Diffstat (limited to 'meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass')
-rw-r--r-- | meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 98c4bc1f26..7b7337379c 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -89,6 +89,18 @@ ima_evm_sign_rootfs () {
 bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
 evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
 fi
+
+ # Optionally write the file names and ima and evm signatures into files
+ if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.ima --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' | \
+ sed '$!N;s/\n/ /' > ./${IMA_FILE_SIGNATURES_FILE}
+ fi
+ if [ "${EVM_FILE_SIGNATURES_FILE}" ]; then
+ getfattr -R -m security.evm --e hex --dump ./ 2>/dev/null | \
+ sed -n -e 's|# file: |/|p' -e 's|security.evm=|evm:|p' | \
+ sed '$!N;s/\n/ /' > ./${EVM_FILE_SIGNATURES_FILE}
+ fi
 }
 # Signing must run as late as possible in the do_rootfs task.
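Review bot: Both new getfattr pipelines discard stderr and hang off a plain `|`, so if getfattr fails (no xattr support on the build-host filesystem, a permission error, or the cwd not being the rootfs) the signature listing is silently written empty or truncated, which defeats its purpose as a record of what was actually signed. I would drop `2>/dev/null`, capture getfattr's output to a temp file, and `bbfatal` on a non-zero exit before running the sed post-processing. The `./` and the `# file: ` → `/` rewrite assume the function has already changed into `${IMAGE_ROOTFS}`; that part of `ima_evm_sign_rootfs` lies outside the hunk, and since the evmctl line above uses the absolute `${IMAGE_ROOTFS}` path it is worth confirming. Separately, `./${IMA_FILE_SIGNATURES_FILE}` is unquoted, and if it resolves inside the rootfs the listing is created after the signing pass and so lands in the image without its own IMA/EVM signature — either write it outside the image (e.g. under `${DEPLOY_DIR_IMAGE}`) or sign it explicitly, and say which in the comment.
```shell
    if [ "${IMA_FILE_SIGNATURES_FILE}" ]; then
        # Fail loudly: a silently empty listing would misrepresent what was signed.
        raw=$(mktemp) || bbfatal "IMA/EVM: mktemp failed"
        getfattr -R -m security.ima -e hex --dump ./ > "${raw}" || \
            bbfatal "IMA/EVM: getfattr failed while collecting security.ima signatures"
        sed -n -e 's|# file: |/|p' -e 's|security.ima=|ima:|p' "${raw}" | \
            sed '$!N;s/\n/ /' > "./${IMA_FILE_SIGNATURES_FILE}"
        rm -f "${raw}"
    fi
    # … unchanged: same pattern for EVM_FILE_SIGNATURES_FILE with security.evm/evm: …
```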