ima: Document and replace keys and adapt scripts for EC keys
For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem