hHi Stefan, On Tue, 2023-04-25 at 12:10 -0400, Stefan Berger wrote: > Add example scripts for ECC key and certificate creation and reference > them from the README. > > Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> Thank you for adding the ECC examples. With Eric Snowberg's "Add CA enforcement keyring restrictions" patch (Linux v6.4) and the proposed IMA changes, the existing scripts in the examples/ directory need to be updated. Before upstreaming these ECC scripts, let's at least update them. >From Jarkko's v6.4 pull request The .machine keyring, used for Machine Owner Keys (MOK), acquired the ability to store only CA enforced keys, and put rest to the .platform keyring, thus separating the code signing keys from the keys that are used to sign certificates. This essentially unlocks the use of the .machine keyring as a trust anchor for IMA. It is an opt-in feature, meaning that the additional contraints won't brick anyone who does not care about them. > --- > README | 3 +++ > examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++ > examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++ > examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++ > 4 files changed, 94 insertions(+) > create mode 100755 examples/ima-gen-local-ca-ecc.sh > create mode 100755 examples/ima-genkey-ecc.sh > create mode 100755 examples/ima-genkey-self-ecc.sh > > diff --git a/README b/README > index fd12680..ef7f475 100644 > --- a/README > +++ b/README > @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates: > /usr/share/doc/ima-evm-utils/ima-genkey-self.sh > /usr/share/doc/ima-evm-utils/ima-genkey.sh > /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh > + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh > + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh > + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh > > > AUTHOR > diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh > new file mode 100755 > index 0000000..ee2aeb6 > --- /dev/null > +++ b/examples/ima-gen-local-ca-ecc.sh > @@ -0,0 +1,29 @@ > +#!/bin/sh > + > +GENKEY=ima-local-ca.genkey > + > +cat << __EOF__ >$GENKEY > +[ req ] > +distinguished_name = req_distinguished_name > +prompt = no > +string_mask = utf8only > +x509_extensions = v3_ca > + > +[ req_distinguished_name ] > +O = IMA-CA > +CN = IMA/EVM certificate signing key > +emailAddress = ca@ima-ca > + > +[ v3_ca ] > +basicConstraints=CA:TRUE > +subjectKeyIdentifier=hash > +authorityKeyIdentifier=keyid:always,issuer > +# keyUsage = cRLSign, keyCertSign With the INTEGRITY_CA_MACHINE_KEYRING_MAX Kconfig, keyCertSign is required for loading keys onto the .machine keyring. Please uncomment the above line. > +__EOF > + > +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ Please update sha1 to sha256. > + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ > + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 > + > +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem > + > diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh > new file mode 100755 > index 0000000..735c665 > --- /dev/null > +++ b/examples/ima-genkey-ecc.sh > @@ -0,0 +1,33 @@ > +#!/bin/sh > + > +GENKEY=ima.genkey > + > +cat << __EOF__ >$GENKEY > +[ req ] > +distinguished_name = req_distinguished_name > +prompt = no > +string_mask = utf8only > +x509_extensions = v3_usr > + > +[ req_distinguished_name ] > +O = `hostname` > +CN = `whoami` signing key > +emailAddress = `whoami`@`hostname` > + > +[ v3_usr ] > +basicConstraints=critical,CA:FALSE > +#basicConstraints=CA:FALSE > +keyUsage=digitalSignature > +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment In preparation to allowing only code signing keys on the IMA keyring, please add "extendedKeyUsage=critical,codeSigning", > +subjectKeyIdentifier=hash > +authorityKeyIdentifier=keyid > +#authorityKeyIdentifier=keyid,issuer > +__EOF__ > + > +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ And similarly change sha1 to sha256 here. > + -out csr_ima.pem -keyout privkey_ima.pem \ > + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 > +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ > + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ > + -outform DER -out x509_ima.der > + -- thanks, Mimi
