| -rw-r--r-- | meta-integrity/README.md | 1 | ||||
| -rw-r--r-- | meta-integrity/classes/ima-evm-rootfs.bbclass | 10 |
2 files changed, 9 insertions, 2 deletions
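--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this:
 
 IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
 IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
 IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 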
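--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -8,6 +8,10 @@ IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
 # using the example key directory.
 IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
 
+# Additional option when signing. Allows to for example provide
+# --keyid <id> or --keyid-from-cert <filename>.
+IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -69,7 +73,8 @@ ima_evm_sign_rootfs () {
 fi
 
 bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
 
 # check signing key and signature verification key
 evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
@@ -82,7 +87,8 @@ ima_evm_sign_rootfs () {
 install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
 
 bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
-evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
+evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+--key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} "${IMAGE_ROOTFS}/etc/ima/ima-policy"
 fi
 
 # Optionally write the file names and ima and evm signatures into files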
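Review bot: `${IMA_EVM_PRIVKEY_KEYID_OPT}` is deliberately left unquoted on the new `--key` lines (new lines 77 and 91) so that a value such as `--keyid-from-cert <filename>` word-splits into two evmctl arguments, but neither the hunk nor the comment added at new lines 11-12 says so, and a reader applying the file's otherwise consistent quoting would "fix" it and break the option. Suggest extending that comment with `# Intentionally expanded unquoted at the evmctl calls so it word-splits into separate arguments; values containing whitespace are not supported.` A keyid that does not correspond to the certificate in IMA_EVM_X509 presumably leaves the kernel unable to locate the verification key in its keyring, and the only place such a mismatch would surface at build time is the `evmctl ima_verify ... --key "${IMA_EVM_X509}"` check at line 80, which covers the rootfs signing but not the ima-policy signature produced at new line 91; adding `evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" || exit 1` after it would close that gap. ima_evm_sign_rootfs begins and ends outside the hunks shown.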
