ast2600: Add IMA/EVM config variables to local.conf

IMA and EVM support requires Linux kernel support that can be enabled with
the DISTRO_FEATURE 'ima'. Add this to local.conf.

Beyond that, IMA and EVM require a couple of variables that the user should
set for her own needs, such as keys and certs used by IMA.

Have executables in the filesystem signed by inheriting the ima-evm-rootfs
IMAGE_CLASS.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/meta-evb/meta-evb-aspeed/meta-evb-ast2600/conf/templates/default/local.conf.sample b/meta-evb/meta-evb-aspeed/meta-evb-ast2600/conf/templates/default/local.conf.sample
index 7da9adf..0280b0f 100644
--- a/meta-evb/meta-evb-aspeed/meta-evb-ast2600/conf/templates/default/local.conf.sample
+++ b/meta-evb/meta-evb-aspeed/meta-evb-ast2600/conf/templates/default/local.conf.sample
@@ -16,4 +16,25 @@
     HALT,/tmp,10M,1K"
 CONF_VERSION = "2"
 
+DISTRO_FEATURES:append = " integrity"
+
+# Enable IMA kernel support
+# DISTRO_FEATURES:append = " ima"
+
+# Once ima-evm-rootfs is activated we need the keys below for signing
+# executables and libraries
+# IMAGE_CLASSES += "ima-evm-rootfs"
+
+# Modify the following variables to point to your own directory and keys
+# The CA must be able to verify the x509 cert:
+#    openssl verify -CAfile ${IMA_EVM_ROOT_CA} ${IMA_EVM_X509}
+#
+# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+# IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+# IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+# IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+# The following policy enforces IMA & EVM signatures
+# IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
+
 require conf/machine/include/obmc-bsp-common.inc
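Review bot: The commit message says the 'ima' DISTRO_FEATURE is added to local.conf, but in the hunk only `DISTRO_FEATURES:append = " integrity"` is active; the `# DISTRO_FEATURES:append = " ima"` line and the `# IMAGE_CLASSES += "ima-evm-rootfs"` line are commented out, so a user who copies this template as-is gets neither the kernel IMA support nor signed executables. Either uncomment those two lines or reword the message and the `# Enable IMA kernel support` comment to say these are opt-in lines the user must uncomment. Separately, the suggested `IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"` points at keys shipped inside the layer tree; since anything under a layer's debug-keys directory is distributed with the layer source, the comment above it should state that these are for bring-up only and that production images must use a key directory outside the layer, otherwise the `openssl verify` check described in the comment passes but the signatures give no integrity guarantee.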