| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
| |
Unify how the TPM2 recipes are named.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
|
|
|
|
|
| |
see https://patchwork.openembedded.org/patch/140542/
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...
The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.
Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create. To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".
Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
| |
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
| |
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
|
|
|
|
|
| |
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
We're missing a leading '-' when we combine pn and ima-privkey here,
add.
Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
| |
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
|
|
|
|
|
|
| |
Refresh the following patches:
0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
Grub-get-and-set-efi-variables.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
to test if the files exist anymore. And when signing, we can sign all
of them now.
- Add some python to do_package to update all of the ALTERNATIVES
variables dynamically based on how we're configured. This introduces
an alternative for the initramfs portion as well so there is a stable
name.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- In all cases, when building Linux apps (and thus linking with gcc) we
need to pass in the normal set of LDFLAGS for both rpath and link hash
type.
- Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI
apps (and thus linking with ld) we don't need to pass in other special
flags. When linking the "openssl" apps we do not need to spell out
the crtN files as gcc handles that for us, they are normal Linux apps.
Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.
With all of these changes we are now able to reuse sstate cache between
build directories.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
Our "init" script requires additional directories to exist and since we
don't pull in something like base-files that gives us a full layout we
must make these additional directories on our own.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
|
| |
- You must ensure that RPM is used in PACKAGE_CLASSES.
- We need to remove image-prelink from USER_CLASSES. Prelinking the
image at creation time (as happens on x86/x86_64) will result in the
IMA hash of files changing from the recorded signature and
verification will fail.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
|
| |
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
|
|
|
|
| |
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
|
|
|
|
|
|
| |
The sources require that we have pkgconfig support as well, add missing
inherit.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
| |
base_read_file has been removed from oe-core so use the
replacement function oe.utils.read_file.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
|
|
|
|
|
|
| |
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
|
|
|
|
|
|
|
|
| |
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
| |
The kernel module will be stripped during do_package, including the
modsign signature.
Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
| |
trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
| |
modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot. However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother. While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
| |
Include what's required to have rpms be signed in the example section.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
| |
rpm-integrity is required for RPM signing which is enabled by default.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
| |
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
|
| |
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
|
|
|
|
|
|
|
| |
Fix 32bit assembler errors:
| /tmp/ccJyZFtJ.s: Assembler messages:
| /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)'
| /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi'
...
| make[1]: *** [<builtin>: security_policy.o] Error 1
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|