From 353a003f1bd422ea71ed7009e2d7ed04476bc6e2 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Mon, 3 Jul 2017 15:50:59 +0800 Subject: Use the DER-formatted system trusted key Signed-off-by: Lans Zhang --- .../recipes-kernel/linux/linux-yocto-integrity.inc | 7 ++++--- .../recipes-support/key-store/key-store_0.1.bb | 6 +++--- meta-signing-key/scripts/create-user-key-store.sh | 24 +++++++++++++++++++++- 3 files changed, 30 insertions(+), 7 deletions(-) diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc index 247ae55..2e636cf 100644 --- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc +++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc @@ -11,9 +11,10 @@ SRC_URI += "\ " do_configure_append() { - if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then - openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \ - -outform DER -out "${B}/system_trusted_cert.x509" + cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der" + + if [ -f "$cert" ]; then + install -m 0644 "$cert" "${B}/system_trusted_cert.x509" else true fi diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 7b9572e..41e6797 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -29,10 +29,10 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" # For ${PN}-ima-privkey -IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.pem" +IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt" # For ${PN}-system-trusted-cert -SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.pem" +SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der" FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" 
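Review bot: The new `install -m 0644 "$cert" "${B}/system_trusted_cert.x509"` in do_configure_append copies the DER file without checking that it parses as a certificate, whereas the removed `openssl x509 ... -outform DER` at least failed on malformed input; a truncated or still-PEM-encoded file named `.der` now lands in the kernel's trusted-keys input unchecked. A cheap guard before the install is `openssl x509 -inform DER -in "$cert" -noout || bbfatal "system_trusted_key.der is not a valid DER certificate"`. The retained `else true` branch also keeps a missing certificate silent; a `bbwarn "no system_trusted_key.der found, kernel built without a system trusted key"` there would make that build state visible.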
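Review bot: `IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"` gives a private key a certificate extension, while the rest of this series treats `.crt` as the PEM certificate (ca_sign in create-user-key-store.sh reads `$ca_key_name.crt` as the CA cert), so readers and any extension-based handling will take this file for a public cert. If the intent is to package the IMA certificate, the variable and the `${PN}-ima-privkey` package name no longer match; if it really is the private key, `privkey_evm.pem` or a `.key` suffix matching `system_trusted_key.key` two lines above is the less misleading name. The do_install step that copies this path is outside the hunk, so I cannot confirm which file ends up there.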
@@ -83,7 +83,7 @@ do_install() { install -d "${D}${KEY_DIR}" key_dir="${@uks_system_trusted_keys_dir(d)}" - install -m 0644 "$key_dir/system_trusted_key.pem" "${D}${SYSTEM_CERT}" + install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}" if [ "${@uks_signing_model(d)}" = "sample" ]; then install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index fc871a7..b8cce9e 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh @@ -47,6 +47,13 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys" SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys" IMA_KEYS_DIR="$KEYS_DIR/ima_keys" +pem2der() { + local src="$1" + local dst="${src/.crt/.der}" + + openssl x509 -in "$src" -outform DER -out "$dst" +} + ca_sign() { local key_dir="$1" local key_name="$2" @@ -68,8 +75,17 @@ ca_sign() { -keyout "$key_dir/$key_name.key" \ -out "$key_dir/$key_name.csr" + local ca_cert="$ca_key_dir/$ca_key_name.crt" + local ca_cert_form="PEM" + + [ ! -s "$ca_cert" ] && { + ca_cert="$ca_key_dir/$ca_key_name.der" + ca_cert_form="DER" + } + openssl x509 -req -in "$key_dir/$key_name.csr" \ - -CA "$ca_key_dir/$ca_key_name.crt" \ + -CA "$ca_cert" \ + -CAform "$ca_cert_form" \ -CAkey "$ca_key_dir/$ca_key_name.key" \ -set_serial 1 -days 3650 \ -out "$key_dir/$key_name.crt" @@ -109,6 +125,9 @@ create_system_user_key() { ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \ "/CN=System Trusted Certificate for $USER@`hostname`/" + + pem2der "$key_dir/system_trusted_key.crt" + rm -f "$key_dir/system_trusted_key.crt" } create_ima_user_key() { 
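Review bot: In pem2der, `local dst="${src/.crt/.der}"` substitutes the first `.crt` anywhere in the path rather than the suffix, so a key directory whose name contains `.crt` yields an output path in the wrong directory while the original file is left in place; `local dst="${src%.crt}.der"` anchors the replacement to the end of the name. The function also relies on callers to notice openssl's status, so a header comment such as `# Convert a PEM certificate (.crt) to DER (.der) beside it; returns openssl's exit status` would document that contract.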
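Review bot: The fallback `[ ! -s "$ca_cert" ] && { ... }` in ca_sign switches to `$ca_key_name.der` without checking that the DER file exists either, so when neither form is present the failure surfaces as an opaque openssl error on the `-CA` line instead of naming the missing CA certificate; an explicit `[ -s "$ca_cert" ] || { echo "CA certificate $ca_key_dir/$ca_key_name.{crt,der} not found" >&2; return 1; }` after the fallback would make that clear. Note also that an empty `.crt` is silently treated as absent by `-s`, which is probably intended but deserves a comment. Unrelated to this change but visible on the same lines, every certificate issued here gets `-set_serial 1`, so the system and IMA certificates signed by the same CA share a serial number, which RFC 5280 expects to be unique per issuer. The beginning of ca_sign lies outside the hunk.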
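Review bot: In create_system_user_key, `rm -f "$key_dir/system_trusted_key.crt"` runs regardless of whether the preceding `pem2der` succeeded, so if openssl fails or is absent the PEM is deleted and no DER is produced, leaving a private key with no certificate and nothing to retry from; unless the script runs under `set -e` (not visible here), `pem2der "$key_dir/system_trusted_key.crt" && rm -f "$key_dir/system_trusted_key.crt"` or an explicit status check keeps the PEM on failure. The same pattern appears in the create_ima_user_key hunk below for `x509_ima.crt`. Removing the PEM also means every later ca_sign call on this CA takes the DER fallback path, which looks intended but is worth a one-line comment at the rm.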
@@ -118,6 +137,9 @@ create_ima_user_key() { ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \ "/CN=IMA Trusted Certificate for $USER@`hostname`/" + + pem2der "$key_dir/x509_ima.crt" + rm -f "$key_dir/x509_ima.crt" } create_user_keys() { -- cgit v1.2.3-54-g00ecf