diff options
| author | Stefan Berger <stefanb@linux.ibm.com> | 2023-04-28 08:23:09 -0400 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-05-06 07:54:09 -0400 |
| commit | 0652c9fd7496d021f91759cc7489b6faad3e04bd (patch) | |
| tree | 066b2256385357814a5443a6ea7b49826cfde593 | |
| parent | 3b5fa74e77e5fe32606de77b1e9aebf63fc44012 (diff) | |
| download | meta-security-0652c9fd7496d021f91759cc7489b6faad3e04bd.tar.gz | |
ima: Document and replace keys and adapt scripts for EC keys
For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-integrity/data/debug-keys/README.md | 17 | ||||
| -rw-r--r-- | meta-integrity/data/debug-keys/ima-local-ca.pem | 15 | ||||
| -rw-r--r-- | meta-integrity/data/debug-keys/ima-local-ca.priv | 7 | ||||
| -rw-r--r-- | meta-integrity/data/debug-keys/privkey_ima.pem | 17 | ||||
| -rw-r--r-- | meta-integrity/data/debug-keys/x509_ima.der | bin | 707 -> 620 bytes | |||
| -rwxr-xr-x | meta-integrity/scripts/ima-gen-CA-signed.sh | 9 | ||||
| -rwxr-xr-x | meta-integrity/scripts/ima-gen-local-ca.sh | 6 | ||||
| -rwxr-xr-x | meta-integrity/scripts/ima-gen-self-signed.sh | 41 |
8 files changed, 50 insertions, 62 deletions
diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md new file mode 100644 index 0000000..e613968 --- /dev/null +++ b/meta-integrity/data/debug-keys/README.md | |||
| @@ -0,0 +1,17 @@ | |||
| 1 | # EVM & IMA keys | ||
| 2 | |||
| 3 | The following IMA & EVM debug/test keys are in this directory | ||
| 4 | |||
| 5 | - ima-local-ca.priv: The CA's private key (password: 1234) | ||
| 6 | - ima-local-ca.pem: The CA's self-signed certificate | ||
| 7 | - privkey_ima.pem: IMA & EVM private key used for signing files | ||
| 8 | - x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures | ||
| 9 | |||
| 10 | The CA's (self-signed) certificate can be used to verify the validity of | ||
| 11 | the x509_ima.der certificate. Since the CA certificate will be built into | ||
| 12 | the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must | ||
| 13 | pass this test: | ||
| 14 | |||
| 15 | ``` | ||
| 16 | openssl verify -CAfile ima-local-ca.pem x509_ima.der | ||
| 17 | ```` | ||
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem new file mode 100644 index 0000000..4b48be4 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.pem | |||
| @@ -0,0 +1,15 @@ | |||
| 1 | -----BEGIN CERTIFICATE----- | ||
| 2 | MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9 | ||
| 3 | MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt | ||
| 4 | c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG | ||
| 5 | SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP | ||
| 6 | MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD | ||
| 7 | DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp | ||
| 8 | Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ | ||
| 9 | MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU | ||
| 10 | rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG | ||
| 11 | A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud | ||
| 12 | IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO | ||
| 13 | PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu | ||
| 14 | clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw== | ||
| 15 | -----END CERTIFICATE----- | ||
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv new file mode 100644 index 0000000..e13de23 --- /dev/null +++ b/meta-integrity/data/debug-keys/ima-local-ca.priv | |||
| @@ -0,0 +1,7 @@ | |||
| 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- | ||
| 2 | MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw | ||
| 3 | DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK | ||
| 4 | x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems | ||
| 5 | lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY | ||
| 6 | LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw= | ||
| 7 | -----END ENCRYPTED PRIVATE KEY----- | ||
diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem index 502a0b6..8362cfe 100644 --- a/meta-integrity/data/debug-keys/privkey_ima.pem +++ b/meta-integrity/data/debug-keys/privkey_ima.pem | |||
| @@ -1,16 +1,5 @@ | |||
| 1 | -----BEGIN PRIVATE KEY----- | 1 | -----BEGIN PRIVATE KEY----- |
| 2 | MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU | 2 | MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm |
| 3 | Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 | 3 | SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj |
| 4 | IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p | 4 | cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv |
| 5 | OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 | ||
| 6 | lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW | ||
| 7 | HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV | ||
| 8 | aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA | ||
| 9 | TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue | ||
| 10 | WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb | ||
| 11 | SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 | ||
| 12 | xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ | ||
| 13 | CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q | ||
| 14 | 1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ | ||
| 15 | 3vVaxg2EfqB1 | ||
| 16 | -----END PRIVATE KEY----- | 5 | -----END PRIVATE KEY----- |
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der index 087ca6b..3f6f24e 100644 --- a/meta-integrity/data/debug-keys/x509_ima.der +++ b/meta-integrity/data/debug-keys/x509_ima.der | |||
| Binary files differ | |||
diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh index 5f3a728..b10b1ba 100755 --- a/meta-integrity/scripts/ima-gen-CA-signed.sh +++ b/meta-integrity/scripts/ima-gen-CA-signed.sh | |||
| @@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv} | |||
| 20 | 20 | ||
| 21 | cat << __EOF__ >$GENKEY | 21 | cat << __EOF__ >$GENKEY |
| 22 | [ req ] | 22 | [ req ] |
| 23 | default_bits = 1024 | ||
| 24 | distinguished_name = req_distinguished_name | 23 | distinguished_name = req_distinguished_name |
| 25 | prompt = no | 24 | prompt = no |
| 26 | string_mask = utf8only | 25 | string_mask = utf8only |
| @@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE | |||
| 36 | #basicConstraints=CA:FALSE | 35 | #basicConstraints=CA:FALSE |
| 37 | keyUsage=digitalSignature | 36 | keyUsage=digitalSignature |
| 38 | #keyUsage = nonRepudiation, digitalSignature, keyEncipherment | 37 | #keyUsage = nonRepudiation, digitalSignature, keyEncipherment |
| 38 | extendedKeyUsage=critical,codeSigning | ||
| 39 | subjectKeyIdentifier=hash | 39 | subjectKeyIdentifier=hash |
| 40 | authorityKeyIdentifier=keyid | 40 | authorityKeyIdentifier=keyid |
| 41 | #authorityKeyIdentifier=keyid,issuer | 41 | #authorityKeyIdentifier=keyid,issuer |
| 42 | __EOF__ | 42 | __EOF__ |
| 43 | 43 | ||
| 44 | openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ | 44 | openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \ |
| 45 | -out csr_ima.pem -keyout privkey_ima.pem | 45 | -out csr_ima.pem -keyout privkey_ima.pem \ |
| 46 | openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ | 46 | -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 |
| 47 | openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \ | ||
| 47 | -CA $CA -CAkey $CAKEY -CAcreateserial \ | 48 | -CA $CA -CAkey $CAKEY -CAcreateserial \ |
| 48 | -outform DER -out x509_ima.der | 49 | -outform DER -out x509_ima.der |
diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh index b600761..339d3e3 100755 --- a/meta-integrity/scripts/ima-gen-local-ca.sh +++ b/meta-integrity/scripts/ima-gen-local-ca.sh | |||
| @@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey | |||
| 18 | 18 | ||
| 19 | cat << __EOF__ >$GENKEY | 19 | cat << __EOF__ >$GENKEY |
| 20 | [ req ] | 20 | [ req ] |
| 21 | default_bits = 2048 | ||
| 22 | distinguished_name = req_distinguished_name | 21 | distinguished_name = req_distinguished_name |
| 23 | prompt = no | 22 | prompt = no |
| 24 | string_mask = utf8only | 23 | string_mask = utf8only |
| @@ -33,10 +32,11 @@ emailAddress = john.doe@example.com | |||
| 33 | basicConstraints=CA:TRUE | 32 | basicConstraints=CA:TRUE |
| 34 | subjectKeyIdentifier=hash | 33 | subjectKeyIdentifier=hash |
| 35 | authorityKeyIdentifier=keyid:always,issuer | 34 | authorityKeyIdentifier=keyid:always,issuer |
| 36 | # keyUsage = cRLSign, keyCertSign | 35 | keyUsage = cRLSign, keyCertSign |
| 37 | __EOF__ | 36 | __EOF__ |
| 38 | 37 | ||
| 39 | openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ | 38 | openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \ |
| 39 | -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ | ||
| 40 | -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv | 40 | -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv |
| 41 | 41 | ||
| 42 | openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem | 42 | openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem |
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh deleted file mode 100755 index 5ee876c..0000000 --- a/meta-integrity/scripts/ima-gen-self-signed.sh +++ /dev/null | |||
| @@ -1,41 +0,0 @@ | |||
| 1 | #!/bin/sh | ||
| 2 | # | ||
| 3 | # Copied from ima-evm-utils. | ||
| 4 | # | ||
| 5 | # This program is free software; you can redistribute it and/or | ||
| 6 | # modify it under the terms of the GNU General Public License | ||
| 7 | # version 2 as published by the Free Software Foundation. | ||
| 8 | # | ||
| 9 | # This program is distributed in the hope that it will be useful, | ||
| 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| 12 | # GNU General Public License for more details. | ||
| 13 | # | ||
| 14 | # You should have received a copy of the GNU General Public License | ||
| 15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| 16 | |||
| 17 | GENKEY=ima.genkey | ||
| 18 | |||
| 19 | cat << __EOF__ >$GENKEY | ||
| 20 | [ req ] | ||
| 21 | default_bits = 1024 | ||
| 22 | distinguished_name = req_distinguished_name | ||
| 23 | prompt = no | ||
| 24 | string_mask = utf8only | ||
| 25 | x509_extensions = myexts | ||
| 26 | |||
| 27 | [ req_distinguished_name ] | ||
| 28 | O = example.com | ||
| 29 | CN = meta-intel-iot-security example signing key | ||
| 30 | emailAddress = john.doe@example.com | ||
| 31 | |||
| 32 | [ myexts ] | ||
| 33 | basicConstraints=critical,CA:FALSE | ||
| 34 | keyUsage=digitalSignature | ||
| 35 | subjectKeyIdentifier=hash | ||
| 36 | authorityKeyIdentifier=keyid | ||
| 37 | __EOF__ | ||
| 38 | |||
| 39 | openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ | ||
| 40 | -x509 -config $GENKEY \ | ||
| 41 | -outform DER -out x509_ima.der -keyout privkey_ima.pem | ||