author | Stefan Berger <stefanb@linux.ibm.com> | 2023-04-28 08:23:14 -0400 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-05-06 07:54:09 -0400 |
commit | b9abf0e09bfea8f08cc7f2d68998f014abba5b3b (patch) | |
tree | 0d593215195952055dddbcd6f09cd11cc7624a79 | |
parent | 76f1f539a678725211283294c8b6735186055694 (diff) | |
download | meta-security-b9abf0e09bfea8f08cc7f2d68998f014abba5b3b.tar.gz |
integrity: Update the README for IMA support
Update the README describing how IMA support can be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-integrity/README.md | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 816b40d..1a37280 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
@@ -76,7 +76,7 @@ other layers needed. e.g.: | |||
76 | 76 | ||
77 | It has some dependencies on a suitable BSP; in particular the kernel | 77 | It has some dependencies on a suitable BSP; in particular the kernel |
78 | must have a recent enough IMA/EVM subsystem. The layer was tested with | 78 | must have a recent enough IMA/EVM subsystem. The layer was tested with |
79 | Linux 3.19 and uses some features (like loading X509 certificates | 79 | Linux 6.1 and uses some features (like loading X509 certificates |
80 | directly from the kernel) which were added in that release. Your | 80 | directly from the kernel) which were added in that release. Your |
81 | mileage may vary with older kernels. | 81 | mileage may vary with older kernels. |
82 | 82 | ||
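Review bot: new lines 79-81 now read "tested with Linux 6.1 and uses some features (like loading X509 certificates directly from the kernel) which were added in that release", which is no longer true after the version bump: the relative clause was written for 3.19 and now claims the X.509 loading feature first appeared in 6.1. Suggest separating the two statements, e.g. "The layer was tested with Linux 6.1." followed by a sentence naming the minimum kernel the required IMA/EVM features need, or simply dropping "which were added in that release" if that minimum is not being stated.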
@@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during | |||
89 | compilation of the Linux kernel. To also activate it when building | 89 | compilation of the Linux kernel. To also activate it when building |
90 | the image, enable image signing in the local.conf like this: | 90 | the image, enable image signing in the local.conf like this: |
91 | 91 | ||
92 | DISTRO_FEATURES:append = " integrity ima" | ||
93 | |||
92 | IMAGE_CLASSES += "ima-evm-rootfs" | 94 | IMAGE_CLASSES += "ima-evm-rootfs" |
95 | |||
93 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" | 96 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
94 | IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" | 97 | IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" |
95 | IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" | 98 | IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" |
99 | IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" | ||
100 | |||
101 | # The following policy enforces IMA & EVM signatures | ||
102 | IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all" | ||
96 | 103 | ||
97 | This uses the default keys provided in the "data" directory of the layer. | 104 | This uses the default keys provided in the "data" directory of the layer. |
98 | Because everyone has access to these private keys, such an image | 105 | Because everyone has access to these private keys, such an image |
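Review bot: the lead-in at lines 89-90 ("enable image signing in the local.conf like this") no longer describes the snippet, which now also appends `integrity ima` to DISTRO_FEATURES, sets IMA_EVM_ROOT_CA and selects an appraisal policy via IMA_EVM_POLICY. Suggest rewording the lead-in to say that all of these settings are needed, and adding one line on what IMA_EVM_ROOT_CA is used for (the later paragraph says the CA's public key is compiled into the kernel's system keyring, so a pointer belongs here) and what ima_policy_appraise_all does beyond the comment "enforces IMA & EVM signatures". Since that policy is enforcing and the following paragraph already warns that everyone has the debug private keys, it would help to state the consequence directly: with these settings anyone holding the published keys can produce files the image will accept.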
@@ -113,10 +120,7 @@ for that are included in the layer. This is also how the | |||
113 | cd $IMA_EVM_KEY_DIR | 120 | cd $IMA_EVM_KEY_DIR |
114 | # In that shell, create the keys. Several options exist: | 121 | # In that shell, create the keys. Several options exist: |
115 | 122 | ||
116 | # 1. Self-signed keys. | 123 | # 1. Keys signed by a new CA. |
117 | $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh | ||
118 | |||
119 | # 2. Keys signed by a new CA. | ||
120 | # When asked for a PEM passphrase, that will be for the root CA. | 124 | # When asked for a PEM passphrase, that will be for the root CA. |
121 | # Signing images then will not require entering that passphrase, | 125 | # Signing images then will not require entering that passphrase, |
122 | # only creating new certificates does. Most likely the default | 126 | # only creating new certificates does. Most likely the default |
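Review bot: the self-signed option (old lines 116-117, `ima-gen-self-signed.sh`) is removed and the remaining options renumbered, but neither this hunk nor the commit message says why. If the script is still shipped under `scripts/`, the README should say that it is no longer a supported path (the new IMA_EVM_ROOT_CA setting in the local.conf snippet implies a CA certificate is now expected); if the script itself is being removed, that should be stated in the commit message so the two changes can be reviewed together.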
@@ -125,13 +129,11 @@ for that are included in the layer. This is also how the | |||
125 | # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh | 129 | # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh |
126 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh | 130 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh |
127 | 131 | ||
128 | # 3. Keys signed by an existing CA. | 132 | # 2. Keys signed by an existing CA. |
129 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> | 133 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> |
130 | exit | 134 | exit |
131 | 135 | ||
132 | When using ``ima-self-signed.sh`` as described above, self-signed keys | 136 | The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA |
133 | are created. Alternatively, one can also use keys signed by a CA. The | ||
134 | ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA | ||
135 | and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then | 137 | and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then |
136 | supports adding tha CA's public key to the kernel's system keyring by | 138 | supports adding tha CA's public key to the kernel's system keyring by |
137 | compiling it directly into the kernel. Because it is unknown whether | 139 | compiling it directly into the kernel. Because it is unknown whether |
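Review bot: new line 136 refers to ``ima-gen.sh``, but the commands listed immediately above are ``ima-gen-local-ca.sh`` and ``ima-gen-CA-signed.sh``; no ``ima-gen.sh`` appears anywhere in the snippet, so either the prose or the command list names the wrong script. Suggest "The ``ima-gen-local-ca.sh`` and ``ima-gen-CA-signed.sh`` scripts create a root CA and sign the signing keys with it." While this paragraph is being rewritten, the unchanged context line 138 still carries the typo "tha CA's public key".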