summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJia Zhang <qianyue.zj@alibaba-inc.com>2019-10-01 09:29:24 +0800
committerGitHub <noreply@github.com>2019-10-01 09:29:24 +0800
commit2d8b45a3d8c130e072aadf8b43b16ccbcb3b741e (patch)
tree24b2328e621e53bc8a8007deff78ce6e7ed160a0
parent809a4774a09e79e30ab6620648bc5d1056e1e733 (diff)
parentf2db9e0de6934f3533449056eadd646784833d1f (diff)
downloadmeta-secure-core-2d8b45a3d8c130e072aadf8b43b16ccbcb3b741e.tar.gz
Merge pull request #118 from lumag/drop-privkeys
Security: do not install private keys into rootfs
Diffstat
-rw-r--r--meta-integrity/README.md9
-rw-r--r--meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb4
-rw-r--r--meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc4
-rw-r--r--meta-signing-key/recipes-support/key-store/key-store_0.1.bb54
4 files changed, 10 insertions, 61 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index ad17c05..32365e9 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -110,14 +110,15 @@ default, the sample keys are used for the purpose of development and
110demonstration. Please ensure you know what your risk is to use the sample keys 110demonstration. Please ensure you know what your risk is to use the sample keys
111in your product, because they are completely public. 111in your product, because they are completely public.
112 112
113If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key. 113Private keys are not installed into the target image. If you understand your
114risks, you can copy them to your target file system or to an external storage.
114 115
115A typical signing command is as following: 116If you do so, a typical signing command is as following:
116 117
117 # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> /path/to/file 118 # evmctl ima_sign --hashalgo sha256 --key path/to/x509_ima.key --pass=<passowrd> /path/to/file
118or 119or
119 120
120 # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> -r /path/to/directory 121 # evmctl ima_sign --hashalgo sha256 --key /path/to/x509_ima.key --pass=<passowrd> -r /path/to/directory
121 122
122The following command can be used to verify a file's IMA signature with specified certificate: 123The following command can be used to verify a file's IMA signature with specified certificate:
123 124
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
index e8885cc..7755a87 100644
--- a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
@@ -15,6 +15,6 @@ RDEPENDS_${PN} += "\
15 15
16# Note any private key is not available if user key signing model used. 16# Note any private key is not available if user key signing model used.
17RRECOMMENDS_${PN} += "\ 17RRECOMMENDS_${PN} += "\
18 key-store-ima-privkey \ 18 key-store-ima-cert \
19 key-store-system-trusted-privkey \ 19 key-store-system-trusted-cert \
20" 20"
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index b950acd..829c485 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -17,9 +17,11 @@ SRC_URI += "\
17 17
18INHIBIT_PACKAGE_STRIP = "${@'1' if d.getVar('MODSIGN_ENABLED', True) == '1' else '0'}" 18INHIBIT_PACKAGE_STRIP = "${@'1' if d.getVar('MODSIGN_ENABLED', True) == '1' else '0'}"
19 19
20inherit ${@'user-key-store' if d.getVar('MODSIGN_ENABLED', True) == '1' else ''}
21
20do_configure_prepend() { 22do_configure_prepend() {
21 sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt" 23 sys_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.crt"
22 modsign_key="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.key" 24 modsign_key="${@uks_modsign_keys_dir(d)}/modsign_key.key"
23 modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt" 25 modsign_cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/modsign_key.crt"
24 26
25 if [ -f "$sys_cert" ]; then 27 if [ -f "$sys_cert" ]; then
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index d83b79c..9dc7cae 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -14,18 +14,6 @@ KEY_DIR = "${sysconfdir}/keys"
14# For RPM verification 14# For RPM verification
15RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" 15RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
16 16
17# For ${PN}-system-trusted-privkey
18SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
19
20# For ${PN}-secondary-trusted-privkey
21SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
22
23# For ${PN}-modsign-privkey
24MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
25
26# For ${PN}-ima-privkey
27IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
28
29# For ${PN}-system-trusted-cert 17# For ${PN}-system-trusted-cert
30SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" 18SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
31 19
@@ -43,26 +31,6 @@ python () {
43 if not (uks_signing_model(d) in "sample", "user"): 31 if not (uks_signing_model(d) in "sample", "user"):
44 return 32 return
45 33
46 pn = d.getVar('PN', True) + '-system-trusted-privkey'
47 d.setVar('PACKAGES_prepend', pn + ' ')
48 d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
49 d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
50
51 pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
52 d.setVar('PACKAGES_prepend', pn + ' ')
53 d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
54 d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
55
56 pn = d.getVar('PN', True) + '-modsign-privkey'
57 d.setVar('PACKAGES_prepend', pn + ' ')
58 d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
59 d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
60
61 pn = d.getVar('PN', True) + '-ima-privkey'
62 d.setVar('PACKAGES_prepend', pn + ' ')
63 d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
64 d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
65
66 pn = d.getVar('PN', True) + '-rpm-pubkey' 34 pn = d.getVar('PN', True) + '-rpm-pubkey'
67 d.setVar('PACKAGES_prepend', pn + ' ') 35 d.setVar('PACKAGES_prepend', pn + ' ')
68 d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True)) 36 d.setVar('FILES_' + pn, d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-' + d.getVar('RPM_GPG_NAME', True))
@@ -93,36 +61,18 @@ do_install() {
93 key_dir="${@uks_system_trusted_keys_dir(d)}" 61 key_dir="${@uks_system_trusted_keys_dir(d)}"
94 install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}" 62 install -m 0644 "$key_dir/system_trusted_key.crt" "${D}${SYSTEM_CERT}"
95 63
96 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
97 install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
98 fi
99
100 key_dir="${@uks_secondary_trusted_keys_dir(d)}" 64 key_dir="${@uks_secondary_trusted_keys_dir(d)}"
101 install -m 0644 "$key_dir/secondary_trusted_key.crt" \ 65 install -m 0644 "$key_dir/secondary_trusted_key.crt" \
102 "${D}${SECONDARY_TRUSTED_CERT}" 66 "${D}${SECONDARY_TRUSTED_CERT}"
103 openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \ 67 openssl x509 -inform PEM -outform DER -in "${D}${SECONDARY_TRUSTED_CERT}" \
104 -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}" 68 -out "${D}${SECONDARY_TRUSTED_DER_ENC_CERT}"
105 69
106 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
107 install -m 0400 "$key_dir/secondary_trusted_key.key" \
108 "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
109 fi
110
111 key_dir="${@uks_modsign_keys_dir(d)}" 70 key_dir="${@uks_modsign_keys_dir(d)}"
112 install -m 0644 "$key_dir/modsign_key.crt" \ 71 install -m 0644 "$key_dir/modsign_key.crt" \
113 "${D}${MODSIGN_CERT}" 72 "${D}${MODSIGN_CERT}"
114 73
115 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
116 install -m 0400 "$key_dir/modsign_key.key" \
117 "${D}${MODSIGN_PRIV_KEY}"
118 fi
119
120 key_dir="${@uks_ima_keys_dir(d)}" 74 key_dir="${@uks_ima_keys_dir(d)}"
121 install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}" 75 install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
122
123 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
124 install -m 0400 "$key_dir/x509_ima.key" "${D}${IMA_PRIV_KEY}"
125 fi
126} 76}
127 77
128do_install[prefuncs] += "check_deploy_keys" 78do_install[prefuncs] += "check_deploy_keys"
@@ -158,10 +108,6 @@ PACKAGES = "\
158 108
159# Note any private key is not available if user key signing model used. 109# Note any private key is not available if user key signing model used.
160PACKAGES_DYNAMIC = "\ 110PACKAGES_DYNAMIC = "\
161 ${PN}-system-trusted-privkey \
162 ${PN}-secondary-trusted-privkey \
163 ${PN}-modsign-privkey \
164 ${PN}-ima-privkey \
165 ${PN}-rpm-pubkey \ 111 ${PN}-rpm-pubkey \
166" 112"
167 113
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-27 04:15:47 +0000