Diffstat (limited to 'meta-security/meta-integrity/classes')
-rw-r--r-- | meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass | 2 | ||||
-rw-r--r-- | meta-security/meta-integrity/classes/kernel-modsign.bbclass | 29 |
2 files changed, 30 insertions, 1 deletions
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 8aec388dff..d6ade3bf91 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -1,7 +1,7 @@
 # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
 # set explicitly in a local.conf before activating ima-evm-rootfs.
 # To use the insecure (because public) example keys, use
-# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
 IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
 
 # Private key for IMA signing. The default is okay when
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
new file mode 100644
index 0000000000..09025baa7d
--- /dev/null
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -0,0 +1,29 @@
+# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be
+# set explicitly in a local.conf before activating kernel-modsign.
+# To use the insecure (because public) example keys, use
+# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+
+# Private key for modules signing. The default is okay when
+# using the example key directory.
+MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
+
+# Public part of certificates used for modules signing.
+# The default is okay when using the example key directory.
+MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
+
+# If this class is enabled, disable stripping signatures from modules
+INHIBIT_PACKAGE_STRIP = "1"
+
+kernel_do_configure_prepend() {
+ if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
+ cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
+ > "${B}/modsign_key.pem"
+ else
+ bberror "Either modsign key or certificate are invalid"
+ fi
+}
+
+do_shared_workdir_append() {
+ cp modsign_key.pem $kerneldir/
+}
|
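Review bot: The else branch of kernel_do_configure_prepend reports the missing key with `bberror` but does not stop the task, so configure continues without `${B}/modsign_key.pem` and the build presumably fails later in do_shared_workdir_append with a bare cp error, or proceeds with modules that are not signed by the intended key. Since the condition only checks existence with `-f`, `bbfatal "modsign key or certificate missing: ${MODSIGN_PRIVKEY} ${MODSIGN_X509}"` both aborts at the right place and describes what was actually tested. The `-a` inside `[ ]` is marked obsolescent by POSIX; `[ -f "${MODSIGN_PRIVKEY}" ] && [ -f "${MODSIGN_X509}" ]` is the portable spelling. The last function copies the concatenated private key into `$kerneldir`, the shared kernel work directory, which is presumably readable by every recipe that consumes the kernel build tree; a comment stating that this exposure is intended, or a restrictive mode on the copy, would make the decision visible to the next maintainer.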