From 37e5a930d70ccd6f4468606276012c9711103dc4 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Wed, 19 Jun 2024 10:15:55 -0400
Subject: meta-integrity: Enable passing private key password

Allow users to pass the private key password using IMA_EVM_EVMCTL_KEY_PASSWORD.

Signed-off-by: Stefan Berger
Signed-off-by: Armin Kuster
---
 meta-integrity/README.md | 1 +
 meta-integrity/classes/ima-evm-rootfs.bbclass | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 6439729..6845c21 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -95,6 +95,7 @@ the image, enable image signing in the local.conf like this:
 IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_EVMCTL_KEY_PASSWORD = ""
 IMA_EVM_PRIVKEY_KEYID_OPT = ""
 IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
 IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 4890ba6..7ec2751 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -12,6 +12,9 @@ IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
 # --keyid or --keyid-from-cert .
 IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
+# Password for the private key
+IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
+
 # Public part of certificates (used for both IMA and EVM).
 # The default is okay when using the example key directory.
 IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -72,6 +75,8 @@ ima_evm_sign_rootfs () {
 exit 1
 fi
+ export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
+
 bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
 evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
 --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
--
cgit v1.2.3-54-g00ecf
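Review bot: The new `export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}` in ima_evm_sign_rootfs expands the password unquoted, so a value containing whitespace or shell metacharacters is word-split or misparsed at the export; `export EVMCTL_KEY_PASSWORD="${IMA_EVM_EVMCTL_KEY_PASSWORD}"` keeps the value intact. Because bitbake substitutes `${IMA_EVM_EVMCTL_KEY_PASSWORD}` when it writes the task's run script, the cleartext password presumably ends up in the generated run.* file under the work directory and, with verbose task logging, in the task log as well; the README line added alongside and the `# Password for the private key` comment in the first bbclass hunk should say so, and state that the empty default means the key is not password-protected. The export is also unconditional, so an empty string is handed to evmctl even when no password is configured, and whether evmctl treats that as "no password" is not visible here — guarding it with `if [ -n "${IMA_EVM_EVMCTL_KEY_PASSWORD}" ]; then export EVMCTL_KEY_PASSWORD="${IMA_EVM_EVMCTL_KEY_PASSWORD}"; fi` sidesteps the question. ima_evm_sign_rootfs starts and ends outside the hunk.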