From c9c4e6c228556cc2054a4b49f85b282fd69fc25c Mon Sep 17 00:00:00 2001 From: Dmitry Eremin-Solenikov Date: Sun, 28 Jul 2019 18:31:48 +0300 Subject: meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE data/debug-keys will be reused for demo modsign keys, so rename IMA_EVM_BASE to more generic INTEGRITY_BASE. Signed-off-by: Dmitry Eremin-Solenikov --- meta-integrity/README.md | 12 ++++++------ meta-integrity/classes/ima-evm-rootfs.bbclass | 2 +- meta-integrity/conf/layer.conf | 6 +++--- .../recipes-core/images/integrity-image-minimal.bb | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 5bef76e..4607948 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: INHERIT += "ima-evm-rootfs" - IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -96,7 +96,7 @@ for that are included in the layer. This is also how the # In that shell, create the keys. Several options exist: # 1. Self-signed keys. - $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh # 2. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. 
@@ -104,11 +104,11 @@ for that are included in the layer. This is also how the # only creating new certificates does. Most likely the default # attributes for these certificates need to be adapted; modify # the scripts as needed. - # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh # 3. Keys signed by an existing CA. - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh exit When using ``ima-self-signed.sh`` as described above, self-signed keys @@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388..d6ade3b 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -1,7 +1,7 @@ # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be # set explicitly in a local.conf before activating ima-evm-rootfs. # To use the insecure (because public) example keys, use -# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" # Private key for IMA signing. The default is okay when diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index 917aa86..1d31edd 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf 
@@ -13,13 +13,13 @@ BBFILE_PRIORITY_integrity = "6" # Set a variable to get to the top of the metadata location. Needed # for finding scripts (when following the README.md instructions) and # default debug keys (in ima-evm-rootfs.bbclass). -IMA_EVM_BASE := '${LAYERDIR}' +INTEGRITY_BASE := '${LAYERDIR}' # We must not export this path to all shell scripts (as in "export -# IMA_EVM_BASE"), because that causes problems with sstate (becames +# INTEGRITY_BASE"), because that causes problems with sstate (becames # dependent on location of the layer). Exporting it to just the # interactive shell is enough. -OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" +OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" LAYERSERIES_COMPAT_integrity = "warrior" # ima-evm-utils depends on keyutils from meta-security diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724d..e1bc6ff 100644 --- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,6 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" -- cgit v1.2.3-54-g00ecf
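Review bot: The rename at `+INTEGRITY_BASE := '${LAYERDIR}'` removes a variable that users set in their own local.conf (the README hunks in this same commit show `IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"` as the documented way to point at the debug keys), so existing configurations referencing `${IMA_EVM_BASE}` will no longer resolve to the layer directory and key lookup in ima-evm-rootfs will presumably fail with an unhelpful path. A one-line compatibility alias next to the new definition keeps those configurations working while the README already steers new users to the new name: `IMA_EVM_BASE := '${INTEGRITY_BASE}'`. If the old name is meant to go away, a short note in the README (the hunks in this commit only swap the name and do not mention that `IMA_EVM_BASE` is gone) would save users from debugging a failed signing step. The same consideration applies to the OE_TERMINAL_EXPORTS line, since the interactive key-generation steps in the README rely on the exported variable.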