author | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:30:51 -0500 |
---|---|---|
committer | Jia Zhang <qianyue.zj@alibaba-inc.com> | 2017-11-21 09:30:51 -0500 |
commit | bd0f4cbe405df4e1af65c7d34336dbd447084849 (patch) | |
tree | b7cf3c02cc13b9cf0859aeaf8a6747cd407f986f | |
parent | a97b3363b63e8589b897e5dd357d6755d7d4c8c4 (diff) | |
download | meta-secure-core-bd0f4cbe405df4e1af65c7d34336dbd447084849.tar.gz |
meta-signing-key: support to build key-store with modsign and extra system trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
-rw-r--r-- | meta-signing-key/classes/user-key-store.bbclass | 62 | ||||
-rw-r--r-- | meta-signing-key/conf/layer.conf | 6 | ||||
-rw-r--r-- | meta-signing-key/recipes-support/key-store/key-store_0.1.bb | 58 |
3 files changed, 120 insertions, 6 deletions
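--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
 
 UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
 MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
+MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
-SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
+SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
+EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 
 def vprint(str, d):
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
 set_keys_dir('SYSTEM_TRUSTED', d)
 return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
 
+def uks_extra_system_trusted_keys_dir(d):
+set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
+return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+
+def uks_modsign_keys_dir(d):
+set_keys_dir('MODSIGN', d)
+return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
+
 def uks_ima_keys_dir(d):
 set_keys_dir('IMA', d)
 return d.getVar('IMA_KEYS_DIR', True) + '/'
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
 vprint("%s.crt is unavailable" % _, d)
 return False
 
+def check_extra_system_trusted_keys(d):
+dir = uks_extra_system_trusted_keys_dir(d)
+
+_ = 'extra_system_trusted_key'
+if not os.path.exists(dir + _ + '.key'):
+vprint("%s.key is unavailable" % _, d)
+return False
+
+if not os.path.exists(dir + _ + '.crt'):
+vprint("%s.crt is unavailable" % _, d)
+return False
+
+def check_modsign_keys(d):
+dir = uks_modsign_keys_dir(d)
+
+_ = 'modsign_key'
+if not os.path.exists(dir + _ + '.key'):
+vprint("%s.key is unavailable" % _, d)
+return False
+
+if not os.path.exists(dir + _ + '.crt'):
+vprint("%s.crt is unavailable" % _, d)
+return False
+
 def check_rpm_keys(d):
 dir = uks_rpm_keys_dir(d)
 
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
 fi
 }
 
+deploy_extra_system_trusted_keys() {
+local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+
+if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+install -d "$deploy_dir"
+
+cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+fi
+}
+
+deploy_modsign_keys() {
+local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
+
+if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
+install -d "$deploy_dir"
+
+cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
+fi
+}
+
 def deploy_keys(name, d):
 d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
 d.getVar('SIGNING_MODEL', True) + '-keys')
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
 _ = check_ima_user_keys(d)
 elif name == 'SYSTEM_TRUSTED':
 _ = check_system_trusted_keys(d)
+elif name == 'EXTRA_SYSTEM_TRUSTED':
+_ = check_extra_system_trusted_keys(d)
+elif name == 'MODSIGN':
+_ = check_modsign_keys(d)
 elif name == 'RPM':
 _ = check_rpm_keys(d)
 else:
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
 d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 
 python check_deploy_keys() {
-for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
+for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
 if d.getVar(_, True) != "1":
 continue
 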
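Review bot: The new `SYSTEM_TRUSTED` expression in the first hunk always evaluates to "1", because `d.getVar("IMA", True)` and `d.getVar("MODSIGN", True)` return the strings "1" or "0" assigned just above it, and any non-empty string is truthy in Python. `EXTRA_SYSTEM_TRUSTED` on the next line has the same problem, so the `!= "1"` test in `check_deploy_keys` (last hunk) will never skip these two key sets, even when neither `ima` nor `modsign` is in DISTRO_FEATURES. Compare against the string value instead: `SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) == "1" or d.getVar("MODSIGN", True) == "1" else "0"}'` and `EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) == "1" else "0"}'`.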
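--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
+SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
 
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
+EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
 
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 
 BB_HASHBASE_WHITELIST_append += "\
 SYSTEM_TRUSTED_KEYS_DIR \
+EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+MODSIGN_KEYS_DIR \
 IMA_KEYS_DIR \
 RPM_KEYS_DIR \
 UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \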
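Review bot: The two new `??=` defaults in the second hunk point `EXTRA_SYSTEM_TRUSTED_KEYS_DIR` and `MODSIGN_KEYS_DIR` at directories under `${LAYERDIR}/files`, and nothing here says those sample keys are only fit for testing. Assuming the private halves are checked into the layer like the other sample keys, a build that enables `modsign` without overriding these variables would produce an image that trusts module signatures made with a non-secret key. A comment above the two lines would make that explicit, for example `# Sample keys ship with this layer and are not secret; point MODSIGN_KEYS_DIR and EXTRA_SYSTEM_TRUSTED_KEYS_DIR at private key directories for production builds.`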
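--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
 
+# For ${PN}-extra-system-trusted-privkey
+EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+
+# For ${PN}-modsign-privkey
+MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
+
 # For ${PN}-ima-privkey
 IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
 
+# For ${PN}-extra-system-trusted-cert
+EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+
+# For ${PN}-modsign-cert
+MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
+
 # For ${PN}-ima-cert
 IMA_CERT = "${KEY_DIR}/x509_evm.der"
 
@@ -35,7 +47,17 @@ python () {
 d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
 d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
 
-pn = d.getVar('PN', True) + '-ima-privkey'
+pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+d.setVar('PACKAGES_prepend', pn + ' ')
+d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+
+pn = d.getVar('PN', True) + '-modsign-privkey'
+d.setVar('PACKAGES_prepend', pn + ' ')
+d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+
+pn = d.getVar('PN', True) + 'ima-privkey'
 d.setVar('PACKAGES_prepend', pn + ' ')
 d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
 d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
@@ -74,6 +96,24 @@ do_install() {
 install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
 fi
 
+key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
+install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
+"${D}${EXTRA_SYSTEM_CERT}"
+
+if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+install -m 0400 "$key_dir/extra_system_trusted_key.key" \
+"${D}${EXTRA_SYSTEM_PRIV_KEY}"
+fi
+
+key_dir="${@uks_modsign_keys_dir(d)}"
+install -m 0644 "$key_dir/modsign_key.crt" \
+"${D}${MODSIGN_CERT}"
+
+if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+install -m 0400 "$key_dir/modsign_key.key" \
+"${D}${MODSIGN_PRIV_KEY}"
+fi
+
 key_dir="${@uks_ima_keys_dir(d)}"
 install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
 
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
 fi
 }
 
-PACKAGES =+ "\
+PACKAGES = "\
 ${PN}-system-trusted-cert \
+${PN}-extra-system-trusted-cert \
+${PN}-modsign-cert \
 ${PN}-ima-cert \
 "
 
 # Note any private key is not available if user key signing model used.
-PACKAGES_DYNAMIC += "\
-${PN}-ima-privkey \
+PACKAGES_DYNAMIC = "\
 ${PN}-system-trusted-privkey \
+${PN}-extra-system-trusted-privkey \
+${PN}-modsign-privkey \
+${PN}-ima-privkey \
 ${PN}-rpm-pubkey \
 "
 
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 
+FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+
+FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
+CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
+
 FILES_${PN}-ima-cert = "${IMA_CERT}"
 CONFFILES_${PN}-ima-cert = "${IMA_CERT}"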
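Review bot: The re-added IMA line in the `python ()` hunk drops the leading dash: `pn = d.getVar('PN', True) + 'ima-privkey'` builds a package name without the separator, while the line it replaces and the `PACKAGES_DYNAMIC` list in the last hunk both use `${PN}-ima-privkey`. The `FILES_` and `CONFFILES_` entries for the IMA private key are then set on a differently named package, so the key is probably not packaged under the name other recipes expect. It should read `pn = d.getVar('PN', True) + '-ima-privkey'`. The anonymous function starts and ends outside the hunk.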