| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Use variable GRUB_SECURE_BUILDIN to split grub secure
builtin option from GRUB_BUILDIN, then GRUB_BUILDIN will
not contain secure option for others grub-mkimage to
create no secure grub even though secure boot is enabled
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
|
|
|
|
|
| |
Fix warning:
WARNING: QA Issue: mtree: No generic license file exists for: BSD in any provider [license-exists]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| |
|
|
|
|
| |
unencrypted rootfs when using full disk encryption.
|
|
|
|
|
|
|
|
| |
Operations like XXX:append += "YYY" are almost always wrong and this
is a common mistake made in the metadata. Improve them to use the
standard format.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
enable this plugin will cause undeterministic build. whether to build
audit plugin depends on whether libaudit exists on the host
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
|
|
|
|
|
| |
Drop backported patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
* Drop backported CVE patch.
* License-Update: Add Copyrights and move it to doc directory.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
| |
Backport 3 patches from master branch for openssl 3.0:
https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0
https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5
https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
| |
Add PACKAGECONFIG[fapi] to enable/disable FAPI.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Peter Hatina <peter@hatina.eu>
|
|
|
|
|
|
|
| |
Fix openssl.cnf path for openssl 3.0 to make sure openssl command can
find it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
Backport a patch to disable '-Werror' to fix build error until upstream
addresses openssl 3.0 compatibility issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
Openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it`
to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
available. This change should have been transparent to the application,
but only if the `ASN1_ITEM_rptr()` macro is used.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
Disable '-Werror' to prevent openssl 3.0 deprecation warnings turning
into errors until upstream addresses openssl 3.0 compatibility issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
|
|
|
|
|
|
|
|
|
| |
Fixes:
encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
ERROR: Unable to encrypt the secret
Suggested-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
| |
When LDFLAGS expands, The -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
| selsign.c: In function 'show_banner':
| selsign.c:57:62: error: macro "__DATE__" might prevent reproducible builds [-Werror=date-time]
| 57 | info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
| | ^
| selsign.c:57:34: error: macro "__TIME__" might prevent reproducible builds [-Werror=date-time]
| 57 | info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
| | ^~~~~~~~
| cc1: all warnings being treated as errors
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
| |
When LDFLAGS expands, The -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
| |
Add back the append override, as the '+=' operator will make the
default value of BB_HASHBASE_WHITELIST in oe-core not have any
effect.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
|
|
|
|
|
|
|
| |
The image-prelink feature has been disabled by default in oe-core commit
f9719cc1c3fe9d380336e7af418daf27473b2e8b. We don't need to remove it
explicitly in local.conf.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
usermod
In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the
plaintext password setting function was dropped because of the security
issue. So the plaintext password setting method "usermod -P 'password'
user" is not available. Now we should pass the encrypted password to
usermod via -p option.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
| |
Drop other releases since they are not compatible anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
| |
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
| main.c: In function 'show_banner':
| main.c:43:62: error: macro "__DATE__" might prevent reproducible builds [-Werror=date-time]
| 43 | info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
| | ^
| main.c:43:34: error: macro "__TIME__" might prevent reproducible builds [-Werror=date-time]
| 43 | info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
| | ^~~~~~~~
| cc1: all warnings being treated as errors
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
Fixes:
WARNING: shim-12+gitAUTOINC+5202f80c32-r0 do_fetch: Failed to fetch URL git://github.com/rhboot/shim.git, attempting MIRRORS if available
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
|
|
|
|
|
|
| |
The current latest version is 0.9.4 rather than 0.9.2.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following errors when set DEBUG_BUILD = "1":
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove unnecessary inherit native
This is a target recipe, the "inherit native" is not needed, the
sbsigntool-native is extended by BBCLASSEXTEND which is already present.
Fixed when multilib is enabled:
$ bitbake lib32-sbsigntool
ERROR: Nothing PROVIDES 'lib32-sbsigntool'.
* Add util-linux-libuuid to DEPENDS since it is required by target build
* Add read_write_all.c to common_SOURCES to fix build errors.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2021-3565:
A flaw was found in tpm2-tools in versions before 5.1.1 and before
4.3.2. tpm2_import used a fixed AES key for the inner wrapper,
potentially allowing a MITM attacker to unwrap the inner portion and
reveal the key being imported. The highest threat from this
vulnerability is to data confidentiality.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3565
Patch from:
https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
| |
grub-mkpasswd-pbkdf2 on RHEL/CentOS/Fedora
On RHEL/CentOS/Fedora, there is no grub-mkpasswd-pbkdf2 command but
grub2-mkpasswd-pbkdf2. Update the script to locate the appropriate
command.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
Remove other releases since they are not compatible anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The lockdown support[1] and secure boot detection[2] have been added to
grub 2.06. These verifiers are registered when UEFI Secure Boot is
enabled. Unfortunately, they conflict with the current MOK2 Verify
mechanism. So disable them.
Fixes grub error:
error: failed to verify kernel /bzImage
[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
| |
This reverts commit fc8969af8a34ff93ede7d44a492750446154d950.
In parallel build this will led sign error because the gpg-agent
in using maybe killed in another task.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:
| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'
Remove the link file before create it if exists already.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
|
|
|
|
|
|
|
| |
If efi-secure-boot distro flag has not been set, then do not require the
sbsigntool, libsign and efitools.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
|
|
|
|
|
|
|
| |
grub-efi-native does not benefit from the extra code/modules that get built for
secure-boot support, it just increases the build time of the package.
Therefore, mark all secure-boot related procedures in the recipe for
class-target only.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
|
|
|
|
|
|
|
|
|
|
| |
- the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
- the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set,
so there's no need to call insmod;
While at it, remove some unnecessary code duplication.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
|
|
|
|
|
|
|
|
| |
p7b was replaced by the ${SB_FILE_EXT} variable, but one reference
was omitted during the rework.
Fixes: 31d2105b
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
| |
oe-core now uses the git version for grub-efi, so we'd better to
use the '%' wildcard for the bbappend file name.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following error when set DEBUG_BUILD = "1":
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
cc1: all warnings being treated as errors
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a build error if the /tmp directory is mounted with noexec
option:
lib/ccan.git/tools/create-ccan-tree: line 130: /tmp/tmp.MSe2mg2hM5/ccan_depends: Permission denied
Specify a local TMPDIR to fix it.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit fa5550d97de6("sbsigntool: Update to latest and change repos")
tried to fix compilation for arm architectures.
Due to the changes in the upstream package though host gnu-efi was
required to compile the package. Also that commit removed a useful
commit (-x support on sbsigntool), which I mistakenly remembered it was
already upstreamed.
So fix the gnu-efi error and fixup the useful patch to keep the
existring functionality. The old package was also depending on
binutils-dev being installed on the host. Fix that and depend on
binutils-native.
While at it purge the unused patches.
Fixes: commit fa5550d97de6("sbsigntool: Update to latest and change repos")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|