From bd0f4cbe405df4e1af65c7d34336dbd447084849 Mon Sep 17 00:00:00 2001
From: Jia Zhang <qianyue.zj@alibaba-inc.com>
Date: Tue, 21 Nov 2017 09:30:51 -0500
Subject: meta-signing-key: support to build key-store with modsign and extra
 system trusted key support

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
---
 meta-signing-key/classes/user-key-store.bbclass    | 62 +++++++++++++++++++++-
 meta-signing-key/conf/layer.conf                   |  6 +++
 .../recipes-support/key-store/key-store_0.1.bb     | 58 ++++++++++++++++++--
 3 files changed, 120 insertions(+), 6 deletions(-)

diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 9af758f..03e1b2c 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1"
 
 UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
 MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}'
+MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
-SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
+SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
+EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 
 def vprint(str, d):
@@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d):
     set_keys_dir('SYSTEM_TRUSTED', d)
     return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
 
+def uks_extra_system_trusted_keys_dir(d):
+    set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
+    return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+
+def uks_modsign_keys_dir(d):
+    set_keys_dir('MODSIGN', d)
+    return d.getVar('MODSIGN_KEYS_DIR', True) + '/'
+
 def uks_ima_keys_dir(d):
     set_keys_dir('IMA', d)
     return d.getVar('IMA_KEYS_DIR', True) + '/'
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d):
         vprint("%s.crt is unavailable" % _, d)
         return False
 
+def check_extra_system_trusted_keys(d):
+    dir = uks_extra_system_trusted_keys_dir(d)
+
+    _ = 'extra_system_trusted_key'
+    if not os.path.exists(dir + _ + '.key'):
+        vprint("%s.key is unavailable" % _, d)
+        return False
+
+    if not os.path.exists(dir + _ + '.crt'):
+        vprint("%s.crt is unavailable" % _, d)
+        return False
+
+def check_modsign_keys(d):
+    dir = uks_modsign_keys_dir(d)
+
+    _ = 'modsign_key'
+    if not os.path.exists(dir + _ + '.key'):
+        vprint("%s.key is unavailable" % _, d)
+        return False
+
+    if not os.path.exists(dir + _ + '.crt'):
+        vprint("%s.crt is unavailable" % _, d)
+        return False
+
 def check_rpm_keys(d):
     dir = uks_rpm_keys_dir(d)
 
@@ -345,6 +379,26 @@ deploy_system_trusted_keys() {
     fi
 }
 
+deploy_extra_system_trusted_keys() {
+    local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+
+    if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+        install -d "$deploy_dir"
+
+        cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+    fi
+}
+
+deploy_modsign_keys() {
+    local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys"
+
+    if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then
+        install -d "$deploy_dir"
+
+        cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir"
+    fi
+}
+
 def deploy_keys(name, d):
     d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \
              d.getVar('SIGNING_MODEL', True) + '-keys')
@@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d):
         _ = check_ima_user_keys(d)
     elif name == 'SYSTEM_TRUSTED':
         _ = check_system_trusted_keys(d)
+    elif name == 'EXTRA_SYSTEM_TRUSTED':
+        _ = check_extra_system_trusted_keys(d)
+    elif name == 'MODSIGN':
+        _ = check_modsign_keys(d)
     elif name == 'RPM':
         _ = check_rpm_keys(d)
     else:
@@ -382,7 +440,7 @@ def set_keys_dir(name, d):
         d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 
 python check_deploy_keys() {
-    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'):
+    for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
         if d.getVar(_, True) != "1":
             continue
 
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 7b7127e..939f71a 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
+SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
 
@@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
+EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
 
@@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 
 BB_HASHBASE_WHITELIST_append += "\
     SYSTEM_TRUSTED_KEYS_DIR \
+    EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+    MODSIGN_KEYS_DIR \
     IMA_KEYS_DIR \
     RPM_KEYS_DIR \
     UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \
diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 86a0f45..60e2491 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
 
+# For ${PN}-extra-system-trusted-privkey
+EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+
+# For ${PN}-modsign-privkey
+MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
+
 # For ${PN}-ima-privkey
 IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
 
+# For ${PN}-extra-system-trusted-cert
+EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+
+# For ${PN}-modsign-cert
+MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
+
 # For ${PN}-ima-cert
 IMA_CERT = "${KEY_DIR}/x509_evm.der"
 
@@ -35,7 +47,17 @@ python () {
     d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
     d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
 
-    pn = d.getVar('PN', True) + '-ima-privkey'
+    pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+    d.setVar('PACKAGES_prepend', pn + ' ')
+    d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+
+    pn = d.getVar('PN', True) + '-modsign-privkey'
+    d.setVar('PACKAGES_prepend', pn + ' ')
+    d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+    d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True))
+
+    pn = d.getVar('PN', True) + 'ima-privkey'
     d.setVar('PACKAGES_prepend', pn + ' ')
     d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
     d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True))
@@ -74,6 +96,24 @@ do_install() {
         install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
     fi
 
+    key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
+    install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
+        "${D}${EXTRA_SYSTEM_CERT}"
+
+    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+        install -m 0400 "$key_dir/extra_system_trusted_key.key" \
+            "${D}${EXTRA_SYSTEM_PRIV_KEY}"
+    fi
+
+    key_dir="${@uks_modsign_keys_dir(d)}"
+    install -m 0644 "$key_dir/modsign_key.crt" \
+        "${D}${MODSIGN_CERT}"
+
+    if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
+        install -m 0400 "$key_dir/modsign_key.key" \
+            "${D}${MODSIGN_PRIV_KEY}"
+    fi
+
     key_dir="${@uks_ima_keys_dir(d)}"
     install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}"
 
@@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() {
     fi
 }
 
-PACKAGES =+ "\
+PACKAGES = "\
     ${PN}-system-trusted-cert \
+    ${PN}-extra-system-trusted-cert \
+    ${PN}-modsign-cert \
     ${PN}-ima-cert \
 "
 
 # Note any private key is not available if user key signing model used.
-PACKAGES_DYNAMIC += "\
-    ${PN}-ima-privkey \
+PACKAGES_DYNAMIC = "\
     ${PN}-system-trusted-privkey \
+    ${PN}-extra-system-trusted-privkey \
+    ${PN}-modsign-privkey \
+    ${PN}-ima-privkey \
     ${PN}-rpm-pubkey \
 "
 
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 
+FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+
+FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
+CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
+
 FILES_${PN}-ima-cert = "${IMA_CERT}"
 CONFFILES_${PN}-ima-cert = "${IMA_CERT}"
-- 
cgit v1.2.3-54-g00ecf