commit aa7c9ff77e20ef284b746a6eb6293e95ac8f8397
author Stefan Berger <stefanb@linux.ibm.com> Tue Mar 28 17:31:50 2023 -0400
committer Stefan Berger <stefanb@linux.ibm.com> Wed Apr 26 20:18:39 2023 -0400
tree 54a28f23ebf3a50b6f91c28ca1019474d206b8f2
parent 8af674e68bedd36b37344726e62d11880dfd6131

ima: Document and replace keys and adapt scripts for EC keys

For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

meta-security/meta-integrity/data/debug-keys/README.md

diff --git a/meta-security/meta-integrity/data/debug-keys/README.md b/meta-security/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+  openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````

meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem

diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9
+MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt
+c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG
+SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP
+MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD
+DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp
+Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU
+rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG
+A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud
+IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO
+PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu
+clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw==
+-----END CERTIFICATE-----

meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv

diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----

meta-security/meta-integrity/data/debug-keys/privkey_ima.pem

diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
 -----END PRIVATE KEY-----

meta-security/meta-integrity/data/debug-keys/x509_ima.der

diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6b..3f6f24e 100644
--- a/meta-security/meta-integrity/data/debug-keys/x509_ima.der
+++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ