From 37a59625e5cc1cebb95427fdbc86826e02d7e065 Mon Sep 17 00:00:00 2001
From: Yunguo Wei
Date: Fri, 26 Oct 2018 10:16:42 +0800
Subject: key-store: rename ima private key and certificate on target

If sample keys are selected, key-store service will deploy IMA private key during first boot, but beople may be confused if we deploy a sample private key like "xxx.crt", so this commit is making sure key/cert on target are consistent with key files on build system.

Signed-off-by: Yunguo Wei
---
 meta-integrity/README.md | 13 +++++++++++++
 meta-integrity/recipes-core/initrdscripts/files/init.ima | 4 ++--
 meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg | 2 +-
 meta-signing-key/recipes-support/key-store/key-store_0.1.bb | 4 ++--
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 8ffd484..ad17c05 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -110,6 +110,19 @@ default, the sample keys are used for the purpose of development and
 demonstration. Please ensure you know what your risk is to use the sample
 keys in your product, because they are completely public.
 
+If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key.
+
+A typical signing command is as following:
+
+ # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= /path/to/file
+or
+
+ # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass= -r /path/to/directory
+
+The following command can be used to verify a file's IMA signature with specified certificate:
+
+ # evmctl ima_verify --key /etc/keys/x509_ima.der /path/to/file
+
 ### RPM File Signing
 The payloads in a RPM are signed by the private key during the build, and each
 IMA signatures for the corresponding payload file will be eventually written
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
index c663817..8934cfc 100755
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -110,10 +110,10 @@ for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do
 fi
 done
 
-# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
+# The trusted IMA certificate /etc/keys/x509_ima.der in initramfs was
 # automatically loaded by kernel already. Here is the opportunity to load
 # a custom IMA certificate from the real rootfs.
-for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
+for cert in ${ROOT_DIR}/etc/keys/x509_ima*.der; do
 [ ! -s "$cert" ] && continue
 name=`basename $cert`
 
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
index 9cd609b..0d7e66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -19,5 +19,5 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_BLACKLIST_KEYRING=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index f5c3e75..d83b79c 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -24,7 +24,7 @@ SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
 
 # For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
+IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
 
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
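Review bot: `IMA_PRIV_KEY` now resolves to `${KEY_DIR}/x509_ima.key`, but the assignment carries no comment saying that the basename must match the key present in the sample key directory (and, for the "user" signing model, whatever key directory the user populates), so a user-supplied `privkey_evm.crt` silently stops being the file this recipe looks for; the hunk does not show what do_install does when the file is missing, so whether that fails loudly is inferred. Suggest the comment above the assignment become `# For ${PN}-ima-privkey; basename must match the IMA key in KEY_DIR (was privkey_evm.crt)`. Since ${PN}-ima-privkey places the signing key on the target at /etc/keys/x509_ima.key next to the certificate, it is worth stating there that the package is intended for the sample/development model only, which the README context in this commit already warns about ("they are completely public"). The same basename convention is relied on by `IMA_CERT` in the next hunk and by the `x509_ima*.der` glob in init.ima, so the three should be kept in step.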
@@ -37,7 +37,7 @@ SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.d
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
 
 # For ${PN}-ima-cert
-IMA_CERT = "${KEY_DIR}/x509_evm.der"
+IMA_CERT = "${KEY_DIR}/x509_ima.der"
 
 python () {
 if not (uks_signing_model(d) in "sample", "user"):
--
cgit v1.2.3-54-g00ecf
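Review bot: The guard `if not (uks_signing_model(d) in "sample", "user"):` in the anonymous python block, as printed in the hunk, parenthesises a two-element tuple rather than the membership test, so `not (...)` is always False and the block never rejects an unsupported signing model; the `in "sample"` form would additionally be a substring test rather than an equality test. If the source really reads this way, the line should be `if uks_signing_model(d) not in ("sample", "user"):`. The python block starts in this hunk and its body continues outside it, so what the guard protects is not visible here.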