integrity: Update the README for IMA support
Update the README describing how IMA support can be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index 816b40d..1a37280 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -76,7 +76,7 @@
It has some dependencies on a suitable BSP; in particular the kernel
must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
directly from the kernel) which were added in that release. Your
mileage may vary with older kernels.
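Review bot: bumping the version on the `-Linux 3.19` / `+Linux 6.1` line leaves the rest of the sentence wrong: it still says the layer "uses some features (like loading X509 certificates directly from the kernel) which were added in that release", which was true of 3.19, not of 6.1. Either reword to separate the tested kernel from the minimum one, e.g. "The layer was tested with Linux 6.1; loading X509 certificates directly from the kernel requires at least Linux 3.19", or drop the "added in that release" clause so the hunk does not introduce an incorrect claim.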
@@ -89,10 +89,17 @@
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
+ DISTRO_FEATURES:append = " integrity ima"
+
IMAGE_CLASSES += "ima-evm-rootfs"
+
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+ IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+ # The following policy enforces IMA & EVM signatures
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
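Review bot: the two new variables in this hunk, `IMA_EVM_ROOT_CA` and `IMA_EVM_POLICY`, are added to the local.conf snippet without any explanation, while the sentence right after the snippet still only talks about "the default keys". Add a line after the snippet saying what `IMA_EVM_ROOT_CA` is for (the CA certificate that, per the text later in this README, `ima-evm-rootfs.bbclass` can compile into the kernel's system keyring) and spell out the consequence of the policy comment "The following policy enforces IMA & EVM signatures": with an appraise-all policy, every file on the rootfs must carry a valid signature, so this setting only works together with signing the whole image. It would also help to state that `DISTRO_FEATURES:append = " integrity ima"` is what pulls in the IMA kernel configuration mentioned just above the snippet, since the preceding paragraph still reads as if that step were separate.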
@@ -113,10 +120,7 @@
cd $IMA_EVM_KEY_DIR
# In that shell, create the keys. Several options exist:
- # 1. Self-signed keys.
- $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
- # 2. Keys signed by a new CA.
+ # 1. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
# Signing images then will not require entering that passphrase,
# only creating new certificates does. Most likely the default
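Review bot: this hunk silently drops option "1. Self-signed keys" and `ima-gen-self-signed.sh`, renumbering the remaining options, but neither the hunk nor the commit message says why. If the script was removed, or if self-signed keys no longer work now that the root CA is compiled into the kernel keyring, state that in the commit message and, ideally, in a short sentence here so readers with an existing self-signed setup know it is no longer supported rather than assuming the option was lost by accident.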
@@ -125,13 +129,11 @@
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
- # 3. Keys signed by an existing CA.
+ # 2. Keys signed by an existing CA.
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA. The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
supports adding tha CA's public key to the kernel's system keyring by
compiling it directly into the kernel. Because it is unknown whether
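Review bot: the rewritten sentence `+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA` names a script, `ima-gen.sh`, that does not match the commands shown a few lines above in the same hunk (`ima-gen-local-ca.sh` and `ima-gen-CA-signed.sh`); since this line is being changed anyway, make the script names agree with the commands listed. Two nits in the surrounding context of this hunk: `tha CA's public key` on the following line should read `the CA's public key`, and the option-2 line `# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>` is commented out like the option-1 commands, so it is not obvious to a reader which lines are meant to be typed; a brief "uncomment the option you want" remark would remove the ambiguity.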