From c804f2591498d5d400e12340346e6b190623ddc6 Mon Sep 17 00:00:00 2001
From: Tom Rini
Date: Wed, 16 May 2018 13:37:54 -0400
Subject: meta-signing-key: Rename "extra trusted" to "secondary"
The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system".
Requested-by: Jia Zhang
Signed-off-by: Tom Rini
---
 meta-signing-key/classes/user-key-store.bbclass | 28 +++++++++----------
 meta-signing-key/conf/layer.conf | 6 ++--
 .../extra_system_trusted_key.crt | 19 -------------
 .../extra_system_trusted_key.key | 28 -------------------
 .../secondary_trusted_key.crt | 19 +++++++++++++
 .../secondary_trusted_key.key | 28 +++++++++++++++++++
 .../recipes-support/key-store/key-store_0.1.bb | 32 +++++++++++-----------
 meta-signing-key/scripts/create-user-key-store.sh | 12 ++++----
 8 files changed, 86 insertions(+), 86 deletions(-)
 delete mode 100644 meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt
 delete mode 100644 meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key
 create mode 100644 meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt
 create mode 100644 meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 03e1b2c..a0cecab 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -12,7 +12,7 @@ MOK_SB = '${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "1", "0", d
 MODSIGN = '${@bb.utils.contains("DISTRO_FEATURES", "modsign", "1", "0", d)}'
 IMA = '${@bb.utils.contains("DISTRO_FEATURES", "ima", "1", "0", d)}'
 SYSTEM_TRUSTED = '${@"1" if d.getVar("IMA", True) or d.getVar("MODSIGN", True) else "0"}'
-EXTRA_SYSTEM_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
+SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) else "0"}'
 RPM = '1'
 def vprint(str, d):
@@ -26,9 +26,9 @@ def uks_system_trusted_keys_dir(d):
 set_keys_dir('SYSTEM_TRUSTED', d)
 return d.getVar('SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
-def uks_extra_system_trusted_keys_dir(d):
- set_keys_dir('EXTRA_SYSTEM_TRUSTED', d)
- return d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True) + '/'
+def uks_secondary_trusted_keys_dir(d):
+ set_keys_dir('SECONDARY_TRUSTED', d)
+ return d.getVar('SECONDARY_TRUSTED_KEYS_DIR', True) + '/'
 def uks_modsign_keys_dir(d):
 set_keys_dir('MODSIGN', d)
@@ -173,10 +173,10 @@ def check_system_trusted_keys(d):
 vprint("%s.crt is unavailable" % _, d)
 return False
-def check_extra_system_trusted_keys(d):
- dir = uks_extra_system_trusted_keys_dir(d)
+def check_secondary_trusted_keys(d):
+ dir = uks_secondary_trusted_keys_dir(d)
- _ = 'extra_system_trusted_key'
+ _ = 'secondary_trusted_key'
 if not os.path.exists(dir + _ + '.key'):
 vprint("%s.key is unavailable" % _, d)
 return False
@@ -379,13 +379,13 @@ deploy_system_trusted_keys() {
 fi
 }
-deploy_extra_system_trusted_keys() {
- local deploy_dir="${DEPLOY_KEYS_DIR}/extra_system_trusted_keys"
+deploy_secondary_trusted_keys() {
+ local deploy_dir="${DEPLOY_KEYS_DIR}/secondary_trusted_keys"
- if [ x"${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
+ if [ x"${SECONDARY_TRUSTED_KEYS_DIR}" != x"$deploy_dir" ]; then
 install -d "$deploy_dir"
- cp -af "${EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
+ cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"
 fi
 }
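Review bot: `SECONDARY_TRUSTED` in the `@@ -12,7` hunk always evaluates to "1", because `d.getVar("SYSTEM_TRUSTED", True)` returns the string "1" or "0" and any non-empty string is truthy in Python. The rename carries the expression over unchanged, so the `!= "1"` test in `check_deploy_keys` can never skip the secondary key checks on the strength of this flag. Compare the value explicitly: `SECONDARY_TRUSTED = '${@"1" if d.getVar("SYSTEM_TRUSTED", True) == "1" else "0"}'`. The `SYSTEM_TRUSTED` context line directly above uses the same pattern on `IMA` and `MODSIGN` and would need the same treatment.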
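Review bot: `deploy_secondary_trusted_keys` in the `@@ -379,13` hunk copies everything in the key directory with `cp -af "${SECONDARY_TRUSTED_KEYS_DIR}"/* "$deploy_dir"`, and `check_secondary_trusted_keys` shows that directory is expected to hold `secondary_trusted_key.key`. The target is created by a bare `install -d "$deploy_dir"`, so the directory gets the default mode and only the file mode preserved by `cp -a` protects the private key in the deploy tree. Consider `install -d -m 0700 "$deploy_dir"`, or copying only the `.crt` if nothing downstream needs the key. Only the tail of `deploy_system_trusted_keys` is visible, so whether the sibling functions share the pattern cannot be confirmed from this hunk.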
@@ -413,8 +413,8 @@ def sanity_check_user_keys(name, may_exit, d):
 _ = check_ima_user_keys(d)
 elif name == 'SYSTEM_TRUSTED':
 _ = check_system_trusted_keys(d)
- elif name == 'EXTRA_SYSTEM_TRUSTED':
- _ = check_extra_system_trusted_keys(d)
+ elif name == 'SECONDARY_TRUSTED':
+ _ = check_secondary_trusted_keys(d)
 elif name == 'MODSIGN':
 _ = check_modsign_keys(d)
 elif name == 'RPM':
@@ -440,7 +440,7 @@ def set_keys_dir(name, d):
 d.setVar(name + '_KEYS_DIR', d.getVar('DEPLOY_DIR_IMAGE', True) + '/user-keys/' + name.lower() + '_keys')
 python check_deploy_keys() {
- for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'EXTRA_SYSTEM_TRUSTED', 'MODSIGN', 'RPM'):
+ for _ in ('UEFI_SB', 'MOK_SB', 'IMA', 'SYSTEM_TRUSTED', 'SECONDARY_TRUSTED', 'MODSIGN', 'RPM'):
 if d.getVar(_, True) != "1":
 continue
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 939f71a..e067f6b 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -17,7 +17,7 @@ SIGNING_MODEL ??= "sample"
 SAMPLE_MOK_SB_KEYS_DIR = "${LAYERDIR}/files/mok_sb_keys"
 SAMPLE_UEFI_SB_KEYS_DIR = "${LAYERDIR}/files/uefi_sb_keys"
 SAMPLE_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/system_trusted_keys"
-SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/extra_system_trusted_keys"
+SAMPLE_SECONDARY_TRUSTED_KEYS_DIR = "${LAYERDIR}/files/secondary_trusted_keys"
 SAMPLE_MODSIGN_KEYS_DIR = "${LAYERDIR}/files/modsign_keys"
 SAMPLE_IMA_KEYS_DIR = "${LAYERDIR}/files/ima_keys"
 SAMPLE_RPM_KEYS_DIR = "${LAYERDIR}/files/rpm_keys"
@@ -33,7 +33,7 @@ EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
 SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_SYSTEM_TRUSTED_KEYS_DIR}"
-EXTRA_SYSTEM_TRUSTED_KEYS_DIR ??= "${SAMPLE_EXTRA_SYSTEM_TRUSTED_KEYS_DIR}"
+SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"
 MODSIGN_KEYS_DIR ??= "${SAMPLE_MODSIGN_KEYS_DIR}"
 IMA_KEYS_DIR ??= "${SAMPLE_IMA_KEYS_DIR}"
 RPM_KEYS_DIR ??= "${SAMPLE_RPM_KEYS_DIR}"
@@ -50,7 +50,7 @@ RPM_GPG_PASSPHRASE ?= "SecureCore"
 BB_HASHBASE_WHITELIST_append += "\
 SYSTEM_TRUSTED_KEYS_DIR \
- EXTRA_SYSTEM_TRUSTED_KEYS_DIR \
+ SECONDARY_TRUSTED_KEYS_DIR \
 MODSIGN_KEYS_DIR \
 IMA_KEYS_DIR \
 RPM_KEYS_DIR \
diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt b/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt
deleted file mode 100644
index b7c3493..0000000
--- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.crt
+++ /dev/null
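Review bot: With `SECONDARY_TRUSTED_KEYS_DIR ??= "${SAMPLE_SECONDARY_TRUSTED_KEYS_DIR}"` in the `@@ -33,7` hunk, a build configuration that still sets the old `EXTRA_SYSTEM_TRUSTED_KEYS_DIR` is silently ignored and the build falls back to the sample directory, whose private key is committed in this layer. Nothing in the visible hunks warns about or rejects the old name. A guard in the class would make the rename fail closed, for example `if d.getVar('EXTRA_SYSTEM_TRUSTED_KEYS_DIR', True): bb.fatal('EXTRA_SYSTEM_TRUSTED_KEYS_DIR was renamed to SECONDARY_TRUSTED_KEYS_DIR')`. Key stores generated by the earlier script also carry the old directory and file names, so the commit message or README should state the migration step.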
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpTeXN0 -ZW0gVHJ1c3RlZCBDZXJ0aWZpY2F0ZTAeFw0xNzExMjAxMTU4MTJaFw0yNzExMTgx -MTU4MTJaMCsxKTAnBgNVBAMMIEV4dHJhIFN5c3RlbSBUcnVzdGVkIENlcnRpZmlj -YXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ZqvfjyW5kDefMWy -RbA70GGAyG3LHscSFUfLb1m5ZKeEPyLzCQNzZr5uLiONdYvr09eZsTrBQ3RZ4F7v -4c4YWkfP8RqKzFBpMG0roa0ynB3M7iGYR4WAuPA/4R1qy0Lvdh5dB0tSloHNToYL -yI0QpXlSRigdGs9Q5pFYi6W43pTQyQAf/OtLXGNlmNK7I24JKILVjMdWPyVleAzS -VmlzSl5nvNxgPfmga1Yc91WM2oh/ijZqQ6w1t2ZIbldAfE+VT4CCiHWDSt8fsVEQ -83dUPJNGVDax6JfO7sTsiQNa8qALnJXnqDMbUxcZkLyv1GADo/TsGyqLvvBsdSA/ -zcsMuQIDAQABo0IwQDAdBgNVHQ4EFgQUXrBOA5XBBjQBUBu8KXbNaMRyNnswHwYD -VR0jBBgwFoAUzz22EZ4YijXYhX/ihihANm4Eff4wDQYJKoZIhvcNAQELBQADggEB -AHE3TGi66MYkkX3L9kTPYzBcKisyWdU06N4Uha2rRhKhb6amCY7sfKkcJt79WNAc -HxX0QXL4IvHVINRsFjyvKu+Z2B1EK7n+S0YoOo33HBHTvl/5NuPY2vH0jJmLXHuX -vpB1jOq/1PlbWpZcbAUDL2N5HbdDdOSW91NjBemnRkKRMDEnLlgrSYDPAll9kPXE -FrHEIqVrWbBxdSgyP4ZIOMT1deSYTjfk4Isz8k8U0HsDaocPeEysJfDvImP9Xl0A -T1uytaMWbwKN+zQGwLbXJNOXpzPn8LCLMrBMep/ZTK5uLipJ9+UP77kIkztvjzVJ -tGwxYZ1/yHBGVYTwwuM7QTM= ------END CERTIFICATE----- diff --git a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key b/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key deleted file mode 100644 index 0bf56cf..0000000 --- a/meta-signing-key/files/extra_system_trusted_keys/extra_system_trusted_key.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhmq9+PJbmQN58 -xbJFsDvQYYDIbcsexxIVR8tvWblkp4Q/IvMJA3Nmvm4uI411i+vT15mxOsFDdFng -Xu/hzhhaR8/xGorMUGkwbSuhrTKcHczuIZhHhYC48D/hHWrLQu92Hl0HS1KWgc1O -hgvIjRCleVJGKB0az1DmkViLpbjelNDJAB/860tcY2WY0rsjbgkogtWMx1Y/JWV4 -DNJWaXNKXme83GA9+aBrVhz3VYzaiH+KNmpDrDW3ZkhuV0B8T5VPgIKIdYNK3x+x -URDzd1Q8k0ZUNrHol87uxOyJA1ryoAucleeoMxtTFxmQvK/UYAOj9OwbKou+8Gx1 -ID/Nywy5AgMBAAECggEBAJ7cEZ9OguN34jLx8upngnblcY2w4kq12uHpQDMUdxuN -ae4bag96wpQim+sZVc7jzBfLxYmq2dPp5i+8KiZSvYs07hPUoM/l/2v+M68RCoYr -5dX5CgWy2EVhx1l5IW4nn/8IunEcdPdOR4d3lGyQCJy8pVaJgJUUTt9MkZEkDN2N -khguc67IkHoquF6Pc3eT4b4JafoZMklKV5fIEy2oxn3e5tyy9b1D5ECjjqzSn70x -9OfYVLWrA3i1grQ+h/JalCm7s23j1o1DiaFxZGMGpAlNVOEeXB4MrjeWE3JmQucZ -cXeRhNkQPuhhUsQ3gi094exZqs6C03Lu5CqtY9nOyJECgYEA+WOpbQ+15n2OI8Dn -U3nLVqw8nlOqxHqd3yknRYmL3ghbhV9cG59LM1+vh/WYqYijLtVRoGA1gGKjqWfH -NlO7c+m2czzsQGICCMWaQ7l2LnW3pFmfpgXVkYa52ct54pcd4rA6xRqjSAx9g7qj -MuLuSn/ewWWsqCUFjaKJHmmdBIsCgYEA55WetFyv5/6+9wNvIfLdStPnu5u0O3sw -jyZnGRKQHmV2Wq3FwICgtFZdHdMzBYl+QXPTydVDk9OW//vh9lDzELWbCKbOOUuj -vGHbNFa5GoE98TQyuI/gaoQiLYU7mZynon5pqrF7AwB624wQFrCbMzFhXyRGVoLC -x20b9v3fKEsCgYBXq7iA9Zftuk/As+zehJ9+DbiVtDYBMlXTgMUkhfEckfWSkm5v -63TlT4sGkckkODudmDJE3e2Q/5wnTqtSpubsHcodAtrO22V5rfXIPyeTt6Bib3tX -Qw/MQ/+L2CM2DAfejDNs3StvhayOJYt/tRUuLXuio1qqFbG5E91+SoR/dwKBgFs0 -D4aUoipJp0d8sL27+e7IOZEnJvnt8BfQVfYH2349EzlvClxfy+p5wL5IOOXLWk/I -n/Xy6WREhklWF418H93Kx73Gg50I7vj3yO554PhRQeXGWttYvlb0pskqmWhLy7Ew -+8hfkUSDYd8o8AUflF+66NAhZxoW8UK887B4FvS1AoGBAIAt4KwjWB9gamwif8eQ -yndtzmRh6i67IwEzH5lxerRBrXKU4svQldkNzPQMPAMp3zUyqrzg6w7tY2pYSBXp -vIEmVUHS743hW3NlUwnyjDRSWjPZMAlFng6Y07xbpnXJ8u4teck2TF8qaGO24YDM -VAymp0RnFZl+ZGbVn5ZUbFXT ------END PRIVATE KEY----- diff --git a/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt new file mode 100644 index 0000000..b7c3493 --- /dev/null 
+++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpTeXN0 +ZW0gVHJ1c3RlZCBDZXJ0aWZpY2F0ZTAeFw0xNzExMjAxMTU4MTJaFw0yNzExMTgx +MTU4MTJaMCsxKTAnBgNVBAMMIEV4dHJhIFN5c3RlbSBUcnVzdGVkIENlcnRpZmlj +YXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4ZqvfjyW5kDefMWy +RbA70GGAyG3LHscSFUfLb1m5ZKeEPyLzCQNzZr5uLiONdYvr09eZsTrBQ3RZ4F7v +4c4YWkfP8RqKzFBpMG0roa0ynB3M7iGYR4WAuPA/4R1qy0Lvdh5dB0tSloHNToYL +yI0QpXlSRigdGs9Q5pFYi6W43pTQyQAf/OtLXGNlmNK7I24JKILVjMdWPyVleAzS +VmlzSl5nvNxgPfmga1Yc91WM2oh/ijZqQ6w1t2ZIbldAfE+VT4CCiHWDSt8fsVEQ +83dUPJNGVDax6JfO7sTsiQNa8qALnJXnqDMbUxcZkLyv1GADo/TsGyqLvvBsdSA/ +zcsMuQIDAQABo0IwQDAdBgNVHQ4EFgQUXrBOA5XBBjQBUBu8KXbNaMRyNnswHwYD +VR0jBBgwFoAUzz22EZ4YijXYhX/ihihANm4Eff4wDQYJKoZIhvcNAQELBQADggEB +AHE3TGi66MYkkX3L9kTPYzBcKisyWdU06N4Uha2rRhKhb6amCY7sfKkcJt79WNAc +HxX0QXL4IvHVINRsFjyvKu+Z2B1EK7n+S0YoOo33HBHTvl/5NuPY2vH0jJmLXHuX +vpB1jOq/1PlbWpZcbAUDL2N5HbdDdOSW91NjBemnRkKRMDEnLlgrSYDPAll9kPXE +FrHEIqVrWbBxdSgyP4ZIOMT1deSYTjfk4Isz8k8U0HsDaocPeEysJfDvImP9Xl0A +T1uytaMWbwKN+zQGwLbXJNOXpzPn8LCLMrBMep/ZTK5uLipJ9+UP77kIkztvjzVJ +tGwxYZ1/yHBGVYTwwuM7QTM= +-----END CERTIFICATE----- diff --git a/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key new file mode 100644 index 0000000..0bf56cf --- /dev/null +++ b/meta-signing-key/files/secondary_trusted_keys/secondary_trusted_key.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhmq9+PJbmQN58 +xbJFsDvQYYDIbcsexxIVR8tvWblkp4Q/IvMJA3Nmvm4uI411i+vT15mxOsFDdFng +Xu/hzhhaR8/xGorMUGkwbSuhrTKcHczuIZhHhYC48D/hHWrLQu92Hl0HS1KWgc1O +hgvIjRCleVJGKB0az1DmkViLpbjelNDJAB/860tcY2WY0rsjbgkogtWMx1Y/JWV4 +DNJWaXNKXme83GA9+aBrVhz3VYzaiH+KNmpDrDW3ZkhuV0B8T5VPgIKIdYNK3x+x +URDzd1Q8k0ZUNrHol87uxOyJA1ryoAucleeoMxtTFxmQvK/UYAOj9OwbKou+8Gx1 +ID/Nywy5AgMBAAECggEBAJ7cEZ9OguN34jLx8upngnblcY2w4kq12uHpQDMUdxuN +ae4bag96wpQim+sZVc7jzBfLxYmq2dPp5i+8KiZSvYs07hPUoM/l/2v+M68RCoYr +5dX5CgWy2EVhx1l5IW4nn/8IunEcdPdOR4d3lGyQCJy8pVaJgJUUTt9MkZEkDN2N +khguc67IkHoquF6Pc3eT4b4JafoZMklKV5fIEy2oxn3e5tyy9b1D5ECjjqzSn70x +9OfYVLWrA3i1grQ+h/JalCm7s23j1o1DiaFxZGMGpAlNVOEeXB4MrjeWE3JmQucZ +cXeRhNkQPuhhUsQ3gi094exZqs6C03Lu5CqtY9nOyJECgYEA+WOpbQ+15n2OI8Dn +U3nLVqw8nlOqxHqd3yknRYmL3ghbhV9cG59LM1+vh/WYqYijLtVRoGA1gGKjqWfH +NlO7c+m2czzsQGICCMWaQ7l2LnW3pFmfpgXVkYa52ct54pcd4rA6xRqjSAx9g7qj +MuLuSn/ewWWsqCUFjaKJHmmdBIsCgYEA55WetFyv5/6+9wNvIfLdStPnu5u0O3sw +jyZnGRKQHmV2Wq3FwICgtFZdHdMzBYl+QXPTydVDk9OW//vh9lDzELWbCKbOOUuj +vGHbNFa5GoE98TQyuI/gaoQiLYU7mZynon5pqrF7AwB624wQFrCbMzFhXyRGVoLC +x20b9v3fKEsCgYBXq7iA9Zftuk/As+zehJ9+DbiVtDYBMlXTgMUkhfEckfWSkm5v +63TlT4sGkckkODudmDJE3e2Q/5wnTqtSpubsHcodAtrO22V5rfXIPyeTt6Bib3tX +Qw/MQ/+L2CM2DAfejDNs3StvhayOJYt/tRUuLXuio1qqFbG5E91+SoR/dwKBgFs0 +D4aUoipJp0d8sL27+e7IOZEnJvnt8BfQVfYH2349EzlvClxfy+p5wL5IOOXLWk/I +n/Xy6WREhklWF418H93Kx73Gg50I7vj3yO554PhRQeXGWttYvlb0pskqmWhLy7Ew ++8hfkUSDYd8o8AUflF+66NAhZxoW8UK887B4FvS1AoGBAIAt4KwjWB9gamwif8eQ +yndtzmRh6i67IwEzH5lxerRBrXKU4svQldkNzPQMPAMp3zUyqrzg6w7tY2pYSBXp +vIEmVUHS743hW3NlUwnyjDRSWjPZMAlFng6Y07xbpnXJ8u4teck2TF8qaGO24YDM +VAymp0RnFZl+ZGbVn5ZUbFXT +-----END PRIVATE KEY----- diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 8dd9637..66691cc 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb 
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -17,8 +17,8 @@ RPM_KEY_DIR = "${sysconfdir}/pki/rpm-gpg"
 # For ${PN}-system-trusted-privkey
 SYSTEM_PRIV_KEY = "${KEY_DIR}/system_trusted_key.key"
-# For ${PN}-extra-system-trusted-privkey
-EXTRA_SYSTEM_PRIV_KEY = "${KEY_DIR}/extra_system_trusted_key.key"
+# For ${PN}-secondary-trusted-privkey
+SECONDARY_TRUSTED_PRIV_KEY = "${KEY_DIR}/secondary_trusted_key.key"
 # For ${PN}-modsign-privkey
 MODSIGN_PRIV_KEY = "${KEY_DIR}/modsign_key.key"
@@ -29,8 +29,8 @@ IMA_PRIV_KEY = "${KEY_DIR}/privkey_evm.crt"
 # For ${PN}-system-trusted-cert
 SYSTEM_CERT = "${KEY_DIR}/system_trusted_key.crt"
-# For ${PN}-extra-system-trusted-cert
-EXTRA_SYSTEM_CERT = "${KEY_DIR}/extra_system_trusted_key.crt"
+# For ${PN}-secondary-trusted-cert
+SECONDARY_TRUSTED_CERT = "${KEY_DIR}/secondary_trusted_key.crt"
 # For ${PN}-modsign-cert
 MODSIGN_CERT = "${KEY_DIR}/modsign_key.crt"
@@ -47,10 +47,10 @@ python () {
 d.setVar('FILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
 d.setVar('CONFFILES_' + pn, d.getVar('SYSTEM_PRIV_KEY', True))
- pn = d.getVar('PN', True) + '-extra-system-trusted-privkey'
+ pn = d.getVar('PN', True) + '-secondary-trusted-privkey'
 d.setVar('PACKAGES_prepend', pn + ' ')
- d.setVar('FILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
- d.setVar('CONFFILES_' + pn, d.getVar('EXTRA_SYSTEM_PRIV_KEY', True))
+ d.setVar('FILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
+ d.setVar('CONFFILES_' + pn, d.getVar('SECONDARY_TRUSTED_PRIV_KEY', True))
 pn = d.getVar('PN', True) + '-modsign-privkey'
 d.setVar('PACKAGES_prepend', pn + ' ')
@@ -96,13 +96,13 @@ do_install() {
 install -m 0400 "$key_dir/system_trusted_key.key" "${D}${SYSTEM_PRIV_KEY}"
 fi
- key_dir="${@uks_extra_system_trusted_keys_dir(d)}"
- install -m 0644 "$key_dir/extra_system_trusted_key.crt" \
- "${D}${EXTRA_SYSTEM_CERT}"
+ key_dir="${@uks_secondary_trusted_keys_dir(d)}"
+ install -m 0644 "$key_dir/secondary_trusted_key.crt" \
+ "${D}${SECONDARY_TRUSTED_CERT}"
 if [ "${@uks_signing_model(d)}" = "sample" -o "${@uks_signing_model(d)}" = "user" ]; then
- install -m 0400 "$key_dir/extra_system_trusted_key.key" \
- "${D}${EXTRA_SYSTEM_PRIV_KEY}"
+ install -m 0400 "$key_dir/secondary_trusted_key.key" \
+ "${D}${SECONDARY_TRUSTED_PRIV_KEY}"
 fi
 key_dir="${@uks_modsign_keys_dir(d)}"
@@ -150,7 +150,7 @@ pkg_postinst_${PN}-rpm-pubkey() {
 PACKAGES = "\
 ${PN}-system-trusted-cert \
- ${PN}-extra-system-trusted-cert \
+ ${PN}-secondary-trusted-cert \
 ${PN}-modsign-cert \
 ${PN}-ima-cert \
 "
@@ -158,7 +158,7 @@ PACKAGES = "\
 # Note any private key is not available if user key signing model used.
 PACKAGES_DYNAMIC = "\
 ${PN}-system-trusted-privkey \
- ${PN}-extra-system-trusted-privkey \
+ ${PN}-secondary-trusted-privkey \
 ${PN}-modsign-privkey \
 ${PN}-ima-privkey \
 ${PN}-rpm-pubkey \
@@ -167,8 +167,8 @@ PACKAGES_DYNAMIC = "\
 FILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
 CONFFILES_${PN}-system-trusted-cert = "${SYSTEM_CERT}"
-FILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
-CONFFILES_${PN}-extra-system-trusted-cert = "${EXTRA_SYSTEM_CERT}"
+FILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
+CONFFILES_${PN}-secondary-trusted-cert = "${SECONDARY_TRUSTED_CERT}"
 FILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
 CONFFILES_${PN}-modsign-cert = "${MODSIGN_CERT}"
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
index ddcd31a..eea52df 100755
--- a/meta-signing-key/scripts/create-user-key-store.sh
+++ b/meta-signing-key/scripts/create-user-key-store.sh
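Review bot: The new `install -m 0400 "$key_dir/secondary_trusted_key.key"` line in the `@@ -96,13` hunk stages the secondary signing private key for packaging whenever the model is "sample" or "user", yet the comment above `PACKAGES_DYNAMIC` in the `@@ -158,7` hunk says private keys are not available with the user key signing model. One of the two is out of date, and a reader cannot tell from the recipe whether a user-model private key is meant to ship in a package. Please correct the comment or the condition. Since the sample-model key is the one committed in this repository, a comment next to the `if` such as `# sample keys are public: never use them for production images` would also help. `do_install` starts and ends outside the hunk.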
@@ -98,7 +98,7 @@ SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
 IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
 RPM_KEYS_DIR="$KEYS_DIR/rpm_keys"
 MODSIGN_KEYS_DIR="$KEYS_DIR/modsign_keys"
-EXTRA_SYSTEM_KEYS_DIR="$KEYS_DIR/extra_system_trusted_keys"
+SECONDARY_TRUSTED_KEYS_DIR="$KEYS_DIR/secondary_trusted_keys"
 pem2der() {
 local src="$1"
@@ -201,12 +201,12 @@ create_modsign_user_key() {
 "/CN=MODSIGN Certificate/"
 }
-create_extra_system_user_key() {
- local key_dir="$EXTRA_SYSTEM_KEYS_DIR"
+create_secondary_user_key() {
+ local key_dir="$SECONDARY_TRUSTED_KEYS_DIR"
 [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
- ca_sign "$key_dir" extra_system_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
+ ca_sign "$key_dir" secondary_trusted_key "$SYSTEM_KEYS_DIR" system_trusted_key \
 "/CN=Extra System Trusted Certificate/"
 }
@@ -297,8 +297,8 @@ create_user_keys() {
 echo "Creating the user key for system"
 create_system_user_key
- echo "Creating the user key for system extra"
- create_extra_system_user_key
+ echo "Creating the user key for system secondary trust"
+ create_secondary_user_key
 echo "Creating the user key for modsign"
 create_modsign_user_key
-- cgit v1.2.3-54-g00ecf
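Review bot: `create_secondary_user_key` in the `@@ -201,12` hunk still passes `"/CN=Extra System Trusted Certificate/"` to `ca_sign`, so newly generated secondary certificates keep the old name in their subject while every path, variable and package now says "secondary". The sample certificate is moved unchanged as well (same blob `b7c3493` on both sides), so it is not regenerated by this commit either. Anyone identifying the key by its subject during an audit or in a keyring listing will see a name that no longer matches the file. If the old subject is kept on purpose, say so in a comment above the `ca_sign` call; otherwise change the context line to `"/CN=Secondary Trusted Certificate/"` and regenerate the sample pair.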