key-store: rename ima private key and certificate on target

If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>

4 files changed, 18 insertions, 5 deletions

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 8ffd484..ad17c05 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -110,6 +110,19 @@ default, the sample keys are used for the purpose of development and
 demonstration. Please ensure you know what your risk is to use the sample keys
 in your product, because they are completely public.
 
+If sample keys are used, the private IMA key is installed as /etc/keys/x509_ima.key.
+
+A typical signing command is as following:
+
+    # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> /path/to/file
+or
+
+    # evmctl ima_sign --hashalgo sha256 --key /etc/keys/x509_ima.key --pass=<passowrd> -r /path/to/directory
+
+The following command can be used to verify a file's IMA signature with specified certificate:
+
+    # evmctl ima_verify --key /etc/keys/x509_ima.der /path/to/file
+
 ### RPM File Signing
 The payloads in a RPM are signed by the private key during the build, and each
 IMA signatures for the corresponding  payload file will be eventually written
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
index c663817..8934cfc 100755
--- a/meta-integrity/recipes-core/initrdscripts/files/init.ima
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -110,10 +110,10 @@ for cert in ${ROOT_DIR}/etc/keys/x509_secondary_*.der; do
     fi
 done
 
-# The trusted IMA certificate /etc/keys/x509_evm.der in initramfs was
+# The trusted IMA certificate /etc/keys/x509_ima.der in initramfs was
 # automatically loaded by kernel already. Here is the opportunity to load
 # a custom IMA certificate from the real rootfs.
-for cert in ${ROOT_DIR}/etc/keys/x509_evm*.der; do
+for cert in ${ROOT_DIR}/etc/keys/x509_ima*.der; do
     [ ! -s "$cert" ] && continue
     name=`basename $cert`
 
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
index 9cd609b..0d7e66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -19,5 +19,5 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
 CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
 CONFIG_IMA_BLACKLIST_KEYRING=y
-CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index f5c3e75..d83b79c 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -24,7 +24,7 @@ SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
 
 # For ${PN}-ima-privkey
-IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
+IMA_PRIV_KEY = "${KEY_DIR}/x509_ima.key"
 
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
@@ -37,7 +37,7 @@ SECONDARY_TRUSTED_DER_ENC_CERT = "${KEY_DIR}/x509_secondary_system_trusted_key.d
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
 
 # For ${PN}-ima-cert
-IMA_CERT = "${KEY_DIR}/x509_evm.der"
+IMA_CERT = "${KEY_DIR}/x509_ima.der"
 
 python () {
     if not (uks_signing_model(d) in "sample", "user"):