From bd0f4cbe405df4e1af65c7d34336dbd447084849 Mon Sep 17 00:00:00 2001 From: Jia Zhang Date: Tue, 21 Nov 2017 09:30:51 -0500 Subject: meta-signing-key: support to build key-store with modsign and extra system trusted key support Signed-off-by: Jia Zhang --- meta-signing-key/classes/user-key-store.bbclass | 62 +++++++++++++++++++++- meta-signing-key/conf/layer.conf | 6 +++ .../recipes-support/key-store/key-store_0.1.bb | 58 ++++++++++++++++++-- 3 files changed, 120 insertions(+), 6 deletions(-) diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 9af758f..03e1b2c 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass @@ -9,8 +9,10 @@ USER_KEY_SHOW_VERBOSE = "1" UEFI_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}' MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d)}' +MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}' IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' -SYSTEM_TRUSTED = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}' +SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}' +EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}' RPM = '1' def vprint(str, d): @@ -24,6 +26,14 @@ def uks_system_trusted_keys_dir(d): set_keys_dir('SYSTEM_TRUSTED', d) return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/' +def uks_extra_system_trusted_keys_dir(d): + set_keys_dir('EXTRA_SYSTEM_TRUSTED', d) + return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/' + +def uks_modsign_keys_dir(d): + set_keys_dir('MODSIGN', d) + return d.getVar('MODSIGN_KEYS_DIR', True) + '/' + def uks_ima_keys_dir(d): set_keys_dir('IMA', d) return d.getVar('IMA_KEYS_DIR', True) + '/' 
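Review bot: The new `SYSTEM_TRUSTED` and `EXTRA_SYSTEM_TRUSTED` expressions test the truthiness of `d.getVar(...)`, but `IMA` and `MODSIGN` expand to the strings "1" or "0", and "0" is a non-empty string that Python treats as true. Both variables therefore evaluate to "1" even when neither `ima` nor `modsign` is in DISTRO_FEATURES. The `!= "1"` guard in `check_deploy_keys` (the `@@ -382,7` hunk) then never skips these two key sets, so system-trusted key material is presumably checked and deployed on builds that did not ask for it. Compare against the literal instead: `SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) == "1" or d.getVar("MODSIGN", True) == "1" else "0"}'` and `EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) == "1" else "0"}'`.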
@@ -163,6 +173,30 @@ def check_system_trusted_keys(d): vprint("%s.crt is unavailable" % _, d) return False +def check_extra_system_trusted_keys(d): + dir = uks_extra_system_trusted_keys_dir(d) + + _ = 'extra_system_trusted_key' + if not os.path.exists(dir + _ + '.key'): + vprint("%s.key is unavailable" % _, d) + return False + + if not os.path.exists(dir + _ + '.crt'): + vprint("%s.crt is unavailable" % _, d) + return False + +def check_modsign_keys(d): + dir = uks_modsign_keys_dir(d) + + _ = 'modsign_key' + if not os.path.exists(dir + _ + '.key'): + vprint("%s.key is unavailable" % _, d) + return False + + if not os.path.exists(dir + _ + '.crt'): + vprint("%s.crt is unavailable" % _, d) + return False + def check_rpm_keys(d): dir = uks_rpm_keys_dir(d) @@ -345,6 +379,26 @@ deploy_system_trusted_keys() { fi } +deploy_extra_system_trusted_keys() { + local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys" + + if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then + install -d "$deploy_dir" + + cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir" + fi +} + +deploy_modsign_keys() { + local deploy_dir="${DEPLOY_KEYS_DIR}/modsign_keys" + + if [ x"${MODSIGN_KEYS_DIR}" != x"$deploy_dir" ]; then + install -d "$deploy_dir" + + cp -af "${MODSIGN_KEYS_DIR}"/* "$deploy_dir" + fi +} + def deploy_keys(name, d): d.setVar('DEPLOY_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/' + \ d.getVar('SIGNING_MODEL', True) + '-keys') @@ -359,6 +413,10 @@ def sanity_check_user_keys(name, may_exit, d): _ = check_ima_user_keys(d) elif name == 'SYSTEM_TRUSTED': _ = check_system_trusted_keys(d) + elif name == 'EXTRA_SYSTEM_TRUSTED': + _ = check_extra_system_trusted_keys(d) + elif name == 'MODSIGN': + _ = check_modsign_keys(d) elif name == 'RPM': _ = check_rpm_keys(d) else: 
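Review bot: `check_extra_system_trusted_keys` and `check_modsign_keys` return `False` when a file is missing but fall off the end on success, so a complete key pair yields `None` rather than `True`. `sanity_check_user_keys` stores the result in `_`, and its test of that value lies outside the hunk; if it is written as `if not _` rather than `_ == False`, a valid key directory would be reported as missing. Ending each function with `return True` makes the result unambiguous. The two bodies differ only in the directory helper and the base name, so one shared helper taking those two values would avoid further copies of the check and would stop shadowing the builtin `dir`.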
@@ -382,7 +440,7 @@ def set_keys_dir(name, d): d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys') python check_deploy_keys() { - for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'RPM'): + for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'): if d.getVar(_, True) != "1": continue diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf index 7b7127e..939f71a 100644 --- a/meta-signing-key/conf/layer.conf +++ b/meta-signing-key/conf/layer.conf @@ -17,6 +17,8 @@ SIGNING_MODEL ??= "sample" SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys" SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys" SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys" +SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys" +SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys" SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys" SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys" @@ -31,6 +33,8 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt" MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}" UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}" SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}" +EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" +MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}" IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}" RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}" @@ -46,6 +50,8 @@ RPM_GPG_PASSPHRASE ?= "SecureCore" BB_HASHBASE_WHITELIST_append += "\ SYSTEM_TRUSTED_KEYS_DIR \ + EXTRA_SYSTEM_TRUSTED_KEYS_DIR \ + MODSIGN_KEYS_DIR \ IMA_KEYS_DIR \ RPM_KEYS_DIR \ UEFI_SB_KEYS_DIR MOK_SB_KEYS_DIR \ diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 86a0f45..60e2491 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb 
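Review bot: The new `SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR` and `SAMPLE_MODSIGN_KEYS_DIR` in layer.conf point at `${LAYERDIR}/files/extra_system_trusted_keys` and `${LAYERDIR}/files/modsign_keys`, but the diffstat lists only three changed files and none is under `files/`. Unless those directories already exist in the layer, the sample model has nothing for `check_modsign_keys` to find or for `do_install` to copy. The same two names become the `??=` defaults in the `@@ -31,6` hunk, so a build that enables `modsign` without overriding `MODSIGN_KEYS_DIR` would presumably rely on a key pair whose private half is published with the layer. A comment above the defaults would make that explicit, for example `# Sample keys are published with this layer; override MODSIGN_KEYS_DIR and EXTRA_SYSTEM_TRUSTED_KEYS_DIR for production builds`.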
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -17,12 +17,24 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg" # For ${PN}-system-trusted-privkey SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key" +# For ${PN}-extra-system-trusted-privkey +EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key" + +# For ${PN}-modsign-privkey +MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key" + # For ${PN}-ima-privkey IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt" # For ${PN}-system-trusted-cert SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt" +# For ${PN}-extra-system-trusted-cert +EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt" + +# For ${PN}-modsign-cert +MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt" + # For ${PN}-ima-cert IMA_CERT = "${KEY_DIR}/x509_evm.der" @@ -35,7 +47,17 @@ python () { d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True)) - pn = d.getVar('PN', True) + '-ima-privkey' + pn = d.getVar('PN', True) + '-extra-system-trusted-privkey' + d.setVar('PACKAGES_prepend', pn + ' ') + d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True)) + d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True)) + + pn = d.getVar('PN', True) + '-modsign-privkey' + d.setVar('PACKAGES_prepend', pn + ' ') + d.setVar('FILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True)) + d.setVar('CONFFILES_' + pn, d.getVar('MODSIGN_PRIV_KEY', True)) + + pn = d.getVar('PN', True) + 'ima-privkey' d.setVar('PACKAGES_prepend', pn + ' ') d.setVar('FILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) d.setVar('CONFFILES_' + pn, d.getVar('IMA_PRIV_KEY', True)) 
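Review bot: The rewritten IMA line builds the package name with `'ima-privkey'`, dropping the leading hyphen that the removed line and the two new blocks above it use, so the package becomes `${PN}ima-privkey` instead of `${PN}-ima-privkey`. That name no longer matches the `${PN}-ima-privkey` entry in `PACKAGES_DYNAMIC`, and anything that depends on the old name would no longer find the IMA private key package. Restore the hyphen: `pn = d.getVar('PN', True) + '-ima-privkey'`. The anonymous `python ()` block starts and ends outside the hunk.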
@@ -74,6 +96,24 @@ do_install() { install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}" fi + key_dir="${@uks_extra_system_trusted_keys_dir(d)}" + install -m 0644 "$key_dir/extra_system_trusted_key.crt" \ + "${D}${EXTRA_SYSTEM_CERT}" + + if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then + install -m 0400 "$key_dir/extra_system_trusted_key.key" \ + "${D}${EXTRA_SYSTEM_PRIV_KEY}" + fi + + key_dir="${@uks_modsign_keys_dir(d)}" + install -m 0644 "$key_dir/modsign_key.crt" \ + "${D}${MODSIGN_CERT}" + + if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then + install -m 0400 "$key_dir/modsign_key.key" \ + "${D}${MODSIGN_PRIV_KEY}" + fi + key_dir="${@uks_ima_keys_dir(d)}" install -m 0644 "$key_dir/x509_ima.der" "${D}${IMA_CERT}" @@ -108,20 +148,30 @@ pkg_postinst_${PN}-rpm-pubkey() { fi } -PACKAGES =+ "\ +PACKAGES = "\ ${PN}-system-trusted-cert \ + ${PN}-extra-system-trusted-cert \ + ${PN}-modsign-cert \ ${PN}-ima-cert \ " # Note any private key is not available if user key signing model used. -PACKAGES_DYNAMIC += "\ - ${PN}-ima-privkey \ +PACKAGES_DYNAMIC = "\ ${PN}-system-trusted-privkey \ + ${PN}-extra-system-trusted-privkey \ + ${PN}-modsign-privkey \ + ${PN}-ima-privkey \ ${PN}-rpm-pubkey \ " FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}" +FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}" +CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}" + +FILES_${PN}-modsign-cert = "${MODSIGN_CERT}" +CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}" + FILES_${PN}-ima-cert = "${IMA_CERT}" CONFFILES_${PN}-ima-cert = "${IMA_CERT}" -- cgit v1.2.3-54-g00ecf
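Review bot: The two added private-key installs in `do_install` run when `uks_signing_model(d)` is `sample` or `user`, yet the comment above `PACKAGES_DYNAMIC` later in this recipe says no private key is available under the user signing model. Either the condition or the comment is wrong, and the difference decides whether `modsign_key.key` and `extra_system_trusted_key.key` are packaged for the target. If the user model is meant to keep private keys off the image, the test should be `if [ "${@uks_signing_model(d)}" = "sample" ]; then`; otherwise the comment should be corrected. As far as the hunk shows, the certificate installs above each test are unconditional, so they would also run, and fail on a missing file, when `MODSIGN` is "0". `do_install` starts and ends outside the hunk.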
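Review bot: Changing `PACKAGES =+` to `PACKAGES =` and `PACKAGES_DYNAMIC +=` to `=` in the `@@ -108,20` hunk replaces the inherited lists instead of extending them, so the default `${PN}`, `${PN}-dbg` and related packages would no longer be produced by this recipe. The commit message does not mention this, and any file installed by `do_install` that is not claimed by one of the cert or privkey packages would then be left unpackaged. If the narrowing is intended, a comment saying so would help, e.g. `# key-store ships only the per-key packages; the default ${PN} package is deliberately dropped`; otherwise keep `PACKAGES =+` and `PACKAGES_DYNAMIC +=`.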