From 51b2da4a417aef67618c1471f5df1854b89a740d Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Mon, 16 Sep 2019 14:06:06 +0300 Subject: key-store: drop private keys packages Having a private key package might allow one to pull it into rootfs which is really, really bad. So drop all private key packages. Signed-off-by: Dmitry Eremin-Solenikov --- .../recipes-support/key-store/key-store_0.1.bb | 54 ---------------------- 1 file changed, 54 deletions(-) diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index d83b79c..9dc7cae 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -14,18 +14,6 @@ KEY_DIR = "${sysconfdir}/keys" # For RPM verification RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" -# For ${PN}-system-trusted-privkey -SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" - -# For ${PN}-secondary-trusted-privkey -SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key" - -# For ${PN}-modsign-privkey -MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key" - -# For ${PN}-ima-privkey -IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key" - # For ${PN}-system-trusted-cert SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" @@ -43,26 +31,6 @@ python () { if not (uks_signing_model(d) in "sample", "user"): return - pn = d.getVar('PN', True) + '-system-trusted-privkey' - d.setVar('PACKAGES_prepend', pn + ' ') - d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) - d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) - - pn = d.getVar('PN', True) + '-secondary-trusted-privkey' - d.setVar('PACKAGES_prepend', pn + ' ') - d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True)) - d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True)) - - pn = d.getVar('PN', True) + '-modsign-privkey' - d.setVar('PACKAGES_prepend', pn + ' ') - d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True)) - d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True)) - - pn = d.getVar('PN', True) + '-ima-privkey' - d.setVar('PACKAGES_prepend', pn + ' ') - d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) - d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) - pn = d.getVar('PN', True) + '-rpm-pubkey' d.setVar('PACKAGES_prepend', pn + ' ') d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True)) @@ -93,36 +61,18 @@ do_install() { key_dir="${@uks_system_trusted_keys_dir(d)}" install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}" - if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then - install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" - fi - key_dir="${@uks_secondary_trusted_keys_dir(d)}" install -m 0644 "$key_dir/secondary_trusted_key.crt" \ "${D}${SECONDARY_TRUSTED_CERT}" openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \ -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}" - if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then - install -m 0400 "$key_dir/secondary_trusted_key.key" \ - "${D}${SECONDARY_TRUSTED_PRIV_KEY}" - fi - key_dir="${@uks_modsign_keys_dir(d)}" install -m 0644 "$key_dir/modsign_key.crt" \ "${D}${MODSIGN_CERT}" - if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then - install -m 0400 "$key_dir/modsign_key.key" \ - "${D}${MODSIGN_PRIV_KEY}" - fi - key_dir="${@uks_ima_keys_dir(d)}" install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}" - - if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then - install -m 0400 "$key_dir/x509_ima.key" "${D}${IMA_PRIV_KEY}" - fi } do_install[prefuncs] += "check_deploy_keys" @@ -158,10 +108,6 @@ PACKAGES = "\ # Note any private key is not available if user key signing model used. PACKAGES_DYNAMIC = "\ - ${PN}-system-trusted-privkey \ - ${PN}-secondary-trusted-privkey \ - ${PN}-modsign-privkey \ - ${PN}-ima-privkey \ ${PN}-rpm-pubkey \ " -- cgit v1.2.3-54-g00ecf