diff options
| author | Tom Rini <trini@konsulko.com> | 2018-05-16 23:08:35 -0400 |
|---|---|---|
| committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2018-05-17 20:36:23 +0800 |
| commit | a8419d577a840ef86bce479af2057e454d8b1bc0 (patch) | |
| tree | 353a88e1385324491682674589ea21f2bd83e0fe | |
| parent | c804f2591498d5d400e12340346e6b190623ddc6 (diff) | |
| download | meta-secure-core-a8419d577a840ef86bce479af2057e454d8b1bc0.tar.gz | |
meta-integrity, meta-signing-key: Populate the secondary keyring
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
| -rwxr-xr-x | meta-integrity/recipes-core/initrdscripts/files/init.ima | 13 | ||||
| -rw-r--r-- | meta-signing-key/recipes-support/key-store/key-store_0.1.bb | 13 |
2 files changed, 24 insertions, 2 deletions
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima index f11ff13..c663817 100755 --- a/meta-integrity/recipes-core/initrdscripts/files/init.ima +++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima | |||
| @@ -97,6 +97,19 @@ fi | |||
| 97 | 97 | ||
| 98 | mount --move ${ROOT_DIR}/proc /proc | 98 | mount --move ${ROOT_DIR}/proc /proc |
| 99 | 99 | ||
| 100 | # If we have a secondary trusted keyring, here is the opportunity to load | ||
| 101 | # additional trusted keys from the real rootfs. | ||
| 102 | for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do | ||
| 103 | [ ! -s "$cert" ] && continue | ||
| 104 | name=`basename $cert` | ||
| 105 | |||
| 106 | if ! keyctl padd asymmetric "$name" %:.secondary_trusted_keys < $cert > ${ROOT_DIR}/dev/null; then | ||
| 107 | print_critical "Unable to load the secondary certificate $cert" | ||
| 108 | else | ||
| 109 | print_verbose "The secondary certificate $cert has been loaded" | ||
| 110 | fi | ||
| 111 | done | ||
| 112 | |||
| 100 | # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was | 113 | # The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was |
| 101 | # automatically loaded by kernel already. Here is the opportunity to load | 114 | # automatically loaded by kernel already. Here is the opportunity to load |
| 102 | # a custom IMA certificate from the real rootfs. | 115 | # a custom IMA certificate from the real rootfs. |
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 66691cc..30485a7 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb | |||
| @@ -31,6 +31,7 @@ SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" | |||
| 31 | 31 | ||
| 32 | # For ${PN}-secondary-trusted-cert | 32 | # For ${PN}-secondary-trusted-cert |
| 33 | SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt" | 33 | SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt" |
| 34 | SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.der" | ||
| 34 | 35 | ||
| 35 | # For ${PN}-modsign-cert | 36 | # For ${PN}-modsign-cert |
| 36 | MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" | 37 | MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" |
| @@ -99,6 +100,8 @@ do_install() { | |||
| 99 | key_dir="${@uks_secondary_trusted_keys_dir(d)}" | 100 | key_dir="${@uks_secondary_trusted_keys_dir(d)}" |
| 100 | install -m 0644 "$key_dir/secondary_trusted_key.crt" \ | 101 | install -m 0644 "$key_dir/secondary_trusted_key.crt" \ |
| 101 | "${D}${SECONDARY_TRUSTED_CERT}" | 102 | "${D}${SECONDARY_TRUSTED_CERT}" |
| 103 | openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \ | ||
| 104 | -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}" | ||
| 102 | 105 | ||
| 103 | if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then | 106 | if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then |
| 104 | install -m 0400 "$key_dir/secondary_trusted_key.key" \ | 107 | install -m 0400 "$key_dir/secondary_trusted_key.key" \ |
| @@ -167,8 +170,14 @@ PACKAGES_DYNAMIC = "\ | |||
| 167 | FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" | 170 | FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" |
| 168 | CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" | 171 | CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" |
| 169 | 172 | ||
| 170 | FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" | 173 | FILES_${PN}-secondary-trusted-cert = "\ |
| 171 | CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}" | 174 | ${SECONDARY_TRUSTED_CERT} \ |
| 175 | ${SECONDARY_TRUSTED_DER_ENC_CERT} \ | ||
| 176 | " | ||
| 177 | CONFFILES_${PN}-secondary-trusted-cert = "\ | ||
| 178 | ${SECONDARY_TRUSTED_CERT} \ | ||
| 179 | ${SECONDARY_TRUSTED_DER_ENC_CERT} \ | ||
| 180 | " | ||
| 172 | 181 | ||
| 173 | FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" | 182 | FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" |
| 174 | CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}" | 183 | CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}" |