Merge branch 'update-ecc-doc-examples' into next

From the cover letter: Update the README and add example scripts for RSA keys to use more up-to-date values for key sizes and hash being used and adjust the OpenSSL config files so that the created keys can be used with the .machine keyring. Add EC key and cert support scripts and describe EC key and certificate generation in the README.
2025-04-27 14:22:31 +02:00 · 2023-04-27 09:59:18 -04:00 · 2023-04-27 09:59:18 -04:00 · dc0cbaea42
commit dc0cbaea42
parent 31f4a22b57 14bce8a97c
8 changed files with 136 additions and 15 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL
 dist_man_MANS = evmctl.1
 endif

-doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+doc_DATA = \
+	 examples/ima-genkey-self.sh \
+	 examples/ima-genkey.sh \
+	 examples/ima-gen-local-ca.sh \
+	 examples/ima-genkey-self-ecc.sh \
+	 examples/ima-genkey-ecc.sh \
+	 examples/ima-gen-local-ca-ecc.sh
 EXTRA_DIST = autogen.sh $(doc_DATA)

 CLEANFILES = *.html *.xsl
--- a/41
+++ b/41
@ -200,11 +200,11 @@ Generate signing and verification keys

 Generate private key in plain text format:

-    openssl genrsa -out privkey_evm.pem 1024
+    openssl genrsa -out privkey_evm.pem 2048

 Generate encrypted private key:

-    openssl genrsa -des3 -out privkey_evm.pem 1024
+    openssl genrsa -des3 -out privkey_evm.pem 2048

 Make encrypted private key from unencrypted:

@ -213,15 +213,27 @@ Make encrypted private key from unencrypted:
 Generate self-signed X509 public key certificate and private key for using kernel
 asymmetric keys support:

-    openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+    openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
    	        -x509 -config x509_evm.genkey \
 	        -outform DER -out x509_evm.der -keyout privkey_evm.pem

+Create an elliptic curve (EC) key (supported since Linux v5.13)
+
+    openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem
+
+Generate self-signed x509 EC public key certificate and private key for using
+kernel asymmetric key support (supported since Linux v5.13):
+
+   openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+                -x509 -config x509_evm.genkey \
+                -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+                -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
 Configuration file x509_evm.genkey:

 	# Beginning of the file
 	[ req ]
-	default_bits = 1024
+	default_bits = 2048
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
@ -235,6 +247,7 @@ Configuration file x509_evm.genkey:
 	[ myexts ]
 	basicConstraints=critical,CA:FALSE
 	keyUsage=digitalSignature
+	extendedKeyUsage=critical,codeSigning
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid
 	# EOF
@ -244,6 +257,9 @@ Generate public key for using RSA key format:

    openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

+Similarly generate public EC key:
+
+    openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem

 Copy keys to /etc/keys:

@ -287,12 +303,18 @@ Configuration file ima-local-ca.genkey:
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
-	# keyUsage = cRLSign, keyCertSign
+	keyUsage = cRLSign, keyCertSign
 	# EOF

+Note: To generated elliptic curve keys add the following parameters to
+      the 'req' commands below (supported since Linux v5.13):
+
+      -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+
 Generate private key and X509 public key certificate:

- openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
             -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv

 Produce X509 in DER format for using while building the kernel:
@ -303,7 +325,7 @@ Configuration file ima.genkey:

 	# Beginning of the file
 	[ req ]
-	default_bits = 1024
+	default_bits = 2048
 	distinguished_name = req_distinguished_name
 	prompt = no
 	string_mask = utf8only
@ -327,7 +349,7 @@ Configuration file ima.genkey:

 Generate private key and X509 public key certificate signing request:

- openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+ openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
             -out csr_ima.pem -keyout privkey_ima.pem

 Sign X509 public key certificate signing request with local IMA CA private key:
@ -448,6 +470,9 @@ Examples of scripts to generate X509 public key certificates:
 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
 /usr/share/doc/ima-evm-utils/ima-genkey.sh
 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh


 AUTHOR
--- a/examples/ima-gen-local-ca-ecc.sh
+++ b/examples/ima-gen-local-ca-ecc.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+		-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@ -19,10 +19,10 @@ emailAddress = ca@ima-ca
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 __EOF__

-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
 		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv

 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
--- a/examples/ima-genkey-ecc.sh
+++ b/examples/ima-genkey-ecc.sh
@ -0,0 +1,33 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
+		-out csr_ima.pem -keyout privkey_ima.pem \
+		-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+		-outform DER -out x509_ima.der
--- a/examples/ima-genkey-self-ecc.sh
+++ b/examples/ima-genkey-self-ecc.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+		-outform DER -out x509_evm.der -keyout privkey_evm.pem \
+		-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
--- a/examples/ima-genkey-self.sh
+++ b/examples/ima-genkey-self.sh
@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey

 cat << __EOF__ >$GENKEY
 [ req ]
-default_bits = 1024
+default_bits = 2048
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
@ -22,7 +22,7 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 __EOF__

-openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
 		-outform DER -out x509_evm.der -keyout privkey_evm.pem

 openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@ -4,7 +4,7 @@ GENKEY=ima.genkey

 cat << __EOF__ >$GENKEY
 [ req ]
-default_bits = 1024
+default_bits = 2048
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
@ -20,12 +20,13 @@ basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer
 __EOF__

-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
 		-out csr_ima.pem -keyout privkey_ima.pem
 openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
 		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \