diff options
| -rw-r--r-- | meta-integrity/README.md | 1 | ||||
| -rw-r--r-- | meta-integrity/classes/ima-evm-rootfs.bbclass | 5 |
2 files changed, 6 insertions, 0 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 6439729..6845c21 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
| @@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this: | |||
| 95 | 95 | ||
| 96 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" | 96 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
| 97 | IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" | 97 | IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" |
| 98 | IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>" | ||
| 98 | IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>" | 99 | IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>" |
| 99 | IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" | 100 | IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" |
| 100 | IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" | 101 | IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" |
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 4890ba6..7ec2751 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass | |||
| @@ -12,6 +12,9 @@ IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" | |||
| 12 | # --keyid <id> or --keyid-from-cert <filename>. | 12 | # --keyid <id> or --keyid-from-cert <filename>. |
| 13 | IMA_EVM_PRIVKEY_KEYID_OPT ?= "" | 13 | IMA_EVM_PRIVKEY_KEYID_OPT ?= "" |
| 14 | 14 | ||
| 15 | # Password for the private key | ||
| 16 | IMA_EVM_EVMCTL_KEY_PASSWORD ?= "" | ||
| 17 | |||
| 15 | # Public part of certificates (used for both IMA and EVM). | 18 | # Public part of certificates (used for both IMA and EVM). |
| 16 | # The default is okay when using the example key directory. | 19 | # The default is okay when using the example key directory. |
| 17 | IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" | 20 | IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" |
| @@ -72,6 +75,8 @@ ima_evm_sign_rootfs () { | |||
| 72 | exit 1 | 75 | exit 1 |
| 73 | fi | 76 | fi |
| 74 | 77 | ||
| 78 | export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD} | ||
| 79 | |||
| 75 | bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" | 80 | bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" |
| 76 | evmctl sign --imasig ${evmctl_param} --portable -a sha256 \ | 81 | evmctl sign --imasig ${evmctl_param} --portable -a sha256 \ |
| 77 | --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}" | 82 | --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}" |