| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
| |
modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot. However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother. While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
| |
Include what's required to have rpms be signed in the example section.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
|
|
|
|
|
|
|
| |
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
| |
rpm-integrity is required for RPM signing which is enabled by default.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
| |
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
|
|
|
|
|
|
| |
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
|
|
|
|
|
|
|
| |
Fix 32bit assembler errors:
| /tmp/ccJyZFtJ.s: Assembler messages:
| /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)'
| /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi'
...
| make[1]: *** [<builtin>: security_policy.o] Error 1
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
|
|
|
| |
Fix the error:
mok2verify.c:169:53: error: \
format '%lx' expects argument of type 'long unsigned int', \
but argument 3 has type 'grub_efi_status_t {aka int}' \
[-Werror=format=]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* rebase patches:
- keyutils_fix_library_install.patch
- keyutils-remove-m32-m64.patch
* append '-Wall' to CFLAGS for fixing:
.../recipe-sysroot/usr/include/features.h:376:4: error: \
#warning _FORTIFY_SOURCE requires compiling with \
optimization (-O) [-Werror=cpp]
* cleanup alternative targets, the *keyring*.7 files have been
removed from keyutils 1.5.10.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
| |
Fix warning:
WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
|
| |
* install 'packagegroup-tpm2-initramfs' of distro flag 'tpm2' is set
* install 'initrdscripts-ima' if distro flag 'ima' is set
* install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
| |
meta-oe layer split the udevrules for lvm2 into a new package.
Add lvm2-udevrules into cryptsetup RDEPENDS list.
Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
|
|
|
|
|
|
|
| |
The "${S}" is not used for kernel-initramfs and it will
cleanup the kernel source codes if it is specified to
${STAGING_KERNEL_DIR}, thus remove this definition.
Signed-off-by: Fupan Li <fupan.li@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
|
|
| |
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when openssl-tpm-engine lib is used on an unattended device, there is no
way to input TPM key password. So add this feature to support parse an
encrypted(AES algorithm) TPM key password from env.
The default decrypting AES password and salt is set in bb file.
When we create a TPM key(TSS format), generate a 8 bytes random data
as its password, and then we need to encrypt the password with the same
AES password and salt in bb file.
At last, we set a env as below:
export TPM_KEY_ENC_PW=xxxxxxxx
"xxxxxxxx" is the encrypted TPM key password for libtpm.so.
Signed-off-by: Meng Li <Meng.Li@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
| |
address (#14)
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
1. user key pub rpm package also could be created.
2. The latest bitbake could not support the d.getVar() function nest
call. Such as the following function call always return "None"
d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)
It caused the key-store-rpm-pubkey rpm package could not be created in
the latest oe-core project.
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
|
|
|
|
|
|
| |
* Add new layer for IDS support
* Add package mtree to provide basic IDS functions
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
| |
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
|
|
|
|
|
|
| |
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
| |
This definition should be placed in local.conf.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
| |
The previous cannot be handled by gpg v2 properly when importing it.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
|
|
| |
When the SIGNING_MODEL is set to "user", the signing-keys recipes will
run failed on the get_public_keys task. uks_rpm_keys_dir() function
could not return the right rpm_keys directory when the
SIGNING_MODEL is set to "user".
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
|
|
| |
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If "GPG_PATH" is set in the init script, then "signing-keys"
get_public_keys task will execute failed.
So the "GPG_PATH" directory would be created when "GPG_PATH" is set.
The do_get_public_keys failed to import gpg key error information is as following:
----------------------------------------------------------------------------------------
ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key
(layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
gpg: fatal: can't create directory
`tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.
The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
|
|
|
|
| |
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
|