| -rw-r--r-- | meta-integrity/classes/ima-evm-rootfs.bbclass | 12 |
1 files changed, 12 insertions, 0 deletions
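--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -89,6 +89,18 @@ ima_evm_sign_rootfs () {
 bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
 evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
 fi
+
+# Optionally write the file names and ima and evm signatures into files
+if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
+getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
+sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
+sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
+fi
+if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
+getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
+sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
+sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
+fi
 }
 
 # Signing must run as late as possible in the do_rootfs task.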
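Review bot: The redirect targets `./${IMA_FILE_SIGNATURES_FILE}` and `./${EVM_FILE_SIGNATURES_FILE}` on the last line of each new `if` block are unquoted, so a value containing whitespace or glob characters mis-splits the redirection; write them as `> "./${IMA_FILE_SIGNATURES_FILE}"` and `> "./${EVM_FILE_SIGNATURES_FILE}"`. The `2>/dev/null` on getfattr, combined with an unchecked pipeline whose status is that of the final sed, means a missing getfattr binary or an unreadable subtree silently produces an empty manifest; emitting a `bbwarn` when the resulting file is empty would make that failure visible in the build log. Both listings are written relative to the current directory, which appears to be the image rootfs given the `getfattr -R ... ./` walk, but the start of ima_evm_sign_rootfs is outside the hunk so this cannot be confirmed here; if it is the rootfs, the manifest is placed inside the image after `evmctl sign` has already run, so it carries no security.ima/security.evm of its own and would be rejected by an appraisal policy that covers its path. A comment such as `# Written after signing: this file has no IMA/EVM signature itself` above the first `if` would record that limitation for anyone relying on the list at runtime.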
