meta-integrity: enable modsign support in kernel

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
author: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-11-21 09:32:12 -0500
committer: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-11-21 09:32:12 -0500
commit: 59ca43808c1732864eb126e4fd93d5fc61f8a6ff (patch)
tree: 3d4b686ca3f1e3c5584662fadb0ec6a64adcfaa1
parent: bd0f4cbe405df4e1af65c7d34336dbd447084849 (diff)
download: meta-secure-core-59ca43808c1732864eb126e4fd93d5fc61f8a6ff.tar.gz
3 files changed, 30 insertions, 5 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index a9e5a93..a70774e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -1,19 +1,32 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
 IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
+MODSIGN_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '1', '0', d)}"
-DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
+DEPENDS += "${@'key-store openssl-native' \
+               if d.getVar('IMA_ENABLED', True) == '1' or \
+                  d.getVar('MODSIGN_ENABLED', True) == '1' \
+               else ''}"
 SRC_URI += "\
-    ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \
+    ${@'file://ima.scc file://ima.cfg' \
       if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+    ${@'file://modsign.scc file://modsign.cfg' \
+       if d.getVar('MODSIGN_ENABLED', True) == '1' else ''} \
 "
 do_configure_prepend() {
-    cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
+    sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
+    modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key"
+    modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
-    if [ -f "$cert" ]; then
+    if [ -f "$sys_cert" ]; then
-        install -m 0644 "$cert" "${B}"
+        install -m 0644 "$sys_cert" "${B}"
+    fi
+    if [ -f "$modsign_key" -a -f "$modsign_cert" ]; then
+        cat "$modsign_key" "$modsign_cert" \
+            > "${B}/modsign_key.pem"
    else
        true
    fi
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
new file mode 100644
index 0000000..4ac8dba
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
@@ -0,0 +1,7 @@
+CONFIG_MODULE_SIG=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_MODULE_SIG_ALL=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
new file mode 100644
index 0000000..99a4cdd
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
@@ -0,0 +1,5 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+include integrity.scc
+kconf non-hardware modsign.cfg
author	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-11-21 09:32:12 -0500
committer	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-11-21 09:32:12 -0500
commit	59ca43808c1732864eb126e4fd93d5fc61f8a6ff (patch)
tree	3d4b686ca3f1e3c5584662fadb0ec6a64adcfaa1
parent	bd0f4cbe405df4e1af65c7d34336dbd447084849 (diff)
download	meta-secure-core-59ca43808c1732864eb126e4fd93d5fc61f8a6ff.tar.gz

diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc index a9e5a93..a70774e 100644 --- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc +++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -1,19 +1,32 @@
1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"	1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
2		2
3	IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"	3	IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
		4	MODSIGN_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'modsign', '1', '0', d)}"
4		5
5	DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"	6	DEPENDS += "${@'key-store openssl-native' \
		7	if d.getVar('IMA_ENABLED', True) == '1' or \
		8	d.getVar('MODSIGN_ENABLED', True) == '1' \
		9	else ''}"
6		10
7	SRC_URI += "\	11	SRC_URI += "\
8	${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' \	12	${@'file://ima.scc file://ima.cfg' \
9	if d.getVar('IMA_ENABLED', True) == '1' else ''} \	13	if d.getVar('IMA_ENABLED', True) == '1' else ''} \
		14	${@'file://modsign.scc file://modsign.cfg' \
		15	if d.getVar('MODSIGN_ENABLED', True) == '1' else ''} \
10	"	16	"
11		17
12	do_configure_prepend() {	18	do_configure_prepend() {
13	cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"	19	sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
		20	modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key"
		21	modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
14		22
15	if [ -f "$cert" ]; then	23	if [ -f "$sys_cert" ]; then
16	install -m 0644 "$cert" "${B}"	24	install -m 0644 "$sys_cert" "${B}"
		25	fi
		26
		27	if [ -f "$modsign_key" -a -f "$modsign_cert" ]; then
		28	cat "$modsign_key" "$modsign_cert" \
		29	> "${B}/modsign_key.pem"
17	else	30	else
18	true	31	true
19	fi	32	fi


diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg new file mode 100644 index 0000000..4ac8dba --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.cfg
@@ -0,0 +1,7 @@
		1	CONFIG_MODULE_SIG=y
		2	CONFIG_MODULE_SIG_FORCE=y
		3	CONFIG_MODULE_SIG_KEY="modsign_key.pem"
		4	CONFIG_MODULE_SIG_HASH="sha256"
		5	CONFIG_MODULE_SIG_SHA256=y
		6	CONFIG_CRYPTO_SHA256=y
		7	CONFIG_MODULE_SIG_ALL=y


diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc new file mode 100644 index 0000000..99a4cdd --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux-yocto/modsign.scc
@@ -0,0 +1,5 @@
		1	define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
		2	define KFEATURE_COMPATIBILITY all
		3
		4	include integrity.scc
		5	kconf non-hardware modsign.cfg