summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* meta-signing-key: support to build key-store with modsign and extra system ↵Jia Zhang2017-11-213-6/+120
| | | | | | trusted key support Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* scripts/create-user-key-store.sh: support to generate the user keys for ↵Jia Zhang2017-11-211-0/+26
| | | | | | modsign and extra system trusted key Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* meta-signing-key: add the sample keys for modsign and extra system trusted keyJia Zhang2017-11-214-0/+94
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* meta-signing-key, meta-efi-secure-boot: Rework for dependenciesTom Rini2017-11-1611-1/+1
| | | | | | | | | | | | The content of meta-signing-key depends on a few recipes within meta-efi-secure-boot. However, meta-signing-key can be used without meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will also provide a more correct set of dependencies as we cannot say that both layers depend on eachother. While doing this, within meta-signing-key only depend on content from meta-efi-secure-boot if the efi-secure-boot DISTRO_FEATURE is set. Signed-off-by: Tom Rini <trini@konsulko.com>
* README updateTom Rini2017-11-161-0/+1
| | | | | | Include what's required to have rpms be signed in the example section. Signed-off-by: Tom Rini <trini@konsulko.com>
* initrdscripts: rename expected ima certificate (#28)Yunguo Wei2017-11-121-1/+1
| | | | | | | | evmctl is able to import DER format certificate only. Although *.crt doesn't mean its a PEM certificate, but *.der makes more sense. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* seloader: sync up with upstreamJia Zhang2017-10-271-1/+1
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* rpm: always include rpm-integrity.inc for RPM signingJia Zhang2017-10-271-1/+1
| | | | | | rpm-integrity is required for RPM signing which is enabled by default. Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* meta-integrity: fix build failure caused by 6aa83f98bJia Zhang2017-10-271-1/+1
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* shim: drop fallbackJia Zhang2017-10-277-148/+7
| | | | | | | | | shim will uninstall MOK Verify Protocol when launching fallack, implying it is impossible to get the instance of MOK Verify Protocol for SELoader. This behavior violates the original intention of introducing fallback. Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* rpm: only apply bbappend file when ima in DISTRO_FEATURES (#27)Kai2017-10-272-22/+23
| | | | | | | | | | Rename bbappend file of rpm and only include it when image in DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during do rootfs: | WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile: | [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long Signed-off-by: Kai Kang <kai.kang@windriver.com>
* shim: disable OVERRIDE_SECURITY_POLICY for 32bit target (#25)Wenzong Fan2017-09-301-1/+2
| | | | | | | | | | Fix 32bit assembler errors: | /tmp/ccJyZFtJ.s: Assembler messages: | /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)' | /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi' ... | make[1]: *** [<builtin>: security_policy.o] Error 1 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* grub-efi: fix build error with qemux86 (#24)Wenzong Fan2017-09-291-1/+1
| | | | | | | | | Fix the error: mok2verify.c:169:53: error: \ format '%lx' expects argument of type 'long unsigned int', \ but argument 3 has type 'grub_efi_status_t {aka int}' \ [-Werror=format=] Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* keyutils: update to 1.5.10 (#22)Wenzong Fan2017-09-273-49/+57
| | | | | | | | | | | | | | | * rebase patches: - keyutils_fix_library_install.patch - keyutils-remove-m32-m64.patch * append '-Wall' to CFLAGS for fixing: .../recipe-sysroot/usr/include/features.h:376:4: error: \ #warning _FORTIFY_SOURCE requires compiling with \ optimization (-O) [-Werror=cpp] * cleanup alternative targets, the *keyring*.7 files have been removed from keyutils 1.5.10. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* user-key-store.bbclass: add deploy_rpm_keys (#20)Wenzong Fan2017-09-251-0/+10
| | | | | | Fix warning: WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* Install packages if distro flag set (#21)Wenzong Fan2017-09-252-3/+3
| | | | | | | * install 'packagegroup-tpm2-initramfs' of distro flag 'tpm2' is set * install 'initrdscripts-ima' if distro flag 'ima' is set * install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* cryptsetup:add lvm2-udevrules into RDEPENDS (#19)WarrickJiang2017-09-251-1/+1
| | | | | | meta-oe layer split the udevrules for lvm2 into a new package. Add lvm2-udevrules into cryptsetup RDEPENDS list. Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
* kernel-initramfs: fix the issue rm kernel source codes (#18)fli2017-09-251-1/+0
| | | | | | | The "${S}" is not used for kernel-initramfs and it will cleanup the kernel source codes if it is specified to ${STAGING_KERNEL_DIR}, thus remove this definition. Signed-off-by: Fupan Li <fupan.li@windriver.com>
* meta-tpm2: clean up bootstrapJia Zhang2017-09-203-3/+3
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* Change the email address of MAINTAINERJia Zhang2017-09-201-1/+1
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* packagegroup-tpm: include tpm-quote-tools (#17)Wenzong Fan2017-09-121-0/+1
| | | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MITJia Zhang2017-09-0210-15/+10
| | | | | | | | ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM. This will become an error in the future. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* tpm : openssl-tpm-engine: parse an encrypted TPM key password from env (#15)limeng-linux2017-09-022-7/+285
| | | | | | | | | | | | | | when openssl-tpm-engine lib is used on an unattended device, there is no way to input TPM key password. So add this feature to support parse an encrypted(AES algorithm) TPM key password from env. The default decrypting AES password and salt is set in bb file. When we create a TPM key(TSS format), generate a 8 bytes random data as its password, and then we need to encrypt the password with the same AES password and salt in bb file. At last, we set a env as below: export TPM_KEY_ENC_PW=xxxxxxxx "xxxxxxxx" is the encrypted TPM key password for libtpm.so. Signed-off-by: Meng Li <Meng.Li@windriver.com>
* Update BB_HASHBASE_WHITELISTJia Zhang2017-09-012-3/+11
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* create-user-key-store.sh: Add arguments to specify gpg's key name and email ↵yunguowei2017-08-281-1/+27
| | | | | address (#14) Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-efi-secure-boot/README.md: document shim_cert as unusedJia Zhang2017-08-261-2/+4
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-ids: install packagegroup-ids if the feature ids configuredJia Zhang2017-08-243-1/+7
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* key-store: Fix two key-store-rpm-pubkey user key issues (#13)Guojian2017-08-241-5/+5
| | | | | | | | | | 1. user key pub rpm package also could be created. 2. The latest bitbake could not support the d.getVar() function nest call. Such as the following function call always return "None" d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True) It caused the key-store-rpm-pubkey rpm package could not be created in the latest oe-core project. Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* meta-ids: initial commit for IDS support (#11)Wenzong Fan2017-08-247-0/+157
| | | | | | * Add new layer for IDS support * Add package mtree to provide basic IDS functions Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)Wenzong Fan2017-08-241-0/+3
| | | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* sign_rpm_ext: make sure all target recipes are signedJia Zhang2017-08-242-24/+26
| | | | | | | | Placing the key import logic under signing-keys cannot ensure all target recipes are always signed. Instead, place it before do_package_write_rpm. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-integrity: remove INHERIT += "sign_rpm_ext"Jia Zhang2017-08-231-2/+0
| | | | | | This definition should be placed in local.conf. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* secure-core-image: install dnf by defaultJia Zhang2017-08-231-0/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* secure-core-image-initramfs: enlarge the max sizeJia Zhang2017-08-231-0/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-signing-key: replace the sample RPM signing keyJia Zhang2017-08-232-44/+83
| | | | | | The previous cannot be handled by gpg v2 properly when importing it. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* shim: sync up with upstreamJia Zhang2017-08-237-335/+22
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* Fix the user rpm sign key can not be found issue (#5)Guojian2017-08-221-4/+0
| | | | | | | | When the SIGNING_MODEL is set to "user", the signing-keys recipes will run failed on the get_public_keys task. uks_rpm_keys_dir() function could not return the right rpm_keys directory when the SIGNING_MODEL is set to "user". Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* signing-keys: fix the race condition when concurrent import operations occurJia Zhang2017-08-201-0/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-tpm: tss 1.x always depends on openssl 1.0.xJia Zhang2017-08-203-3/+3
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* encrypted-storage: use luks as the feature name for current implementationJia Zhang2017-08-2014-30/+29
| | | | | | | | encrypted-storage layer will include more security features about encrypted storage so the term "encrypted-storage" won't be used to specify a dedicated technology term such as "LUKS". Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* create-user-key-store.sh: support gpg 2.x used to generate rpm signing keyJia Zhang2017-08-201-18/+26
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failure due to wrong option positionJia Zhang2017-08-201-2/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: clean upJia Zhang2017-08-201-3/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: define the location of default gpg keyring to TMPDIRJia Zhang2017-08-201-1/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: fix permission warningJia Zhang2017-08-201-1/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failureJia Zhang2017-08-201-2/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext.bbclass: clean upJia Zhang2017-08-191-9/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)Guojian2017-08-191-8/+7
| | | | | | | | | | | | | | | If "GPG_PATH" is set in the init script, then "signing-keys" get_public_keys task will execute failed. So the "GPG_PATH" directory would be created when "GPG_PATH" is set. The do_get_public_keys failed to import gpg key error information is as following: ---------------------------------------------------------------------------------------- ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key (layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore): gpg: fatal: can't create directory `tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)Guojian2017-08-191-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The keyutils-doc package supply some same name man7 files with man-pages, it will cause the rpm package installation or upgrade failed. The keyutils-doc and man-pages rpm packages' transction check error information is as following: -------------------------------------------------------------------- Running transaction test Error: Transaction check error: file /usr/share/man/man7/keyrings.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/persistent-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/process-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/thread-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/user-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/user-session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* sign_rpm_ext.bbclass: use the default setting from meta-signing-keyJia Zhang2017-08-193-16/+5
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-05 20:02:38 +0000