| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add support for verifying PKCS#7 signatures via MOK2 protocol to
multiboot2 command enabling one to load multiboot-capable kernels.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| | | |
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| |/ /
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| |\|
| |
| | |
grub-efi: fix uid contamination by host QA warning
|
| |/
|
|
|
|
|
|
|
| |
Fix the following QA issue:
WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183
chown to root for p7b file to fix uid contamination by host.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
|
| |\
| |
| | |
meta-signing-key/conf/layer.conf: use weak assignment for RPM_GPG_NAM…
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
RPM_GPG_PASSPHRASE
Use weak assignment for RPM_GPG_NAME and RPM_GPG_PASSPHRASE so these
values could be overridden in other conf files.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |/ |
|
| |
|
|
|
|
|
| |
The bb.build.FuncFailed had been removed in bitbake with commit
cfeffb602dd5319f071cd6bcf84139ec77f2d170. Use bb.fatal instead of it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot
set
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
The grub-efi has been upgraded to 2.04 in oe-core. Update the bbappend
and refresh patches to adapt it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
keyutils under meta-security have been moved to meta-openembeded by this commit
https://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b
and is higher version than keyutils, so remove this one
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After commit [5ef547b autoconf-archive: update to 2019.01.06]
applied in oe-core, there comes below error
when build tpm2-abrmd:
| NOTE: make -j 48
| Makefile:4381: *** missing separator. Stop.
So backport a patch from tpm2-abrmd upstream to fix
this failure.
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
After commit [5ef547b autoconf-archive: update to 2019.01.06]
applied in oe-core, there comes below error
when build tpm2-tss:
| NOTE: make -j 48
| Makefile:14636: *** missing separator. Stop.
So backport a patch from tpm2-tss upstream to fix
this failure.
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
util-linux:do_compile: 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 ->
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
bitbake-diffsigs --task util-linux do_compile --signature
9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
Rename util-linux_%.bbappend to util-linux-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 0477a93cf98bd2946320d90cadb54a0fc2c2c0df.
Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
rpm-native:do_configure: c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b ->
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
bitbake-diffsigs --task rpm-native do_configure --signature
c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
Revert the patch to fix it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix ima-inspect build failure:
$ bitbake ima-inspect
ERROR: Nothing PROVIDES 'tclap' (but
/build/poky/meta-secure-core/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb
DEPENDS on or otherwise requires it).
ERROR: Required build target 'ima-inspect' has no buildable providers.
Missing or unbuildable dependency chain was: ['ima-inspect', 'tclap']
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Backport patch to fix build error with gcc9 for option
"-Werror=address-of-packed-member"
MokManager.c: In function 'write_back_mok_list':
MokManager.c:1125:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1125 | if (CompareGuid(&(list[i].Type), &CertType) == 0)
| ^~~~~~~~~~~~~~~
MokManager.c:1147:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1147 | if (CompareGuid(&(list[i].Type), &CertType) == 0) {
| ^~~~~~~~~~~~~~~
MokManager.c: In function 'delete_cert':
MokManager.c:1188:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1188 | if (CompareGuid(&(mok[i].Type), &CertType) != 0)
| ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_hash_in_list':
MokManager.c:1239:20: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1239 | if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
| ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_keys':
MokManager.c:1410:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1410 | if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
<builtin>: recipe for target 'MokManager.o' failed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
...
|install: cannot stat 'tmp-glibc/deploy/images/intel-x86-64/secure-core-image-init
ramfs-intel-x86-64.cpio.gz': No such file or directory
...
Depends do_image_complete after required image generated
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run yocto-check-layer to check layer compliance of Yocto will report the
following error:
$ yocto-check-layer ../meta-secure-core/meta
INFO: Detected layers:
[snip]
INFO: test_readme (common.CommonCheckLayer)
INFO: ... FAIL
INFO: Traceback (most recent call last):
File "/buildarea/poky/scripts/lib/checklayer/cases/common.py", line 15, in test_readme
msg="Layer doesn't contains README file.")
AssertionError: False is not true : Layer doesn't contains README file.
[snip]
There is no need to create a new README for this layer. We just create a
symbolic link of README from the top-level.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
Third party programs including libimaevm fails to build with musl
due to a missing include in the public header. Add it.
The build with glibc is unaffected. Patch sent upstream.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
|
| |
|
|
|
|
|
|
|
|
| |
Several bug fixes were merged in 2.0.1 and 2.0.3, including the
following PRs that fix building tpm2-abrmd with the musl C library:
https://github.com/tpm2-software/tpm2-abrmd/pull/502
https://github.com/tpm2-software/tpm2-abrmd/pull/503
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the build errors with DEBUG_BUILD enabled:
grub-core/loader/linux.c: In function 'grub_initrd_load':
grub-core/loader/linux.c:326:10: error: 'err' may be used \
uninitialized in this function [-Werror=maybe-uninitialized]
In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
char *argv[], void *target)
{
[snip]
grub_err_t err;
[snip]
#ifdef GRUB_MACHINE_EFI
[snip]
err = grub_verify_file (argv[i]);
[snip]
#endif
[snip]
fail:
[snip]
return err;
}
If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:
qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.
Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set. We got the following error with
kernel-initramfs building:
ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'
Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code should be applied
only if the efi-secure-boot feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
| |
Use spaces consistently to indent do_install()
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In order to deploy our secure boot keys in DER format we need to use
openssl. This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign. Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.
Fixes: 92316d4b402b ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It shows warning when apply configure.ac-automake-error.patch:
| WARNING: mtree-1.0.3+gitAUTOINC+4f3e901aea-r0 do_patch:
| ...
| Details:
| Applying patch configure.ac-automake-error.patch
| patching file configure.ac
| Hunk #1 succeeded at 4 with fuzz 2 (offset -2 lines).
Update context of configure.ac-automake-error.patch to sync with current
mtree source codes.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
Generally speaking, for firmware to import PK/KEK/DB keys they need to
be in the binary "DER" format and typically have the "cer" file
extension. When deploying our keys, convert what we have to that format
and deploy as well for ease of use.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The following failure is shown during secure-core-image-initramfs:do_rootfs():
Error: Transaction check error:
file /proc conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64
file /sys conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64
So remove /sys and /proc as base-files has already provided them.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We have a bbappend file which enables plugins for rpm. We need to
ensure to also disable the inhibit plugin for rpm-native. Otherwise,
we get the following warning at rootfs time.
Unable to get systemd shutdown inhibition lock: Socket name too long
The inhibit plugin tries to inhibit shutdown during rpm operation. It
obviously makes no sense for rpm-native, as 1) we may not build on a
systemd based host and 2) the build process does not affect the package
management on host.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
| |
|
|
|
|
|
|
| |
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
| |
0005-tpm-openssl-tpm-engine-parse-an-encrypted-TPM-key-pa.patch to 0.5.0
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
change to a fork that is being maintained and that enabled openssl 1.1
Refresh patches
Drop one no longer needed
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport from meta-security
http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/commit/?id=3bae06e29b60d71177cb63ad0b85bc5c46f7a144
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
- Support openssl 1.1.x
- Fix compile warning
|tpm_extendpcr.c:55:4: warning: 'strncpy' specified bound 4096 equals
destination size [-Wstringop-truncation]
| strncpy(in_filename, aArg, PATH_MAX);
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
| |
- Use CCLD to build executable and library.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
The *_BASE_NAME was renamed to *_NAME in oe-core commit
f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b. So we also need to do the same
thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
