From 06bd46276fbba42019f1327ecd8c4caf6a963a6f Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Wed, 19 Jun 2024 10:15:54 -0400
Subject: meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl

Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl when signing files. An example is --keyid that makes evmctl use a specific key id when signing files.

Signed-off-by: Stefan Berger
Signed-off-by: Armin Kuster
---
 meta-integrity/README.md | 1 +
 meta-integrity/classes/ima-evm-rootfs.bbclass | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 75dadd4..6439729 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this:
 IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_PRIVKEY_KEYID_OPT = ""
 IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
 IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index bc07d58..4890ba6 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -8,6 +8,10 @@ IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
 # using the example key directory.
 IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+# Additional option when signing. Allows to for example provide
+# --keyid or --keyid-from-cert .
+IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
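Review bot: The variable introduced in this hunk is IMA_EVM_PRIVKEY_KEYID_OPT, while the commit subject and body call it IMA_EVM_PRIVKEY_KEY_OPT; the description should use the name the class actually reads so that a log search finds it. The two-line comment above the assignment also reads awkwardly and does not say what the value is or how it is consumed; I would replace it with `# Additional evmctl options used when signing, e.g. "--keyid <id>" or "--keyid-from-cert <cert>".` followed by `# The value is expanded unquoted in ima_evm_sign_rootfs, so several options may be given separated by spaces.`. The second sentence is supported by the two later hunks of this file, where the variable appears unquoted on the evmctl command line.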
@@ -69,7 +73,8 @@ ima_evm_sign_rootfs () {
 fi
 bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
- evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+ --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
 # check signing key and signature verification key
 evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
@@ -82,7 +87,8 @@ ima_evm_sign_rootfs () {
 install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
 bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
- evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+ --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} "${IMAGE_ROOTFS}/etc/ima/ima-policy"
 fi
 # Optionally write the file names and ima and evm signatures into files
-- 
cgit v1.2.3-54-g00ecf
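Review bot: `${IMA_EVM_PRIVKEY_KEYID_OPT}` is left unquoted on the new evmctl line in hunk @@ -69 (and likewise in hunk @@ -82) so that a value such as `--keyid <id>` is split into two arguments, but nothing in the code says this is deliberate, and the same word splitting and glob expansion means a `--keyid-from-cert` argument whose path contains whitespace would be broken into several arguments. A one-line comment before the first command would make the contract explicit, e.g. `# IMA_EVM_PRIVKEY_KEYID_OPT is intentionally unquoted: it may carry several evmctl options`. It would also help operators reading the build log if the preceding bbnote showed the option in use, e.g. `bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY} ${IMA_EVM_PRIVKEY_KEYID_OPT}"`. The `evmctl ima_verify` call after the first signing step is presumably where a key id that does not match IMA_EVM_X509 would surface, but the policy signing in the second hunk has no comparable check, which is worth confirming. ima_evm_sign_rootfs begins and ends outside these hunks.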