meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE

data/debug-keys will be reused for demo modsign keys, so rename IMA_EVM_BASE to more generic INTEGRITY_BASE. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
author: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> 2019-07-28 18:31:48 +0300
committer: Armin Kuster <akuster808@gmail.com> 2019-08-04 13:12:41 -0700
commit: c9c4e6c228556cc2054a4b49f85b282fd69fc25c (patch)
tree: 6e796d2009a9617c1ab2d876150005f8f4d61cb9
parent: 0a73a14fbb0418b4b563ab987aea424dd1eff815 (diff)
download: meta-security-c9c4e6c228556cc2054a4b49f85b282fd69fc25c.tar.gz
4 files changed, 11 insertions, 11 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5bef76e..4607948 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building
 the image, enable image signing in the local.conf like this:
    INHERIT += "ima-evm-rootfs"
-    IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+    IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 This uses the default keys provided in the "data" directory of the layer.
 Because everyone has access to these private keys, such an image
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
    # In that shell, create the keys. Several options exist:
    # 1. Self-signed keys.
-    $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
+    $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
    # 2. Keys signed by a new CA.
    # When asked for a PEM passphrase, that will be for the root CA.
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
    # only creating new certificates does. Most likely the default
    # attributes for these certificates need to be adapted; modify
    # the scripts as needed.
-    # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
+    # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
-    # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+    # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
    # 3. Keys signed by an existing CA.
-    # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
+    # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
    exit
 When using ``ima-self-signed.sh`` as described above, self-signed keys
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
 changes. To activate policy loading via systemd, place a policy file
 in `/etc/ima/ima-policy`, for example with:
-    IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
+    IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
 To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 8aec388..d6ade3b 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
 # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
 # set explicitly in a local.conf before activating ima-evm-rootfs.
 # To use the insecure (because public) example keys, use
-# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
 # Private key for IMA signing. The default is okay when
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index 917aa86..1d31edd 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6"
 # Set a variable to get to the top of the metadata location. Needed
 # for finding scripts (when following the README.md instructions) and
 # default debug keys (in ima-evm-rootfs.bbclass).
-IMA_EVM_BASE := '${LAYERDIR}'
+INTEGRITY_BASE := '${LAYERDIR}'
 # We must not export this path to all shell scripts (as in "export
-# IMA_EVM_BASE"), because that causes problems with sstate (becames
+# INTEGRITY_BASE"), because that causes problems with sstate (becames
 # dependent on location of the layer). Exporting it to just the
 # interactive shell is enough.
-OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
 LAYERSERIES_COMPAT_integrity = "warrior"
 # ima-evm-utils depends on keyutils from meta-security
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 6ed724d..e1bc6ff 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -17,6 +17,6 @@ inherit core-image
 export IMAGE_BASENAME = "integrity-image-minimal"
 INHERIT += "ima-evm-rootfs"
-IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
author	Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>	2019-07-28 18:31:48 +0300
committer	Armin Kuster <akuster808@gmail.com>	2019-08-04 13:12:41 -0700
commit	c9c4e6c228556cc2054a4b49f85b282fd69fc25c (patch)
tree	6e796d2009a9617c1ab2d876150005f8f4d61cb9
parent	0a73a14fbb0418b4b563ab987aea424dd1eff815 (diff)
download	meta-security-c9c4e6c228556cc2054a4b49f85b282fd69fc25c.tar.gz

diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 5bef76e..4607948 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building
74	the image, enable image signing in the local.conf like this:	74	the image, enable image signing in the local.conf like this:
75		75
76	INHERIT += "ima-evm-rootfs"	76	INHERIT += "ima-evm-rootfs"
77	IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"	77	IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
78		78
79	This uses the default keys provided in the "data" directory of the layer.	79	This uses the default keys provided in the "data" directory of the layer.
80	Because everyone has access to these private keys, such an image	80	Because everyone has access to these private keys, such an image
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the
96	# In that shell, create the keys. Several options exist:	96	# In that shell, create the keys. Several options exist:
97		97
98	# 1. Self-signed keys.	98	# 1. Self-signed keys.
99	$IMA_EVM_BASE/scripts/ima-gen-self-signed.sh	99	$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
100		100
101	# 2. Keys signed by a new CA.	101	# 2. Keys signed by a new CA.
102	# When asked for a PEM passphrase, that will be for the root CA.	102	# When asked for a PEM passphrase, that will be for the root CA.
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the
104	# only creating new certificates does. Most likely the default	104	# only creating new certificates does. Most likely the default
105	# attributes for these certificates need to be adapted; modify	105	# attributes for these certificates need to be adapted; modify
106	# the scripts as needed.	106	# the scripts as needed.
107	# $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh	107	# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
108	# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh	108	# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
109		109
110	# 3. Keys signed by an existing CA.	110	# 3. Keys signed by an existing CA.
111	# $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>	111	# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
112	exit	112	exit
113		113
114	When using ``ima-self-signed.sh`` as described above, self-signed keys	114	When using ``ima-self-signed.sh`` as described above, self-signed keys
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
169	changes. To activate policy loading via systemd, place a policy file	169	changes. To activate policy loading via systemd, place a policy file
170	in `/etc/ima/ima-policy`, for example with:	170	in `/etc/ima/ima-policy`, for example with:
171		171
172	IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"	172	IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
173		173
174	To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`	174	To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
175		175


diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388..d6ade3b 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
1	# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be	1	# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
2	# set explicitly in a local.conf before activating ima-evm-rootfs.	2	# set explicitly in a local.conf before activating ima-evm-rootfs.
3	# To use the insecure (because public) example keys, use	3	# To use the insecure (because public) example keys, use
4	# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"	4	# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
5	IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"	5	IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
6		6
7	# Private key for IMA signing. The default is okay when	7	# Private key for IMA signing. The default is okay when


diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 917aa86..1d31edd 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6"
13	# Set a variable to get to the top of the metadata location. Needed	13	# Set a variable to get to the top of the metadata location. Needed
14	# for finding scripts (when following the README.md instructions) and	14	# for finding scripts (when following the README.md instructions) and
15	# default debug keys (in ima-evm-rootfs.bbclass).	15	# default debug keys (in ima-evm-rootfs.bbclass).
16	IMA_EVM_BASE := '${LAYERDIR}'	16	INTEGRITY_BASE := '${LAYERDIR}'
17		17
18	# We must not export this path to all shell scripts (as in "export	18	# We must not export this path to all shell scripts (as in "export
19	# IMA_EVM_BASE"), because that causes problems with sstate (becames	19	# INTEGRITY_BASE"), because that causes problems with sstate (becames
20	# dependent on location of the layer). Exporting it to just the	20	# dependent on location of the layer). Exporting it to just the
21	# interactive shell is enough.	21	# interactive shell is enough.
22	OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"	22	OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
23		23
24	LAYERSERIES_COMPAT_integrity = "warrior"	24	LAYERSERIES_COMPAT_integrity = "warrior"
25	# ima-evm-utils depends on keyutils from meta-security	25	# ima-evm-utils depends on keyutils from meta-security


diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724d..e1bc6ff 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -17,6 +17,6 @@ inherit core-image
17	export IMAGE_BASENAME = "integrity-image-minimal"	17	export IMAGE_BASENAME = "integrity-image-minimal"
18		18
19	INHERIT += "ima-evm-rootfs"	19	INHERIT += "ima-evm-rootfs"
20	IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"	20	IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
21		21
22	QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"	22	QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"