# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
# set explicitly in a local.conf before activating ima-evm-rootfs.
# To use the insecure (because public) example keys, use
# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
# Images signed with those public example keys carry no integrity
# guarantee, since anyone can re-sign modified files with them.
# The placeholder value below is a deliberately invalid path so that a
# build without explicit key configuration fails instead of silently
# signing with something unintended.
IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"

# Private key for IMA signing (passed to "evmctl ima_sign --key").
# The default is okay when using the example key directory.
IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"

# Public part of the certificate (used for both IMA and EVM); it is
# installed into ${sysconfdir}/keys of the rootfs by ima_evm_sign_rootfs.
# The default is okay when using the example key directory.
IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"

# Root CA to be compiled into the kernel, none by default.
# Must be the absolute path to a der-encoded x509 CA certificate
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
IMA_EVM_ROOT_CA ?= ""

# Sign all regular files by default. The value is used verbatim as the
# argument list of find(1), starting with the search path relative to
# the rootfs, so it must be a complete and valid find expression.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
# Hash nothing by default.
# NOTE(review): GNU find's -depth takes no argument, so "-depth 0" may
# make find reject the stray "0" rather than evaluate to "no match";
# the result is still "nothing hashed" because the find | xargs
# pipeline ignores find's exit status. "-maxdepth 0 -false" may be
# what was intended -- verify before relying on this default.
IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"

# Mount these file systems (identified via their mount point) with
# the iversion flags (needed by IMA when allowing writing).
# Space-separated list of mount points. Each entry is spliced into the
# regular expression that rewrites etc/fstab without escaping, so
# regex metacharacters in a mount point change what is matched.
IMA_EVM_ROOTFS_IVERSION ?= ""

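ima_evm_sign_rootfs () {
    # Install the IMA certificate into the rootfs, add the iversion mount
    # option to etc/fstab, sign (and optionally hash) the rootfs files with
    # the private IMA key and optionally install an IMA policy for systemd.
    # Runs from IMAGE_PREPROCESS_COMMAND with the finished rootfs as cwd.
    #
    # Beware that all operations below must also work when
    # ima_evm_sign_rootfs was already called earlier for the same
    # rootfs. That's because do_image might again run for various
    # reasons (including a change of the signing keys) without also
    # re-running do_rootfs.

    # Fail early with an actionable message instead of a cryptic error from
    # install(1) when IMA_EVM_X509 was left at the placeholder default
    # (IMA_EVM_KEY_DIR_NOT_SET) or points to a missing file. The private
    # key is only consumed by evmctl, which reports an unreadable key itself.
    if [ ! -r "${IMA_EVM_X509}" ]; then
        bbfatal "IMA/EVM: certificate '${IMA_EVM_X509}' is not readable; set IMA_EVM_KEY_DIR or IMA_EVM_X509 in local.conf"
    fi

    # Paths are quoted against word splitting; the bitbake-expanded values
    # may contain spaces.
    cd "${IMAGE_ROOTFS}"

    # Copy file(s) which must be on the device. Note that
    # evmctl uses x509_evm.der also for "ima_verify", which is probably
    # a bug (should default to x509_ima.der). Does not matter for us
    # because we use the same key for both.
    # rm -f / ln -sf keep this idempotent for repeated do_image runs.
    install -d "./${sysconfdir}/keys"
    rm -f "./${sysconfdir}/keys/x509_evm.der"
    install "${IMA_EVM_X509}" "./${sysconfdir}/keys/x509_evm.der"
    ln -sf x509_evm.der "./${sysconfdir}/keys/x509_ima.der"

    # Fix /etc/fstab: it must include the "i_version" mount option for
    # those file systems where writing files is allowed, otherwise
    # these changes will not get detected at runtime.
    #
    # Note that "i_version" is documented in "man mount" only for ext4,
    # whereas "iversion" is said to be filesystem-independent. In practice,
    # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4
    # all support it.
    #
    # coreutils translates "iversion" into MS_I_VERSION. busybox rejects
    # "iversion" and only understands "i_version". systemd only understands
    # "iversion". We pick "iversion" here for systemd, whereas rootflags
    # for initramfs must use "i_version" for busybox.
    #
    # The mount points from IMA_EVM_ROOTFS_IVERSION are joined with "|"
    # into the regex (unescaped) at bitbake expansion time; with the
    # variable empty a placeholder that matches no fstab line is used.
    # Deduplicates iversion in case that this gets called more than once.
    if [ -f etc/fstab ]; then
        perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
    fi

    # Sign files with the private IMA key. EVM not supported at the moment.
    # IMA_EVM_ROOTFS_SIGNED / IMA_EVM_ROOTFS_HASHED are deliberately left
    # unquoted: they are complete find(1) argument lists. File names are
    # passed to xargs one per line, so a name containing a newline is not
    # handled, and the pipeline does not propagate a failure of find.
    bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
    find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key "${IMA_EVM_PRIVKEY}"
    bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
    find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash

    # Optionally install a custom policy for loading by systemd.
    # NOTE(review): install(1) without -m creates the file with mode 0755;
    # the policy only needs to be readable, so -m 0644 may be preferable.
    if [ -n "${IMA_EVM_POLICY_SYSTEMD}" ]; then
        install -d "./${sysconfdir}/ima"
        rm -f "./${sysconfdir}/ima/ima-policy"
        install "${IMA_EVM_POLICY_SYSTEMD}" "./${sysconfdir}/ima/ima-policy"
    fi
}
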
# Signing must run as late as possible in the do_rootfs task.
# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
# _append instead of += because _append gets evaluated later. In
# particular, we must run after prelink_image in
# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
# Any step that modifies rootfs files after signing would leave them
# without a valid signature.

IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "

# evmctl must have been installed first: ima_evm_sign_rootfs runs it on
# the build host, hence the dependency on the -native sysroot.
do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"