_TRUSTED', d)
-    return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+    return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
 def uks_modsign_keys_dir(d):
    set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
        vprint("%s.crt is unavailable" % _, d)
        return False
-def check_extra_system_trusted_keys(d):
+def check_secondary_trusted_keys(d):
-    dir = uks_extra_system_trusted_keys_dir(d)
+    dir = uks_secondary_trusted_keys_dir(d)
-    _ = 'extra_system_trusted_key'
+    _ = 'secondary_trusted_key'
    if not os.path.exists(dir + _ + '.key'):
        vprint("%s.key is unavailable" % _, d)
        return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
    fi
 }
-deploy_extra_system_trusted_keys() {
+deploy_secondary_trusted_keys() {
-    local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+    local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
-    if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+    if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
        install -d "$deploy_dir"
-        cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+        cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
    fi
 }
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
        _ = check_ima_user_keys(d)
    elif name == 'SYSTEM_TRUSTED':
        _ = check_system_trusted_keys(d)
-    elif name == 'EXTRA_SYSTEM_TRUSTED':
+    elif name == 'SECONDARY_TRUSTED':
-        _ = check_extra_system_trusted_keys(d)
+        _ = check_secondary_trusted_keys(d)
    elif name == 'MODSIGN':
        _ = check_modsign_keys(d)
    elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
        d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 python check_deploy_keys() {
-    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
+    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
        if d.getVar(_, True) != "1":
            continue
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 939f71a..e067f6b 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
-SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
 SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
-EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
 MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 BB_HASHBASE_WHITELIST_append += "\
    SYSTEM_TRUSTED_KEYS_DIR \
-    EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+    SECONDARY_TRUSTED_KEYS_DIR \
    MODSIGN_KEYS_DIR \
    IMA_KEYS_DIR \
    RPM_KEYS_DIR \
diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt
index b7c3493..b7c3493 100644
--- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt
+++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt
diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key
index 0bf56cf..0bf56cf 100644
--- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key
+++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 8dd9637..66691cc 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
-# For ${PN}-extra-system-trusted-privkey
+# For ${PN}-secondary-trusted-privkey
-EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 # For ${PN}-modsign-privkey
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
-# For ${PN}-extra-system-trusted-cert
+# For ${PN}-secondary-trusted-cert
-EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
 # For ${PN}-modsign-cert
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
    d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
    d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+    pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
-    d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
-    d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
    pn = d.getVar('PN', True) + '-modsign-privkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
    fi
-    key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
+    key_dir="${@uks_secondary_trusted_keys_dir(d)}"
-    install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
+    install -m 0644 "$key_dir/secondary_trusted_key.crt" \
-        "${D}${EXTRA_SYSTEM_CERT}"
+        "${D}${SECONDARY_TRUSTED_CERT}"
    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
-        install -m 0400 "$key_dir/extra_system_trusted_key.key" \
+        install -m 0400 "$key_dir/secondary_trusted_key.key" \
-            "${D}${EXTRA_SYSTEM_PRIV_KEY}"
+            "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
    fi
    key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
 PACKAGES = "\
    ${PN}-system-trusted-cert \
-    ${PN}-extra-system-trusted-cert \
+    ${PN}-secondary-trusted-cert \
    ${PN}-modsign-cert \
    ${PN}-ima-cert \
 "
@@ -158,7 +158,7 @@ PACKAGES = "\
 # Note any private key is not available if user key signing model used.
 PACKAGES_DYNAMIC = "\
    ${PN}-system-trusted-privkey \
-    ${PN}-extra-system-trusted-privkey \
+    ${PN}-secondary-trusted-privkey \
    ${PN}-modsign-privkey \
    ${PN}-ima-privkey \
    ${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
-FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
-CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
 FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
 CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index ddcd31a..eea52df 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
 RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
 MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
-EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"
+SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
 pem2der() {
    local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
        "/CN=MODSIGN Certificate/"
 }
-create_extra_system_user_key() {
+create_secondary_user_key() {
-    local key_dir="$EXTRA_SYSTEM_KEYS_DIR"
+    local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
-    ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
+    ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
        "/CN=Extra System Trusted Certificate/"
 }
@@ -297,8 +297,8 @@ create_user_keys() {
    echo "Creating the user key for system"
    create_system_user_key
-    echo "Creating the user key for system extra"
+    echo "Creating the user key for system secondary trust"
-    create_extra_system_user_key
+    create_secondary_user_key
    echo "Creating the user key for modsign"
    create_modsign_user_key

diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 03e1b2c..a0cecab 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
12	MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'	12	MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
13	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'	13	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
14	SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'	14	SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
15	EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'	15	SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
16	RPM = '1'	16	RPM = '1'
17		17
18	def vprint(str, d):	18	def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
26	set_keys_dir('SYSTEM_TRUSTED', d)	26	set_keys_dir('SYSTEM_TRUSTED', d)
27	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'	27	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
28		28
29	def uks_extra_system_trusted_keys_dir(d):	29	def uks_secondary_trusted_keys_dir(d):
30	set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)	30	set_keys_dir('SECONDARY_TRUSTED', d)
31	return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'	31	return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
32		32
33	def uks_modsign_keys_dir(d):	33	def uks_modsign_keys_dir(d):
34	set_keys_dir('MODSIGN', d)	34	set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
173	vprint("%s.crt is unavailable" % _, d)	173	vprint("%s.crt is unavailable" % _, d)
174	return False	174	return False
175		175
176	def check_extra_system_trusted_keys(d):	176	def check_secondary_trusted_keys(d):
177	dir = uks_extra_system_trusted_keys_dir(d)	177	dir = uks_secondary_trusted_keys_dir(d)
178		178
179	_ = 'extra_system_trusted_key'	179	_ = 'secondary_trusted_key'
180	if not os.path.exists(dir + _ + '.key'):	180	if not os.path.exists(dir + _ + '.key'):
181	vprint("%s.key is unavailable" % _, d)	181	vprint("%s.key is unavailable" % _, d)
182	return False	182	return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
379	fi	379	fi
380	}	380	}
381		381
382	deploy_extra_system_trusted_keys() {	382	deploy_secondary_trusted_keys() {
383	local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"	383	local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
384		384
385	if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then	385	if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
386	install -d "$deploy_dir"	386	install -d "$deploy_dir"
387		387
388	cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"	388	cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
389	fi	389	fi
390	}	390	}
391		391
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
413	_ = check_ima_user_keys(d)	413	_ = check_ima_user_keys(d)
414	elif name == 'SYSTEM_TRUSTED':	414	elif name == 'SYSTEM_TRUSTED':
415	_ = check_system_trusted_keys(d)	415	_ = check_system_trusted_keys(d)
416	elif name == 'EXTRA_SYSTEM_TRUSTED':	416	elif name == 'SECONDARY_TRUSTED':
417	_ = check_extra_system_trusted_keys(d)	417	_ = check_secondary_trusted_keys(d)
418	elif name == 'MODSIGN':	418	elif name == 'MODSIGN':
419	_ = check_modsign_keys(d)	419	_ = check_modsign_keys(d)
420	elif name == 'RPM':	420	elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
440	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')	440	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
441		441
442	python check_deploy_keys() {	442	python check_deploy_keys() {
443	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):	443	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
444	if d.getVar(_, True) != "1":	444	if d.getVar(_, True) != "1":
445	continue	445	continue
446		446


diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 939f71a..e067f6b 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"	17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"	18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"	19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
20	SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"	20	SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
21	SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"	21	SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
22	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"	22	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
23	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"	23	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
33	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"	33	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
34	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"	34	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
35	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"	35	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
36	EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"	36	SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
37	MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"	37	MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
38	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"	38	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
39	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"	39	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
50		50
51	BB_HASHBASE_WHITELIST_append += "\	51	BB_HASHBASE_WHITELIST_append += "\
52	SYSTEM_TRUSTED_KEYS_DIR \	52	SYSTEM_TRUSTED_KEYS_DIR \
53	EXTRA_SYSTEM_TRUSTED_KEYS_DIR \	53	SECONDARY_TRUSTED_KEYS_DIR \
54	MODSIGN_KEYS_DIR \	54	MODSIGN_KEYS_DIR \
55	IMA_KEYS_DIR \	55	IMA_KEYS_DIR \
56	RPM_KEYS_DIR \	56	RPM_KEYS_DIR \


diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt index b7c3493..b7c3493 100644 --- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt +++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt


diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key index 0bf56cf..0bf56cf 100644 --- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key +++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key


diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 8dd9637..66691cc 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
17	# For ${PN}-system-trusted-privkey	17	# For ${PN}-system-trusted-privkey
18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"	18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
19		19
20	# For ${PN}-extra-system-trusted-privkey	20	# For ${PN}-secondary-trusted-privkey
21	EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"	21	SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
22		22
23	# For ${PN}-modsign-privkey	23	# For ${PN}-modsign-privkey
24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"	24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
29	# For ${PN}-system-trusted-cert	29	# For ${PN}-system-trusted-cert
30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"	30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
31		31
32	# For ${PN}-extra-system-trusted-cert	32	# For ${PN}-secondary-trusted-cert
33	EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"	33	SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
34		34
35	# For ${PN}-modsign-cert	35	# For ${PN}-modsign-cert
36	MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"	36	MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
47	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	47	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
48	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	48	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
49		49
50	pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'	50	pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
51	d.setVar('PACKAGES_prepend', pn + ' ')	51	d.setVar('PACKAGES_prepend', pn + ' ')
52	d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))	52	d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
53	d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))	53	d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
54		54
55	pn = d.getVar('PN', True) + '-modsign-privkey'	55	pn = d.getVar('PN', True) + '-modsign-privkey'
56	d.setVar('PACKAGES_prepend', pn + ' ')	56	d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
96	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"	96	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
97	fi	97	fi
98		98
99	key_dir="${@uks_extra_system_trusted_keys_dir(d)}"	99	key_dir="${@uks_secondary_trusted_keys_dir(d)}"
100	install -m 0644 "$key_dir/extra_system_trusted_key.crt" \	100	install -m 0644 "$key_dir/secondary_trusted_key.crt" \
101	"${D}${EXTRA_SYSTEM_CERT}"	101	"${D}${SECONDARY_TRUSTED_CERT}"
102		102
103	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then	103	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
104	install -m 0400 "$key_dir/extra_system_trusted_key.key" \	104	install -m 0400 "$key_dir/secondary_trusted_key.key" \
105	"${D}${EXTRA_SYSTEM_PRIV_KEY}"	105	"${D}${SECONDARY_TRUSTED_PRIV_KEY}"
106	fi	106	fi
107		107
108	key_dir="${@uks_modsign_keys_dir(d)}"	108	key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
150		150
151	PACKAGES = "\	151	PACKAGES = "\
152	${PN}-system-trusted-cert \	152	${PN}-system-trusted-cert \
153	${PN}-extra-system-trusted-cert \	153	${PN}-secondary-trusted-cert \
154	${PN}-modsign-cert \	154	${PN}-modsign-cert \
155	${PN}-ima-cert \	155	${PN}-ima-cert \
156	"	156	"
@@ -158,7 +158,7 @@ PACKAGES = "\
158	# Note any private key is not available if user key signing model used.	158	# Note any private key is not available if user key signing model used.
159	PACKAGES_DYNAMIC = "\	159	PACKAGES_DYNAMIC = "\
160	${PN}-system-trusted-privkey \	160	${PN}-system-trusted-privkey \
161	${PN}-extra-system-trusted-privkey \	161	${PN}-secondary-trusted-privkey \
162	${PN}-modsign-privkey \	162	${PN}-modsign-privkey \
163	${PN}-ima-privkey \	163	${PN}-ima-privkey \
164	${PN}-rpm-pubkey \	164	${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
167	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	167	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
168	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	168	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
169		169
170	FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"	170	FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
171	CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"	171	CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
172		172
173	FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"	173	FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
174	CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"	174	CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"


diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index ddcd31a..eea52df 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
98	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"	98	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
99	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"	99	RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
100	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"	100	MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
101	EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"	101	SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
102		102
103	pem2der() {	103	pem2der() {
104	local src="$1"	104	local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
201	"/CN=MODSIGN Certificate/"	201	"/CN=MODSIGN Certificate/"
202	}	202	}
203		203
204	create_extra_system_user_key() {	204	create_secondary_user_key() {
205	local key_dir="$EXTRA_SYSTEM_KEYS_DIR"	205	local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
206		206
207	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"	207	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
208		208
209	ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \	209	ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
210	"/CN=Extra System Trusted Certificate/"	210	"/CN=Extra System Trusted Certificate/"
211	}	211	}
212		212
@@ -297,8 +297,8 @@ create_user_keys() {
297	echo "Creating the user key for system"	297	echo "Creating the user key for system"
298	create_system_user_key	298	create_system_user_key
299		299
300	echo "Creating the user key for system extra"	300	echo "Creating the user key for system secondary trust"
301	create_extra_system_user_key	301	create_secondary_user_key
302		302
303	echo "Creating the user key for modsign"	303	echo "Creating the user key for modsign"
304	create_modsign_user_key	304	create_modsign_user_key