* [PATCH ima-evm-utils v2 0/2] Update README and examples for ECC key support
@ 2023-04-25 16:10 Stefan Berger
2023-04-25 16:10 ` [PATCH ima-evm-utils v2 1/2] Add openssl command line examples for creation of EC keys Stefan Berger
2023-04-25 16:10 ` [PATCH ima-evm-utils v2 2/2] examples: Add examples for elliptic curve key and certs generation Stefan Berger
0 siblings, 2 replies; 6+ messages in thread
From: Stefan Berger @ 2023-04-25 16:10 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Update the README and add example scripts for ECC key and cert support.
Regards,
Stefan
Stefan Berger (2):
Add openssl command line examples for creation of EC keys
examples: Add examples for elliptic curve key and certs generation
README | 24 +++++++++++++++++++++++
examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++
examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++
examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++
4 files changed, 115 insertions(+)
create mode 100755 examples/ima-gen-local-ca-ecc.sh
create mode 100755 examples/ima-genkey-ecc.sh
create mode 100755 examples/ima-genkey-self-ecc.sh
--
2.39.2
* [PATCH ima-evm-utils v2 1/2] Add openssl command line examples for creation of EC keys
From: Stefan Berger @ 2023-04-25 16:10 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Add openssl command line examples for creation of EC keys for
EVM and IMA CA and signing key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/README b/README
index 75e4fd2..fd12680 100644
--- a/README
+++ b/README
@@ -217,6 +217,18 @@ asymmetric keys support:
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
+Create an elliptic curve (EC) key (supported since Linux v5.13)
+
+ openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem
+
+Generate self-signed x509 EC public key certificate and private key for using
+kernel asymmetric key support (supported since Linux v5.13):
+
+ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ -x509 -config x509_evm.genkey \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
Configuration file x509_evm.genkey:
# Beginning of the file
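Review bot: both new commands write privkey_evm.pem, so a reader who runs the `openssl ecparam -genkey` line and then the `openssl req ... -newkey ec` line silently overwrites the key created a moment earlier; the text should say the two are alternatives, or the `req` example should reuse the ecparam output with `-key privkey_evm.pem` instead of `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1`. The `-sha1` digest is also carried over from the RSA example into the EC one; a self-signed EC certificate generated today should use `-sha256`.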
@@ -244,6 +256,9 @@ Generate public key for using RSA key format:
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+Similarly generate public EC key:
+
+ openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
Copy keys to /etc/keys:
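Review bot: style point on the new sentence, "Similarly generate public EC key:" reads better as "Similarly, generate the public key from an EC private key:", matching the "Generate public key for using RSA key format:" wording just above it.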
@@ -290,6 +305,12 @@ Configuration file ima-local-ca.genkey:
# keyUsage = cRLSign, keyCertSign
# EOF
+Note: To generated elliptic curve keys add the following parameters to
+ the 'req' commands below (supported since Linux v5.13):
+
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+
Generate private key and X509 public key certificate:
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
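Review bot: typo in the added note, "To generated elliptic curve keys" should read "To generate elliptic curve keys", and the note ends with two consecutive blank lines before "Generate private key and X509 public key certificate:", one is enough. Since the `req` commands the note points at still pass `-sha1`, it would help to say in the same note that the digest should be changed to `-sha256` along with adding the EC parameters.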
--
2.39.2
* [PATCH ima-evm-utils v2 2/2] examples: Add examples for elliptic curve key and certs generation
From: Stefan Berger @ 2023-04-25 16:10 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Add example scripts for ECC key and certificate creation and reference
them from the README.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 3 +++
examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++
examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++
examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++
4 files changed, 94 insertions(+)
create mode 100755 examples/ima-gen-local-ca-ecc.sh
create mode 100755 examples/ima-genkey-ecc.sh
create mode 100755 examples/ima-genkey-self-ecc.sh
diff --git a/README b/README
index fd12680..ef7f475 100644
--- a/README
+++ b/README
@@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates:
/usr/share/doc/ima-evm-utils/ima-genkey-self.sh
/usr/share/doc/ima-evm-utils/ima-genkey.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
AUTHOR
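Review bot: the README now documents three scripts under /usr/share/doc/ima-evm-utils/, but the diffstat shows only README and examples/ touched, so nothing installs them to that path; the new scripts need to be added to the doc_DATA list in Makefile.am in the same patch, otherwise the documented paths will not exist on an installed system.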
diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
new file mode 100755
index 0000000..ee2aeb6
--- /dev/null
+++ b/examples/ima-gen-local-ca-ecc.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
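Review bot: `# keyUsage = cRLSign, keyCertSign` in [ v3_ca ] is left commented out, so the CA certificate carries no keyUsage extension at all; a certificate meant to act as a trust anchor for IMA/EVM signing keys should assert keyCertSign, and the kernel's CA keyring restrictions check for it. The `openssl req` line also signs the self-signed CA certificate with `-sha1`; use `-sha256`. Minor: all three new files end with an empty `+` line, which git flags as "new blank line at EOF".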
diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh
new file mode 100755
index 0000000..735c665
--- /dev/null
+++ b/examples/ima-genkey-ecc.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+ -outform DER -out x509_ima.der
+
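Review bot: `-sha1` on the `openssl req` line only affects the signature on the CSR; the certificate itself is produced by the `openssl x509 -req` line, which passes no digest option and therefore signs with the OpenSSL default. Either drop `-sha1` or make the digest explicit on the `x509 -req` line (`-sha256`), so the script documents what the certificate is actually signed with. The [ v3_usr ] section also has no extendedKeyUsage; a key that only signs IMA file hashes should carry `extendedKeyUsage=critical,codeSigning` so it can be told apart from CA and general-purpose keys.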
diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh
new file mode 100755
index 0000000..3d8f11f
--- /dev/null
+++ b/examples/ima-genkey-self-ecc.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
+
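Review bot: here `-sha1` signs the self-signed certificate directly, so unlike the CA-issued flow it decides the digest every verifier sees; change it to `-sha256`. For consistency with ima-genkey-ecc.sh, [ myexts ] should get the same `extendedKeyUsage=critical,codeSigning` line, and since the subject fields are built from `hostname` and `whoami` inside an unquoted heredoc, it is worth a comment that those backticks are expanded on purpose.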
--
2.39.2
* Re: [PATCH ima-evm-utils v2 2/2] examples: Add examples for elliptic curve key and certs generation
From: Mimi Zohar @ 2023-04-26 13:58 UTC (permalink / raw)
To: Stefan Berger, linux-integrity; +Cc: Eric Snowberg
Hi Stefan,
On Tue, 2023-04-25 at 12:10 -0400, Stefan Berger wrote:
> Add example scripts for ECC key and certificate creation and reference
> them from the README.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Thank you for adding the ECC examples. With Eric Snowberg's "Add CA
enforcement keyring restrictions" patch (Linux v6.4) and the proposed
IMA changes, the existing scripts in the examples/ directory need to be
updated. Before upstreaming these ECC scripts, let's at least update
them.
From Jarkko's v6.4 pull request:
The .machine keyring, used for Machine Owner Keys (MOK), acquired the
ability to store only CA enforced keys, and put rest to the .platform
keyring, thus separating the code signing keys from the keys that are
used to sign certificates. This essentially unlocks the use of the
.machine keyring as a trust anchor for IMA. It is an opt-in feature,
meaning that the additional constraints won't brick anyone who does not
care about them.
> ---
> README | 3 +++
> examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++
> examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++
> examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++
> 4 files changed, 94 insertions(+)
> create mode 100755 examples/ima-gen-local-ca-ecc.sh
> create mode 100755 examples/ima-genkey-ecc.sh
> create mode 100755 examples/ima-genkey-self-ecc.sh
>
> diff --git a/README b/README
> index fd12680..ef7f475 100644
> --- a/README
> +++ b/README
> @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates:
> /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
> /usr/share/doc/ima-evm-utils/ima-genkey.sh
> /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
> + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
> + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
> + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
>
>
> AUTHOR
> diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
> new file mode 100755
> index 0000000..ee2aeb6
> --- /dev/null
> +++ b/examples/ima-gen-local-ca-ecc.sh
> @@ -0,0 +1,29 @@
> +#!/bin/sh
> +
> +GENKEY=ima-local-ca.genkey
> +
> +cat << __EOF__ >$GENKEY
> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +string_mask = utf8only
> +x509_extensions = v3_ca
> +
> +[ req_distinguished_name ]
> +O = IMA-CA
> +CN = IMA/EVM certificate signing key
> +emailAddress = ca@ima-ca
> +
> +[ v3_ca ]
> +basicConstraints=CA:TRUE
> +subjectKeyIdentifier=hash
> +authorityKeyIdentifier=keyid:always,issuer
> +# keyUsage = cRLSign, keyCertSign
With the INTEGRITY_CA_MACHINE_KEYRING_MAX Kconfig, keyCertSign is
required for loading keys onto the .machine keyring. Please uncomment
the above line.
> +__EOF
> +
> +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
Please update sha1 to sha256.
> + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
> + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
> +
> +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
> +
> diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh
> new file mode 100755
> index 0000000..735c665
> --- /dev/null
> +++ b/examples/ima-genkey-ecc.sh
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +
> +GENKEY=ima.genkey
> +
> +cat << __EOF__ >$GENKEY
> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +string_mask = utf8only
> +x509_extensions = v3_usr
> +
> +[ req_distinguished_name ]
> +O = `hostname`
> +CN = `whoami` signing key
> +emailAddress = `whoami`@`hostname`
> +
> +[ v3_usr ]
> +basicConstraints=critical,CA:FALSE
> +#basicConstraints=CA:FALSE
> +keyUsage=digitalSignature
> +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
In preparation for allowing only code signing keys on the IMA keyring,
please add "extendedKeyUsage=critical,codeSigning".
> +subjectKeyIdentifier=hash
> +authorityKeyIdentifier=keyid
> +#authorityKeyIdentifier=keyid,issuer
> +__EOF__
> +
> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
And similarly change sha1 to sha256 here.
> + -out csr_ima.pem -keyout privkey_ima.pem \
> + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
> +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
> + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
> + -outform DER -out x509_ima.der
> +
--
thanks,
Mimi
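The three requirements raised in this review (keyCertSign on the CA certificate, a critical codeSigning extendedKeyUsage on the signing certificate, SHA-256 instead of SHA-1) as a runnable generate-and-check script. This is an added example, not code from ima-evm-utils or from the patch: it assumes openssl is on PATH, keeps only the extensions under discussion (the subjectKeyIdentifier/authorityKeyIdentifier lines of the scripts are omitted), and the output directory, file names and the leaf subject are the example's own.

```shell
#!/bin/sh
# Added example (not part of the ima-evm-utils patches): build an EC CA and a
# CA-issued signing certificate with the review's settings, then verify them.
# Assumes openssl is installed; all files are written into the directory $1.
gen_ima_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat << __EOF__ > "$dir/ima.genkey"
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
[ v3_ca ]
basicConstraints=critical,CA:TRUE
keyUsage=critical,cRLSign,keyCertSign
[ v3_usr ]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=critical,codeSigning
__EOF__
    openssl req -new -x509 -nodes -utf8 -sha256 -days 3650 -batch -config "$dir/ima.genkey" \
        -out "$dir/ca.pem" -keyout "$dir/ca.priv" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 2>/dev/null || return 1
    openssl req -new -nodes -utf8 -sha256 -batch -config "$dir/ima.genkey" \
        -subj "/O=example-host/CN=ima signing key" -out "$dir/csr.pem" -keyout "$dir/leaf.priv" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 2>/dev/null || return 1
    # The digest given here, not the one on the req line, signs the certificate.
    openssl x509 -req -sha256 -in "$dir/csr.pem" -days 365 -extfile "$dir/ima.genkey" \
        -extensions v3_usr -CA "$dir/ca.pem" -CAkey "$dir/ca.priv" -CAcreateserial \
        -outform DER -out "$dir/leaf.der" 2>/dev/null
}
# check_ima_cert FILE PEM|DER ca|signing: print every property the role lacks
# in the decoded certificate and return non-zero if anything is missing.
check_ima_cert() {
    cert=$1; rc=0
    text=$(openssl x509 -inform "$2" -in "$1" -noout -text) || return 1
    need() { echo "$text" | grep -q "$1" || { echo "$cert: missing $1"; rc=1; }; }
    if [ "$3" = ca ]; then
        need 'CA:TRUE'; need 'Certificate Sign'
    else
        need 'CA:FALSE'; need 'Digital Signature'; need 'Code Signing'
    fi
    if echo "$text" | grep -qi 'Signature Algorithm:.*sha1'; then echo "$cert: signed with SHA-1"; rc=1; fi
    return $rc
}
```

Run `gen_ima_pki ./out`, then `check_ima_cert out/ca.pem PEM ca` and `check_ima_cert out/leaf.der DER signing`; checking either file against the other role lists what is missing and exits non-zero.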
* Re: [PATCH ima-evm-utils v2 2/2] examples: Add examples for elliptic curve key and certs generation
From: Stefan Berger @ 2023-04-26 14:20 UTC (permalink / raw)
To: Mimi Zohar, linux-integrity; +Cc: Eric Snowberg
On 4/26/23 09:58, Mimi Zohar wrote:
> In preparation for allowing only code signing keys on the IMA keyring,
> please add "extendedKeyUsage=critical,codeSigning".
>
>> +subjectKeyIdentifier=hash
>> +authorityKeyIdentifier=keyid
>> +#authorityKeyIdentifier=keyid,issuer
>> +__EOF__
>> +
>> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
>
> And similarly change sha1 to sha256 here.
Should we make all these changes first to the existing scripts for RSA keys?
* Re: [PATCH ima-evm-utils v2 2/2] examples: Add examples for elliptic curve key and certs generation
From: Mimi Zohar @ 2023-04-26 21:29 UTC (permalink / raw)
To: Stefan Berger, linux-integrity; +Cc: Eric Snowberg
On Wed, 2023-04-26 at 10:20 -0400, Stefan Berger wrote:
>
> On 4/26/23 09:58, Mimi Zohar wrote:
>
> > In preparation for allowing only code signing keys on the IMA keyring,
> > please add "extendedKeyUsage=critical,codeSigning".
> >
> >> +subjectKeyIdentifier=hash
> >> +authorityKeyIdentifier=keyid
> >> +#authorityKeyIdentifier=keyid,issuer
> >> +__EOF__
> >> +
> >> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
> >
> > And similarly change sha1 to sha256 here.
>
> Should we make all these changes first to the existing scripts for RSA keys?
Definitely.
Please also update the "doc_DATA" in Makefile.am to include the new
scripts.
--
thanks,
Mimi