Use the DER-formatted system trusted key

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-07-03 15:50:59 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-07-03 15:50:59 +0800
commit: 353a003f1bd422ea71ed7009e2d7ed04476bc6e2 (patch)
tree: badd337c0b4bc19b81f33fc3b8f6d72c0e7a4422
parent: 3816bb03fd895b37d9eca3b2e4f68283a999c3e6 (diff)
download: meta-secure-core-353a003f1bd422ea71ed7009e2d7ed04476bc6e2.tar.gz
3 files changed, 30 insertions, 7 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index 247ae55..2e636cf 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -11,9 +11,10 @@ SRC_URI += "\
 "
 do_configure_append() {
-    if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then
+    cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der"
-        openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
-            -outform DER -out "${B}/system_trusted_cert.x509"
+    if [ -f "$cert" ]; then
+        install -m 0644 "$cert" "${B}/system_trusted_cert.x509"
    else
        true
    fi
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 7b9572e..41e6797 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -29,10 +29,10 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
 # For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.pem"
+IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 # For ${PN}-system-trusted-cert
-SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.pem"
+SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der"
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
@@ -83,7 +83,7 @@ do_install() {
    install -d "${D}${KEY_DIR}"
    key_dir="${@uks_system_trusted_keys_dir(d)}"
-    install -m 0644 "$key_dir/system_trusted_key.pem" "${D}${SYSTEM_CERT}"
+    install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}"
    if [ "${@uks_signing_model(d)}" = "sample" ]; then
        install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index fc871a7..b8cce9e 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -47,6 +47,13 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
 SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
+pem2der() {
+    local src="$1"
+    local dst="${src/.crt/.der}"
+    openssl x509 -in "$src" -outform DER -out "$dst"
+}
 ca_sign() {
    local key_dir="$1"
    local key_name="$2"
@@ -68,8 +75,17 @@ ca_sign() {
            -keyout "$key_dir/$key_name.key" \
            -out "$key_dir/$key_name.csr"
+        local ca_cert="$ca_key_dir/$ca_key_name.crt"
+        local ca_cert_form="PEM"
+        [ ! -s "$ca_cert" ] && {
+            ca_cert="$ca_key_dir/$ca_key_name.der"
+            ca_cert_form="DER"
+        }
        openssl x509 -req -in "$key_dir/$key_name.csr" \
-            -CA "$ca_key_dir/$ca_key_name.crt" \
+            -CA "$ca_cert" \
+            -CAform "$ca_cert_form" \
            -CAkey "$ca_key_dir/$ca_key_name.key" \
            -set_serial 1 -days 3650 \
            -out "$key_dir/$key_name.crt"
@@ -109,6 +125,9 @@ create_system_user_key() {
    ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
        "/CN=System Trusted Certificate for $USER@`hostname`/"
+    pem2der "$key_dir/system_trusted_key.crt"
+    rm -f "$key_dir/system_trusted_key.crt"
 }
 create_ima_user_key() {
@@ -118,6 +137,9 @@ create_ima_user_key() {
    ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \
        "/CN=IMA Trusted Certificate for $USER@`hostname`/"
+    pem2der "$key_dir/x509_ima.crt"
+    rm -f "$key_dir/x509_ima.crt"
 }
 create_user_keys() {
author	Lans Zhang <jia.zhang@windriver.com>	2017-07-03 15:50:59 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-07-03 15:50:59 +0800
commit	353a003f1bd422ea71ed7009e2d7ed04476bc6e2 (patch)
tree	badd337c0b4bc19b81f33fc3b8f6d72c0e7a4422
parent	3816bb03fd895b37d9eca3b2e4f68283a999c3e6 (diff)
download	meta-secure-core-353a003f1bd422ea71ed7009e2d7ed04476bc6e2.tar.gz

diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc index 247ae55..2e636cf 100644 --- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc +++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -11,9 +11,10 @@ SRC_URI += "\
11	"	11	"
12		12
13	do_configure_append() {	13	do_configure_append() {
14	if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then	14	cert="${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.der"
15	openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \	15
16	-outform DER -out "${B}/system_trusted_cert.x509"	16	if [ -f "$cert" ]; then
		17	install -m 0644 "$cert" "${B}/system_trusted_cert.x509"
17	else	18	else
18	true	19	true
19	fi	20	fi


diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 7b9572e..41e6797 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb +++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -29,10 +29,10 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
29	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"	29	SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
30		30
31	# For ${PN}-ima-privkey	31	# For ${PN}-ima-privkey
32	IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.pem"	32	IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
33		33
34	# For ${PN}-system-trusted-cert	34	# For ${PN}-system-trusted-cert
35	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.pem"	35	SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.der"
36	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	36	FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
37	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"	37	CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
38		38
@@ -83,7 +83,7 @@ do_install() {
83	install -d "${D}${KEY_DIR}"	83	install -d "${D}${KEY_DIR}"
84		84
85	key_dir="${@uks_system_trusted_keys_dir(d)}"	85	key_dir="${@uks_system_trusted_keys_dir(d)}"
86	install -m 0644 "$key_dir/system_trusted_key.pem" "${D}${SYSTEM_CERT}"	86	install -m 0644 "$key_dir/system_trusted_key.der" "${D}${SYSTEM_CERT}"
87		87
88	if [ "${@uks_signing_model(d)}" = "sample" ]; then	88	if [ "${@uks_signing_model(d)}" = "sample" ]; then
89	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"	89	install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"


diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh index fc871a7..b8cce9e 100755 --- a/meta-signing-key/scripts/create-user-key-store.sh +++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -47,6 +47,13 @@ MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
47	SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"	47	SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
48	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"	48	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
49		49
		50	pem2der() {
		51	local src="$1"
		52	local dst="${src/.crt/.der}"
		53
		54	openssl x509 -in "$src" -outform DER -out "$dst"
		55	}
		56
50	ca_sign() {	57	ca_sign() {
51	local key_dir="$1"	58	local key_dir="$1"
52	local key_name="$2"	59	local key_name="$2"
@@ -68,8 +75,17 @@ ca_sign() {
68	-keyout "$key_dir/$key_name.key" \	75	-keyout "$key_dir/$key_name.key" \
69	-out "$key_dir/$key_name.csr"	76	-out "$key_dir/$key_name.csr"
70		77
		78	local ca_cert="$ca_key_dir/$ca_key_name.crt"
		79	local ca_cert_form="PEM"
		80
		81	[ ! -s "$ca_cert" ] && {
		82	ca_cert="$ca_key_dir/$ca_key_name.der"
		83	ca_cert_form="DER"
		84	}
		85
71	openssl x509 -req -in "$key_dir/$key_name.csr" \	86	openssl x509 -req -in "$key_dir/$key_name.csr" \
72	-CA "$ca_key_dir/$ca_key_name.crt" \	87	-CA "$ca_cert" \
		88	-CAform "$ca_cert_form" \
73	-CAkey "$ca_key_dir/$ca_key_name.key" \	89	-CAkey "$ca_key_dir/$ca_key_name.key" \
74	-set_serial 1 -days 3650 \	90	-set_serial 1 -days 3650 \
75	-out "$key_dir/$key_name.crt"	91	-out "$key_dir/$key_name.crt"
@@ -109,6 +125,9 @@ create_system_user_key() {
109		125
110	ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \	126	ca_sign "$key_dir" system_trusted_key "$key_dir" system_trusted_key \
111	"/CN=System Trusted Certificate for $USER@`hostname`/"	127	"/CN=System Trusted Certificate for $USER@`hostname`/"
		128
		129	pem2der "$key_dir/system_trusted_key.crt"
		130	rm -f "$key_dir/system_trusted_key.crt"
112	}	131	}
113		132
114	create_ima_user_key() {	133	create_ima_user_key() {
@@ -118,6 +137,9 @@ create_ima_user_key() {
118		137
119	ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \	138	ca_sign "$key_dir" x509_ima "$SYSTEM_KEYS_DIR" system_trusted_key \
120	"/CN=IMA Trusted Certificate for $USER@`hostname`/"	139	"/CN=IMA Trusted Certificate for $USER@`hostname`/"
		140
		141	pem2der "$key_dir/x509_ima.crt"
		142	rm -f "$key_dir/x509_ima.crt"
121	}	143	}
122		144
123	create_user_keys() {	145	create_user_keys() {