author | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-07-28 18:31:48 +0300 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-08-04 13:12:41 -0700 |
commit | c9c4e6c228556cc2054a4b49f85b282fd69fc25c (patch) | |
tree | 6e796d2009a9617c1ab2d876150005f8f4d61cb9 /meta-integrity/README.md | |
parent | 0a73a14fbb0418b4b563ab987aea424dd1eff815 (diff) | |
meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Diffstat (limited to 'meta-integrity/README.md')
-rw-r--r-- | meta-integrity/README.md | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 5bef76e..4607948 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md | |||
@@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building | |||
74 | the image, enable image signing in the local.conf like this: | 74 | the image, enable image signing in the local.conf like this: |
75 | 75 | ||
76 | INHERIT += "ima-evm-rootfs" | 76 | INHERIT += "ima-evm-rootfs" |
77 | IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" | 77 | IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" |
78 | 78 | ||
79 | This uses the default keys provided in the "data" directory of the layer. | 79 | This uses the default keys provided in the "data" directory of the layer. |
80 | Because everyone has access to these private keys, such an image | 80 | Because everyone has access to these private keys, such an image |
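Review bot: The warning kept as context at README lines 79-80 ("Because everyone has access to these private keys, such an image") only talks about signed images, while the commit message says data/debug-keys will also be reused for demo modsign keys. Suggest widening that sentence, here or in the modsign follow-up, so it is clear that anything signed with the keys in this directory, kernel modules included, gets no protection from the signature.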
@@ -96,7 +96,7 @@ for that are included in the layer. This is also how the | |||
96 | # In that shell, create the keys. Several options exist: | 96 | # In that shell, create the keys. Several options exist: |
97 | 97 | ||
98 | # 1. Self-signed keys. | 98 | # 1. Self-signed keys. |
99 | $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh | 99 | $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh |
100 | 100 | ||
101 | # 2. Keys signed by a new CA. | 101 | # 2. Keys signed by a new CA. |
102 | # When asked for a PEM passphrase, that will be for the root CA. | 102 | # When asked for a PEM passphrase, that will be for the root CA. |
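Review bot: Line 99 depends on `$INTEGRITY_BASE` being set in the shell the README tells the reader to open, and the diffstat shown here is limited to README.md, so the rename of whatever exports the variable into that shell is not visible. If it is unset there, `$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh` expands to `/scripts/ima-gen-self-signed.sh` and the step fails with a misleading path. Please confirm the export is renamed in the same commit.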
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the | |||
104 | # only creating new certificates does. Most likely the default | 104 | # only creating new certificates does. Most likely the default |
105 | # attributes for these certificates need to be adapted; modify | 105 | # attributes for these certificates need to be adapted; modify |
106 | # the scripts as needed. | 106 | # the scripts as needed. |
107 | # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh | 107 | # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh |
108 | # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh | 108 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh |
109 | 109 | ||
110 | # 3. Keys signed by an existing CA. | 110 | # 3. Keys signed by an existing CA. |
111 | # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> | 111 | # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> |
112 | exit | 112 | exit |
113 | 113 | ||
114 | When using ``ima-self-signed.sh`` as described above, self-signed keys | 114 | When using ``ima-self-signed.sh`` as described above, self-signed keys |
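Review bot: The context at line 114 refers to ``ima-self-signed.sh``, but the script invoked at line 99 is `ima-gen-self-signed.sh`. Since this change already touches every script path in the section, correct the name at line 114 as well so the prose matches the command.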
@@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd | |||
169 | changes. To activate policy loading via systemd, place a policy file | 169 | changes. To activate policy loading via systemd, place a policy file |
170 | in `/etc/ima/ima-policy`, for example with: | 170 | in `/etc/ima/ima-policy`, for example with: |
171 | 171 | ||
172 | IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" | 172 | IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" |
173 | 173 | ||
174 | To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` | 174 | To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` |
175 | 175 | ||
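Review bot: Line 172, like line 77, changes what readers paste into local.conf, but the README gets no note telling existing users that `${IMA_EVM_BASE}` has been renamed. BitBake leaves a reference to an undefined variable unexpanded, so if the old name is no longer defined, a local.conf copied from the previous README ends up with the literal string `${IMA_EVM_BASE}/data/ima_policy_simple` as the policy path. Suggest a one-line migration note next to these examples, or keeping `IMA_EVM_BASE` as an alias for `INTEGRITY_BASE` for one release.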