| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
- Follow up the regular way to include header file.
- Use CCLD to build executable and library.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
Now cryptfs-tpm2 supports both TSS 1.x and 2.x API.
Please specify "TSS2_VER=1" in EXTRA_OEMAKE to support 1.x API.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
| |
|
|
|
|
| |
Refresh patch Build-DBX-by-default.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake efitools lib32-efitools
ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
(matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake seloader lib32-seloader
ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
After postinst was executed at do_rootfs successfully,
there will be no first boot to redo.
Since `229f4e9 package.bbclass: add support for
pkg_postinst_ontarget()' applied in oe-core, use
pkg_postinst_ontarget to instead.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
when configuring lvm2 without udev, lvm2-udevrules package is empty,
causing do_rootfs failure.
Error:
ERROR: wrlinux-image-glibc-std-1.0-r5 do_rootfs: Function failed: do_rootfs
Problem: conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-1.7.4-r0.corei7_64
Move lvm2-udevrules from RDEPEND to RRECOMMENDS could workaround the issue.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
| |
Bump up to the current top of libsign so that we can easily get a copy
of selsign that can be put into an SDK.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
| |
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
The --with-udevrulesdir configure option has been moved from tpm2-abrmd to
tpm2-tss in the code, therefore move its associated EXTRA_OECONF to suit.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
| |
tpm2-tss: 1.4.0 -> 2.0.0
tpm2-abrmd: 1.3.1 -> 2.0.1
tpm2-tools: 3.0.4 -> 3.1.1
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
In 59a9f43b899c ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream. However, rocko ships with an older version
of RPM and still needs these patches. Add conditional logic to apply
these patches only for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
| |
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi. Add in conditional logic to pass this only
for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
As we also work with the 'rocko' release list that in our
LAYERSERIES_COMPAT.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/
Fix parsing error:
ERROR: No recipes available for:
meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV,
even if that recipe will not ultimately be used for a particular build.
Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of
the tpm2 recipes will cause the build to fail even if the _git versions are
not going to be built (which they won't be by default on account of their
DEFAULT_PREFERENCE being set to "-1").
This fix follows the same pattern as
https://github.com/sbabic/meta-swupdate/commit/721fcc89c53debcd6582bd1aa972f75297cf12e9
With this fix, the user can disable networking and successfully build the
non-_git versions of the tpm2 recipes. If the user wants to build the _git
versions, networking must be enabled. The build is expected to fail if the
user asks for the _git versions, but disables networking.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
| |
Specify -no-pie to override possible -pie default.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
parsed as true
|
| |
|
|
| |
This reverts commit 0bb383b60a8f61df2c4e078d34294e5ef996445b.
|
| |
|
|
|
|
|
| |
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.
Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
copy kernel p7b file
In commit 1c96c0d09614a3a692a8bee201e34694f26c436a, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
The latest git version has updated to use dl interface to load
the library of tpm2-abrmd, instead of linking it on compilation.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
Use separate directories to store tpm2-abrmd.default for stable
and git version.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
| |
The default value of --with-systemdsystemunitdir with the prefix
"/usr" cannot be used to search tpm2-abrmd.service. In order to
fix this issue, explicitly set --with-systemdsystemunitdir as
before. In addition, place .perset to the dedicated system-preset
directory.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
| |
Replace tab with four spaces.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In the latest git version of abrmd:
- the following option has been renamed:
--max-transient-objects -> --max-transients
- the following option has been removed:
--fail-on-loaded-trans
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-tools recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 3.0.3 to 3.0.4.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-abrmd recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 1.2.0 to 1.3.1.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-tss recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes in an include file.
Update release from 1.3.0 to 1.4.0.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
| |
As the initial support, linux-sgx-driver is integrated into this
layer. SDK and PSW will be provided soon.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
In addition to the expected /dev/tpmX device nodes, newer Linux kernels now
also create /dev/tpmrmX nodes. This causes the daemon's startup script to
fail, meaning the abrmd daemon is not started automatically.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...
Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
| |
Unify how the TPM2 recipes are named.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
| |
Unify how the TPM2 recipes are named.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
| |
see https://patchwork.openembedded.org/patch/140542/
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...
The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.
Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create. To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".
Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
| |
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
| |
|
|
|
|
|
|
| |
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
| |
We're missing a leading '-' when we combine pn and ima-privkey here,
add.
Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
