-rw-r--r--meta-integrity/README.md1
-rw-r--r--meta-integrity/classes/ima-evm-rootfs.bbclass10
2 files changed, 9 insertions, 2 deletions
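--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -97,6 +97,7 @@ the image, enable image signing in the local.conf like this:
 IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
 IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
 IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
+IMA_EVM_IMA_XATTR_OPT = "<whether to sign or hash for IMA>"
 IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
 IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 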
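--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -15,6 +15,10 @@ IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
 # Password for the private key
 IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
 
+# Whether to create IMA signatures (--imasig) or hashes (--imahash).
+# Hashes are sufficient for IMA when EVM uses signatures.
+IMA_EVM_IMA_XATTR_OPT ?= "--imasig"
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -78,11 +82,13 @@ ima_evm_sign_rootfs () {
 export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
 
 bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+evmctl sign ${IMA_EVM_IMA_XATTR_OPT} ${evmctl_param} --portable -a sha256 \
 --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
 
 # check signing key and signature verification key
-evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+if [ "${IMA_EVM_IMA_XATTR_OPT}" = "--imasig" ]; then
+evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+fi
 evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
 
 # Optionally install custom policy for loading by systemd.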
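Review bot: The new guard at new lines 89-91 only recognizes the exact string `--imasig`, so any other value of IMA_EVM_IMA_XATTR_OPT (a typo, a trailing space, extra options appended) is still passed unquoted to `evmctl sign` on line 85 while the signing-key/certificate consistency check is silently skipped, and for `--imahash` nothing confirms the IMA xattr was written at all — only the EVM verify on line 92 remains. I would validate the value before the sign call rather than after it: `case "${IMA_EVM_IMA_XATTR_OPT}" in --imasig|--imahash) ;; *) bbfatal "IMA_EVM_IMA_XATTR_OPT must be --imasig or --imahash, got '${IMA_EVM_IMA_XATTR_OPT}'" ;; esac`. The comment added in the first hunk ("Hashes are sufficient for IMA when EVM uses signatures") should also carry the caveat that, as far as I know, a kernel IMA policy requiring `appraise_type=imasig` rejects hash-only files regardless of the EVM signature, so `--imahash` only works together with a matching policy. ima_evm_sign_rootfs starts and ends outside the hunk.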