author | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:32:12 -0500 |
committer | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:32:12 -0500 |
commit | 59ca43808c1732864eb126e4fd93d5fc61f8a6ff (patch) | |
tree | 3d4b686ca3f1e3c5584662fadb0ec6a64adcfaa1 | |
parent | bd0f4cbe405df4e1af65c7d34336dbd447084849 (diff) | |
download | meta-secure-core-59ca43808c1732864eb126e4fd93d5fc61f8a6ff.tar.gz |
meta-integrity: enable modsign support in kernel
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
3 files changed, 30 insertions, 5 deletions
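--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -1,19 +1,32 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
 
 IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
+MODSIGN_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '1', '0', d)}"
 
-DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
+DEPENDS += "${@'key-store openssl-native' \
+if d.getVar('IMA_ENABLED', True) == '1' or \
+d.getVar('MODSIGN_ENABLED', True) == '1' \
+else ''}"
 
 SRC_URI += "\
-${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \
+${@'file://ima.scc file://ima.cfg' \
 if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+${@'file://modsign.scc file://modsign.cfg' \
+if d.getVar('MODSIGN_ENABLED', True) == '1' else ''} \
 "
 
 do_configure_prepend() {
-cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
+sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
+modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key"
+modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
 
-if [ -f "$cert" ]; then
-install -m 0644 "$cert" "${B}"
+if [ -f "$sys_cert" ]; then
+install -m 0644 "$sys_cert" "${B}"
+fi
+
+if [ -f "$modsign_key" -a -f "$modsign_cert" ]; then
+cat "$modsign_key" "$modsign_cert" \
+> "${B}/modsign_key.pem"
 else
 true
 fi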
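Review bot: The concatenated PEM written at new line 29 (`> "${B}/modsign_key.pem"`) contains the module-signing private key yet is created with the task's default umask, while the public certificate on line 24 gets an explicit `install -m 0644`; the private material deserves the stricter treatment, e.g. `( umask 077; cat "$modsign_key" "$modsign_cert" > "${B}/modsign_key.pem" )`. When MODSIGN_ENABLED is "1" but either input file is missing, the `else true` branch lets do_configure finish silently and the problem presumably only surfaces later in the kernel build, since modsign.cfg points CONFIG_MODULE_SIG_KEY at that file; failing here is clearer: `elif [ "${MODSIGN_ENABLED}" = "1" ]; then` / `bbfatal "modsign enabled but $modsign_key or $modsign_cert is missing"`. The `-a` operator on line 27 is obsolescent in POSIX test; `[ -f "$modsign_key" ] && [ -f "$modsign_cert" ]` is the portable spelling. The closing brace of do_configure_prepend lies outside the hunk.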
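--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
@@ -0,0 +1,7 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_MODULE_SIG_ALL=y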
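Review bot: `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` on line 3 is a path the kernel resolves relative to its build directory, and nothing in the fragment says where that file comes from; a comment such as `# modsign_key.pem (private key + cert) is staged into the kernel build dir by do_configure_prepend in linux-yocto-integrity.inc` would save the next reader a search. With `CONFIG_MODULE_SIG_FORCE=y` on line 2 the kernel refuses to load any module that lacks a valid signature, so modules built outside this kernel recipe will presumably only load if they are signed with the same key at their own install step; that constraint is worth recording in the fragment or the commit message.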
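--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
@@ -0,0 +1,5 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+include integrity.scc
+kconf non-hardware modsign.cfg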
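Review bot: `include integrity.scc` on line 4 needs integrity.scc to be available to the kernel metadata, yet the same commit drops `file://integrity.scc file://integrity.cfg` from the IMA entry of SRC_URI in linux-yocto-integrity.inc and does not add them to the new modsign entry. If ima.scc does not pull those two files in itself (not visible here), a build with modsign enabled but ima disabled would presumably fail to resolve this include; either confirm that, or add `file://integrity.scc file://integrity.cfg` to the modsign SRC_URI entry.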