From aff5532ca38731edb5c8b9f1d4c212bb1729d14b Mon Sep 17 00:00:00 2001 From: rocky Date: Wed, 13 Nov 2024 13:58:39 +0800 Subject: [PATCH] =?UTF-8?q?add=20=E6=96=87=E4=BB=B6=E5=AE=8C=E6=95=B4?= =?UTF-8?q?=E6=80=A7=E4=BF=9D=E6=8A=A4.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...264\346\200\247\344\277\235\346\212\244.md" | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git "a/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" "b/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" index ba5628edf..208e9df00 100644 --- "a/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" +++ "b/docs/zh/docs/ShangMi/\346\226\207\344\273\266\345\256\214\346\225\264\346\200\247\344\277\235\346\212\244.md" @@ -24,8 +24,20 @@ IMA全称Integrity Measurement Architecture,是Linux内核提供的强制访 # 生成SM2证书 # openssl x509 -req -days 3650 -extfile ima.cfg -signkey ima.key -in ima.csr -out ima.crt ``` - -4. 将根证书放置到内核源码目录,并修改内核编译选项CONFIG_SYSTEM_TRUSTED_KEYS,将指定证书编译到内核TRUSTED密钥中(仅评估模式涉及): +4. 生成IMA二级证书: + # 创建证书配置文件 + echo 'subjectKeyIdentifier=hash' > ima.cfg + echo 'authorityKeyIdentifier=keyid,issuer' >> ima.cfg + # 生成私钥 + openssl ecparam -genkey -name SM2 -out ima.key + # 生成签名请求 + openssl req -new -sm3 -key ima.key -out ima.csr + # 基于一级证书生成二级证书 + openssl x509 -req -sm3 -CAcreateserial -CA ca.crt -CAkey ca.key -extfile ima.cfg -in ima.csr -out ima.crt + # 转换为DER格式 + openssl x509 -outform DER -in ima.crt -out x509_ima.der0 + +5. 将根证书放置到内核源码目录,并修改内核编译选项CONFIG_SYSTEM_TRUSTED_KEYS,将指定证书编译到内核TRUSTED密钥中(仅评估模式涉及): ```sh # cp /path/to/ima.crt . @@ -34,7 +46,7 @@ IMA全称Integrity Measurement Architecture,是Linux内核提供的强制访 CONFIG_SYSTEM_TRUSTED_KEYS="ima.crt" ``` -5. 编译并安装内核(仅评估模式涉及): +6. 编译并安装内核(仅评估模式涉及): ```sh make -j64 -- Gitee
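Review bot: In the first hunk (`@@ -24,8 +24,20 @@`), the new step 4 writes `ima.cfg`, `ima.key`, `ima.csr` and `ima.crt`, the same file names that the self-signed command in the context just above (`-signkey ima.key -in ima.csr -out ima.crt`) already produces, so following the steps in order overwrites the earlier key and certificate. The step also signs with `ca.crt` and `ca.key`, which nothing visible in this hunk creates. Either the preceding step should be changed to generate the first-level `ca.key`/`ca.crt`, or the new step should use distinct file names. Three smaller points on the same added lines: the `openssl x509 -req ... -CA ca.crt` command has no `-days`, so the second-level certificate gets OpenSSL's default 30-day validity while the command above uses `-days 3650`; the DER output name `x509_ima.der0` looks like a typo for `x509_ima.der`; and the commands are not wrapped in a sh code fence like the neighbouring steps, so the `#` comment lines will render as Markdown headings. The blank line after the closing fence that precedes step 4 was also dropped.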
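Review bot: In the second hunk (`@@ -34,7 +46,7 @@`), the unchanged context still sets `CONFIG_SYSTEM_TRUSTED_KEYS="ima.crt"` and the step's command copies `/path/to/ima.crt`, but the step text says the root certificate is what gets built into the kernel, and after this patch `ima.crt` is the second-level certificate issued by `ca.crt`. If the intent is to trust the first-level certificate, the copy command and the config value should name `ca.crt`; if the intent is to embed the second-level certificate, the step text should say so. The renumbering of the build step from 5 to 6 is consistent with the inserted step.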