meta-signing-key: support to build key-store with modsign and extra system trusted key support

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
author: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-11-21 09:30:51 -0500
committer: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-11-21 09:30:51 -0500
commit: bd0f4cbe405df4e1af65c7d34336dbd447084849 (patch)
tree: b7cf3c02cc13b9cf0859aeaf8a6747cd407f986f
parent: a97b3363b63e8589b897e5dd357d6755d7d4c8c4 (diff)
download: meta-secure-core-bd0f4cbe405df4e1af65c7d34336dbd447084849.tar.gz
3 files changed, 120 insertions, 6 deletions
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 9af758f..03e1b2c 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
 UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
 MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
+MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
-SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
+SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
+EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 def vprint(str, d):
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
    set_keys_dir('SYSTEM_TRUSTED', d)
    return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+def uks_extra_system_trusted_keys_dir(d):
+    set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
+    return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+def uks_modsign_keys_dir(d):
+    set_keys_dir('MODSIGN', d)
+    return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
 def uks_ima_keys_dir(d):
    set_keys_dir('IMA', d)
    return d.getVar('IMA_KEYS_DIR', True) + '/'
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
        vprint("%s.crt is unavailable" % _, d)
        return False
+def check_extra_system_trusted_keys(d):
+    dir = uks_extra_system_trusted_keys_dir(d)
+    _ = 'extra_system_trusted_key'
+    if not os.path.exists(dir + _ + '.key'):
+        vprint("%s.key is unavailable" % _, d)
+        return False
+    if not os.path.exists(dir + _ + '.crt'):
+        vprint("%s.crt is unavailable" % _, d)
+        return False
+def check_modsign_keys(d):
+    dir = uks_modsign_keys_dir(d)
+    _ = 'modsign_key'
+    if not os.path.exists(dir + _ + '.key'):
+        vprint("%s.key is unavailable" % _, d)
+        return False
+    if not os.path.exists(dir + _ + '.crt'):
+        vprint("%s.crt is unavailable" % _, d)
+        return False
 def check_rpm_keys(d):
    dir = uks_rpm_keys_dir(d)
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
    fi
 }
+deploy_extra_system_trusted_keys() {
+    local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+    if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+        install -d "$deploy_dir"
+        cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+    fi
+}
+deploy_modsign_keys() {
+    local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
+    if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
+        install -d "$deploy_dir"
+        cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
+    fi
+}
 def deploy_keys(name, d):
    d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
             d.getVar('SIGNING_MODEL', True) + '-keys')
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
        _ = check_ima_user_keys(d)
    elif name == 'SYSTEM_TRUSTED':
        _ = check_system_trusted_keys(d)
+    elif name == 'EXTRA_SYSTEM_TRUSTED':
+        _ = check_extra_system_trusted_keys(d)
+    elif name == 'MODSIGN':
+        _ = check_modsign_keys(d)
    elif name == 'RPM':
        _ = check_rpm_keys(d)
    else:
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
        d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 python check_deploy_keys() {
-    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
+    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
        if d.getVar(_, True) != "1":
            continue
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 7b7127e..939f71a 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
+SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
+EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 BB_HASHBASE_WHITELIST_append += "\
    SYSTEM_TRUSTED_KEYS_DIR \
+    EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+    MODSIGN_KEYS_DIR \
    IMA_KEYS_DIR \
    RPM_KEYS_DIR \
    UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 86a0f45..60e2491 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
+# For ${PN}-extra-system-trusted-privkey
+EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+# For ${PN}-modsign-privkey
+MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
 # For ${PN}-ima-privkey
 IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
+# For ${PN}-extra-system-trusted-cert
+EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+# For ${PN}-modsign-cert
+MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
 # For ${PN}-ima-cert
 IMA_CERT = "${KEY_DIR}/x509_evm.der"
@@ -35,7 +47,17 @@ python () {
    d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
    d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
-    pn = d.getVar('PN', True) + '-ima-privkey'
+    pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+    d.setVar('PACKAGES_prepend', pn + ' ')
+    d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    pn = d.getVar('PN', True) + '-modsign-privkey'
+    d.setVar('PACKAGES_prepend', pn + ' ')
+    d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+    pn = d.getVar('PN', True) + 'ima-privkey'
    d.setVar('PACKAGES_prepend', pn + ' ')
    d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
    d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
@@ -74,6 +96,24 @@ do_install() {
        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
    fi
+    key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
+    install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
+        "${D}${EXTRA_SYSTEM_CERT}"
+    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+        install -m 0400 "$key_dir/extra_system_trusted_key.key" \
+            "${D}${EXTRA_SYSTEM_PRIV_KEY}"
+    fi
+    key_dir="${@uks_modsign_keys_dir(d)}"
+    install -m 0644 "$key_dir/modsign_key.crt" \
+        "${D}${MODSIGN_CERT}"
+    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+        install -m 0400 "$key_dir/modsign_key.key" \
+            "${D}${MODSIGN_PRIV_KEY}"
+    fi
    key_dir="${@uks_ima_keys_dir(d)}"
    install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
    fi
 }
-PACKAGES =+ "\
+PACKAGES = "\
    ${PN}-system-trusted-cert \
+    ${PN}-extra-system-trusted-cert \
+    ${PN}-modsign-cert \
    ${PN}-ima-cert \
 "
 # Note any private key is not available if user key signing model used.
-PACKAGES_DYNAMIC += "\
+PACKAGES_DYNAMIC = "\
-    ${PN}-ima-privkey \
    ${PN}-system-trusted-privkey \
+    ${PN}-extra-system-trusted-privkey \
+    ${PN}-modsign-privkey \
+    ${PN}-ima-privkey \
    ${PN}-rpm-pubkey \
 "
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
+FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
+CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
 FILES_${PN}-ima-cert = "${IMA_CERT}"
 CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
author	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-11-21 09:30:51 -0500
committer	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-11-21 09:30:51 -0500
commit	bd0f4cbe405df4e1af65c7d34336dbd447084849 (patch)
tree	b7cf3c02cc13b9cf0859aeaf8a6747cd407f986f
parent	a97b3363b63e8589b897e5dd357d6755d7d4c8c4 (diff)
download	meta-secure-core-bd0f4cbe405df4e1af65c7d34336dbd447084849.tar.gz

diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 9af758f..03e1b2c 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
9		9
10	UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'	10	UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
11	MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'	11	MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
		12	MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
12	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'	13	IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
13	SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'	14	SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
		15	EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
14	RPM = '1'	16	RPM = '1'
15		17
16	def vprint(str, d):	18	def vprint(str, d):
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
24	set_keys_dir('SYSTEM_TRUSTED', d)	26	set_keys_dir('SYSTEM_TRUSTED', d)
25	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'	27	return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
26		28
		29	def uks_extra_system_trusted_keys_dir(d):
		30	set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
		31	return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
		32
		33	def uks_modsign_keys_dir(d):
		34	set_keys_dir('MODSIGN', d)
		35	return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
		36
27	def uks_ima_keys_dir(d):	37	def uks_ima_keys_dir(d):
28	set_keys_dir('IMA', d)	38	set_keys_dir('IMA', d)
29	return d.getVar('IMA_KEYS_DIR', True) + '/'	39	return d.getVar('IMA_KEYS_DIR', True) + '/'
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
163	vprint("%s.crt is unavailable" % _, d)	173	vprint("%s.crt is unavailable" % _, d)
164	return False	174	return False
165		175
		176	def check_extra_system_trusted_keys(d):
		177	dir = uks_extra_system_trusted_keys_dir(d)
		178
		179	_ = 'extra_system_trusted_key'
		180	if not os.path.exists(dir + _ + '.key'):
		181	vprint("%s.key is unavailable" % _, d)
		182	return False
		183
		184	if not os.path.exists(dir + _ + '.crt'):
		185	vprint("%s.crt is unavailable" % _, d)
		186	return False
		187
		188	def check_modsign_keys(d):
		189	dir = uks_modsign_keys_dir(d)
		190
		191	_ = 'modsign_key'
		192	if not os.path.exists(dir + _ + '.key'):
		193	vprint("%s.key is unavailable" % _, d)
		194	return False
		195
		196	if not os.path.exists(dir + _ + '.crt'):
		197	vprint("%s.crt is unavailable" % _, d)
		198	return False
		199
166	def check_rpm_keys(d):	200	def check_rpm_keys(d):
167	dir = uks_rpm_keys_dir(d)	201	dir = uks_rpm_keys_dir(d)
168		202
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
345	fi	379	fi
346	}	380	}
347		381
		382	deploy_extra_system_trusted_keys() {
		383	local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
		384
		385	if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
		386	install -d "$deploy_dir"
		387
		388	cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
		389	fi
		390	}
		391
		392	deploy_modsign_keys() {
		393	local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
		394
		395	if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
		396	install -d "$deploy_dir"
		397
		398	cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
		399	fi
		400	}
		401
348	def deploy_keys(name, d):	402	def deploy_keys(name, d):
349	d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \	403	d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
350	d.getVar('SIGNING_MODEL', True) + '-keys')	404	d.getVar('SIGNING_MODEL', True) + '-keys')
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
359	_ = check_ima_user_keys(d)	413	_ = check_ima_user_keys(d)
360	elif name == 'SYSTEM_TRUSTED':	414	elif name == 'SYSTEM_TRUSTED':
361	_ = check_system_trusted_keys(d)	415	_ = check_system_trusted_keys(d)
		416	elif name == 'EXTRA_SYSTEM_TRUSTED':
		417	_ = check_extra_system_trusted_keys(d)
		418	elif name == 'MODSIGN':
		419	_ = check_modsign_keys(d)
362	elif name == 'RPM':	420	elif name == 'RPM':
363	_ = check_rpm_keys(d)	421	_ = check_rpm_keys(d)
364	else:	422	else:
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
382	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')	440	d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
383		441
384	python check_deploy_keys() {	442	python check_deploy_keys() {
385	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):	443	for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
386	if d.getVar(_, True) != "1":	444	if d.getVar(_, True) != "1":
387	continue	445	continue
388		446


diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 7b7127e..939f71a 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"	17	SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"	18	SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"	19	SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
		20	SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
		21	SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
20	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"	22	SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
21	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"	23	SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
22		24
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
31	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"	33	MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
32	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"	34	UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
33	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"	35	SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
		36	EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
		37	MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
34	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"	38	IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
35	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"	39	RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
36		40
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
46		50
47	BB_HASHBASE_WHITELIST_append += "\	51	BB_HASHBASE_WHITELIST_append += "\
48	SYSTEM_TRUSTED_KEYS_DIR \	52	SYSTEM_TRUSTED_KEYS_DIR \
		53	EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
		54	MODSIGN_KEYS_DIR \
49	IMA_KEYS_DIR \	55	IMA_KEYS_DIR \
50	RPM_KEYS_DIR \	56	RPM_KEYS_DIR \
51	UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \	57	UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \


diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 86a0f45..60e2491 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
17	# For ${PN}-system-trusted-privkey	17	# For ${PN}-system-trusted-privkey
18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"	18	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
19		19
		20	# For ${PN}-extra-system-trusted-privkey
		21	EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
		22
		23	# For ${PN}-modsign-privkey
		24	MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
		25
20	# For ${PN}-ima-privkey	26	# For ${PN}-ima-privkey
21	IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"	27	IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
22		28
23	# For ${PN}-system-trusted-cert	29	# For ${PN}-system-trusted-cert
24	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"	30	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
25		31
		32	# For ${PN}-extra-system-trusted-cert
		33	EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
		34
		35	# For ${PN}-modsign-cert
		36	MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
		37
26	# For ${PN}-ima-cert	38	# For ${PN}-ima-cert
27	IMA_CERT = "${KEY_DIR}/x509_evm.der"	39	IMA_CERT = "${KEY_DIR}/x509_evm.der"
28		40
@@ -35,7 +47,17 @@ python () {
35	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	47	d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
36	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))	48	d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
37		49
38	pn = d.getVar('PN', True) + '-ima-privkey'	50	pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
		51	d.setVar('PACKAGES_prepend', pn + ' ')
		52	d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
		53	d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
		54
		55	pn = d.getVar('PN', True) + '-modsign-privkey'
		56	d.setVar('PACKAGES_prepend', pn + ' ')
		57	d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
		58	d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
		59
		60	pn = d.getVar('PN', True) + 'ima-privkey'
39	d.setVar('PACKAGES_prepend', pn + ' ')	61	d.setVar('PACKAGES_prepend', pn + ' ')
40	d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))	62	d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
41	d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))	63	d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
@@ -74,6 +96,24 @@ do_install() {
74	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"	96	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
75	fi	97	fi
76		98
		99	key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
		100	install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
		101	"${D}${EXTRA_SYSTEM_CERT}"
		102
		103	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
		104	install -m 0400 "$key_dir/extra_system_trusted_key.key" \
		105	"${D}${EXTRA_SYSTEM_PRIV_KEY}"
		106	fi
		107
		108	key_dir="${@uks_modsign_keys_dir(d)}"
		109	install -m 0644 "$key_dir/modsign_key.crt" \
		110	"${D}${MODSIGN_CERT}"
		111
		112	if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
		113	install -m 0400 "$key_dir/modsign_key.key" \
		114	"${D}${MODSIGN_PRIV_KEY}"
		115	fi
		116
77	key_dir="${@uks_ima_keys_dir(d)}"	117	key_dir="${@uks_ima_keys_dir(d)}"
78	install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"	118	install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
79		119
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
108	fi	148	fi
109	}	149	}
110		150
111	PACKAGES =+ "\	151	PACKAGES = "\
112	${PN}-system-trusted-cert \	152	${PN}-system-trusted-cert \
		153	${PN}-extra-system-trusted-cert \
		154	${PN}-modsign-cert \
113	${PN}-ima-cert \	155	${PN}-ima-cert \
114	"	156	"
115		157
116	# Note any private key is not available if user key signing model used.	158	# Note any private key is not available if user key signing model used.
117	PACKAGES_DYNAMIC += "\	159	PACKAGES_DYNAMIC = "\
118	${PN}-ima-privkey \
119	${PN}-system-trusted-privkey \	160	${PN}-system-trusted-privkey \
		161	${PN}-extra-system-trusted-privkey \
		162	${PN}-modsign-privkey \
		163	${PN}-ima-privkey \
120	${PN}-rpm-pubkey \	164	${PN}-rpm-pubkey \
121	"	165	"
122		166
123	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	167	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
124	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	168	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
125		169
		170	FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
		171	CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
		172
		173	FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
		174	CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
		175
126	FILES_${PN}-ima-cert = "${IMA_CERT}"	176	FILES_${PN}-ima-cert = "${IMA_CERT}"
127	CONFFILES_${PN}-ima-cert = "${IMA_CERT}"	177	CONFFILES_${PN}-ima-cert = "${IMA_CERT}"