diff options
author | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-07-28 18:31:48 +0300 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-08-04 13:12:41 -0700 |
commit | c9c4e6c228556cc2054a4b49f85b282fd69fc25c (patch) | |
tree | 6e796d2009a9617c1ab2d876150005f8f4d61cb9 | |
parent | 0a73a14fbb0418b4b563ab987aea424dd1eff815 (diff) | |
download | meta-security-c9c4e6c228556cc2054a4b49f85b282fd69fc25c.tar.gz |
meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
-rw-r--r-- | meta-integrity/README.md | 12 | ||||
-rw-r--r-- | meta-integrity/classes/ima-evm-rootfs.bbclass | 2 | ||||
-rw-r--r-- | meta-integrity/conf/layer.conf | 6 | ||||
-rw-r--r-- | meta-integrity/recipes-core/images/integrity-image-minimal.bb | 2 |
4 files changed, 11 insertions, 11 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 5bef76e..4607948 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building | |||
74 | the image, enable image signing in the local.conf like this: | 74 | the image, enable image signing in the local.conf like this: |
75 | 75 | ||
76 | INHERIT += "ima-evm-rootfs" | 76 | INHERIT += "ima-evm-rootfs" |
77 | IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" | 77 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
78 | 78 | ||
79 | This uses the default keys provided in the "data" directory of the layer. | 79 | This uses the default keys provided in the "data" directory of the layer. |
80 | Because everyone has access to these private keys, such an image | 80 | Because everyone has access to these private keys, such an image |
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the | |||
96 | # In that shell, create the keys. Several options exist: | 96 | # In that shell, create the keys. Several options exist: |
97 | 97 | ||
98 | # 1. Self-signed keys. | 98 | # 1. Self-signed keys. |
99 | $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh | 99 | $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh |
100 | 100 | ||
101 | # 2. Keys signed by a new CA. | 101 | # 2. Keys signed by a new CA. |
102 | # When asked for a PEM passphrase, that will be for the root CA. | 102 | # When asked for a PEM passphrase, that will be for the root CA. |
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the | |||
104 | # only creating new certificates does. Most likely the default | 104 | # only creating new certificates does. Most likely the default |
105 | # attributes for these certificates need to be adapted; modify | 105 | # attributes for these certificates need to be adapted; modify |
106 | # the scripts as needed. | 106 | # the scripts as needed. |
107 | # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh | 107 | # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh |
108 | # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh | 108 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh |
109 | 109 | ||
110 | # 3. Keys signed by an existing CA. | 110 | # 3. Keys signed by an existing CA. |
111 | # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> | 111 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> |
112 | exit | 112 | exit |
113 | 113 | ||
114 | When using ``ima-self-signed.sh`` as described above, self-signed keys | 114 | When using ``ima-self-signed.sh`` as described above, self-signed keys |
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd | |||
169 | changes. To activate policy loading via systemd, place a policy file | 169 | changes. To activate policy loading via systemd, place a policy file |
170 | in `/etc/ima/ima-policy`, for example with: | 170 | in `/etc/ima/ima-policy`, for example with: |
171 | 171 | ||
172 | IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" | 172 | IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" |
173 | 173 | ||
174 | To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` | 174 | To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` |
175 | 175 | ||
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388..d6ade3b 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass | |||
@@ -1,7 +1,7 @@ | |||
1 | # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be | 1 | # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be |
2 | # set explicitly in a local.conf before activating ima-evm-rootfs. | 2 | # set explicitly in a local.conf before activating ima-evm-rootfs. |
3 | # To use the insecure (because public) example keys, use | 3 | # To use the insecure (because public) example keys, use |
4 | # IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" | 4 | # IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
5 | IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" | 5 | IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" |
6 | 6 | ||
7 | # Private key for IMA signing. The default is okay when | 7 | # Private key for IMA signing. The default is okay when |
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 917aa86..1d31edd 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf | |||
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6" | |||
13 | # Set a variable to get to the top of the metadata location. Needed | 13 | # Set a variable to get to the top of the metadata location. Needed |
14 | # for finding scripts (when following the README.md instructions) and | 14 | # for finding scripts (when following the README.md instructions) and |
15 | # default debug keys (in ima-evm-rootfs.bbclass). | 15 | # default debug keys (in ima-evm-rootfs.bbclass). |
16 | IMA_EVM_BASE := '${LAYERDIR}' | 16 | INTEGRITY_BASE := '${LAYERDIR}' |
17 | 17 | ||
18 | # We must not export this path to all shell scripts (as in "export | 18 | # We must not export this path to all shell scripts (as in "export |
19 | # IMA_EVM_BASE"), because that causes problems with sstate (becames | 19 | # INTEGRITY_BASE"), because that causes problems with sstate (becames |
20 | # dependent on location of the layer). Exporting it to just the | 20 | # dependent on location of the layer). Exporting it to just the |
21 | # interactive shell is enough. | 21 | # interactive shell is enough. |
22 | OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" | 22 | OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" |
23 | 23 | ||
24 | LAYERSERIES_COMPAT_integrity = "warrior" | 24 | LAYERSERIES_COMPAT_integrity = "warrior" |
25 | # ima-evm-utils depends on keyutils from meta-security | 25 | # ima-evm-utils depends on keyutils from meta-security |
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724d..e1bc6ff 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb | |||
@@ -17,6 +17,6 @@ inherit core-image | |||
17 | export IMAGE_BASENAME = "integrity-image-minimal" | 17 | export IMAGE_BASENAME = "integrity-image-minimal" |
18 | 18 | ||
19 | INHERIT += "ima-evm-rootfs" | 19 | INHERIT += "ima-evm-rootfs" |
20 | IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" | 20 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
21 | 21 | ||
22 | QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" | 22 | QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" |