From 51b2da4a417aef67618c1471f5df1854b89a740d Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Mon, 16 Sep 2019 14:06:06 +0300
Subject: key-store: drop private keys packages
Having a private key package might allow one to pull it into rootfs which is really, really bad. So drop all private key packages.
Signed-off-by: Dmitry Eremin-Solenikov
---
 .../recipes-support/key-store/key-store_0.1.bb | 54 ----------------------
 1 file changed, 54 deletions(-)
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index d83b79c..9dc7cae 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -14,18 +14,6 @@ KEY_DIR = "${sysconfdir}/keys"
 # For RPM verification
 RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
-# For ${PN}-system-trusted-privkey
-SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
-
-# For ${PN}-secondary-trusted-privkey
-SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
-
-# For ${PN}-modsign-privkey
-MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
-
-# For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
-
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
@@ -43,26 +31,6 @@ python () {
 if not (uks_signing_model(d) in "sample", "user"):
 return
- pn = d.getVar('PN', True) + '-system-trusted-privkey'
- d.setVar('PACKAGES_prepend', pn + ' ')
- d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
- d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-
- pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
- d.setVar('PACKAGES_prepend', pn + ' ')
- d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
- d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
-
- pn = d.getVar('PN', True) + '-modsign-privkey'
- d.setVar('PACKAGES_prepend', pn + ' ')
- d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
- d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
-
- pn = d.getVar('PN', True) + '-ima-privkey'
- d.setVar('PACKAGES_prepend', pn + ' ')
- d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
- d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
-
 pn = d.getVar('PN', True) + '-rpm-pubkey'
 d.setVar('PACKAGES_prepend', pn + ' ')
 d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True))
@@ -93,36 +61,18 @@ do_install() {
 key_dir="${@uks_system_trusted_keys_dir(d)}"
 install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"
- if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
- install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
- fi
-
 key_dir="${@uks_secondary_trusted_keys_dir(d)}"
 install -m 0644 "$key_dir/secondary_trusted_key.crt" \
 "${D}${SECONDARY_TRUSTED_CERT}"
 openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \
 -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"
- if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
- install -m 0400 "$key_dir/secondary_trusted_key.key" \
- "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
- fi
-
 key_dir="${@uks_modsign_keys_dir(d)}"
 install -m 0644 "$key_dir/modsign_key.crt" \
 "${D}${MODSIGN_CERT}"
- if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
- install -m 0400 "$key_dir/modsign_key.key" \
- "${D}${MODSIGN_PRIV_KEY}"
- fi
-
 key_dir="${@uks_ima_keys_dir(d)}"
 install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
-
- if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
- install -m 0400 "$key_dir/x509_ima.key" "${D}${IMA_PRIV_KEY}"
- fi
 }
 do_install[prefuncs] += "check_deploy_keys"
@@ -158,10 +108,6 @@ PACKAGES = "\
 # Note any private key is not available if user key signing model used.
 PACKAGES_DYNAMIC = "\
- ${PN}-system-trusted-privkey \
- ${PN}-secondary-trusted-privkey \
- ${PN}-modsign-privkey \
- ${PN}-ima-privkey \
 ${PN}-rpm-pubkey \
 "
-- cgit v1.2.3-54-g00ecf
From 24d27e9f97ea661678d7efe856b00a92789c7f77 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Mon, 16 Sep 2019 14:07:11 +0300
Subject: packagegroup-ima: RRECOMMEND certificates rather than private keys
Do not even try pulling private keys into rootfs.
Signed-off-by: Dmitry Eremin-Solenikov
---
 meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
index e8885cc..7755a87 100644
--- a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
@@ -15,6 +15,6 @@ RDEPENDS_${PN} += "\
 # Note any private key is not available if user key signing model used.
 RRECOMMENDS_${PN} += "\
- key-store-ima-privkey \
- key-store-system-trusted-privkey \
+ key-store-ima-cert \
+ key-store-system-trusted-cert \
 "
-- cgit v1.2.3-54-g00ecf
From b41010c80c98ed5d0f987a97cb927660bc494821 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Mon, 16 Sep 2019 16:00:09 +0300
Subject: linux-yocto-integrity: fix modsign key path
Use modsign key directly from uks_modsign_keys_path(d), rather than from installed package.
Signed-off-by: Dmitry Eremin-Solenikov
---
 meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index b950acd..829c485 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
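Review bot: The context comment kept above the RRECOMMENDS block, `# Note any private key is not available if user key signing model used.`, no longer describes what follows now that only certificate packages are listed; I would replace it with `# Only public certificates are pulled into the image; private keys are never packaged.`. With the privkey packages gone, the reason for using RRECOMMENDS here (a privkey package that may not exist under the user signing model) also goes away, and a recommendation can be dropped by BAD_RECOMMENDATIONS/NO_RECOMMENDATIONS, leaving an IMA-enabled image without the certificate it appraises against, so consider moving `key-store-ima-cert` and `key-store-system-trusted-cert` into `RDEPENDS_${PN}` if the group is meant to guarantee appraisal works. `key-store-system-trusted-cert` matches the `${PN}-system-trusted-cert` package named in the key-store recipe earlier on this page; I could not confirm from this page that a `key-store-ima-cert` package is defined, so that name is worth checking against key-store's PACKAGES list.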
@@ -17,9 +17,11 @@ SRC_URI += "\
 INHIBIT_PACKAGE_STRIP = "${@'1' if d.getVar('MODSIGN_ENABLED', True) == '1' else '0'}"
+inherit ${@'user-key-store' if d.getVar('MODSIGN_ENABLED', True) == '1' else ''}
+
 do_configure_prepend() {
 sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
- modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key"
+ modsign_key="${@uks_modsign_keys_dir(d)}/modsign_key.key"
 modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
 if [ -f "$sys_cert" ]; then
-- cgit v1.2.3-54-g00ecf
From f2db9e0de6934f3533449056eadd646784833d1f Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Mon, 30 Sep 2019 17:10:15 +0300
Subject: meta-integrity: fix documentation
Signed-off-by: Dmitry Eremin-Solenikov
---
 meta-integrity/README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index ad17c05..32365e9 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
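Review bot: The new `inherit` of user-key-store is conditional on MODSIGN_ENABLED, but the `${@uks_modsign_keys_dir(d)}` expansion added to do_configure_prepend is unconditional, so a build with MODSIGN_ENABLED unset would fail to expand the function body with a NameError unless user-key-store is also inherited somewhere else in this file. I would guard the expansion the same way as the inherit, `modsign_key="${@uks_modsign_keys_dir(d) + '/modsign_key.key' if d.getVar('MODSIGN_ENABLED', True) == '1' else ''}"`, so that an existence test on the path (like the visible `[ -f "$sys_cert" ]` check) simply fails when module signing is off. The commit message refers to `uks_modsign_keys_path(d)` while the code calls `uks_modsign_keys_dir(d)`; one of the two should be corrected. Reading the signing key from the build-host key directory instead of the sysroot is the right direction; do_configure_prepend continues past the end of the hunk, so whether the rest of the body only points the kernel configuration at that path and never copies the key under ${B} or ${D} could not be checked here.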
@@ -110,14 +110,15 @@ default, the sample keys are used for the purpose of development and demonstration. Please ensure you know what your risk is to use the sample keys in your product, because they are completely public. -If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key. +Private keys are not installed into the target image. If you understand your +risks, you can copy them to your target file system or to an external storage. -A typical signing command is as following: +If you do so, a typical signing command is as following: - # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= /path/to/file + # evmctl ima_sign --hashalgo sha256 --key path/to/x509_ima.key --pass= /path/to/file or - # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= -r /path/to/directory + # evmctl ima_sign --hashalgo sha256 --key /path/to/x509_ima.key --pass= -r /path/to/directory The following command can be used to verify a file's IMA signature with specified certificate: -- cgit v1.2.3-54-g00ecf