Commit message; Author; Age; Files; Lines
* grub-efi: split grub secure builtin option from GRUB_BUILDIN
  Author: Hongxu Jia; Age: 2022-03-15; Files: 1; Lines: -2/+3; Refs: HEAD, master

  Use variable GRUB_SECURE_BUILDIN to split the grub secure builtin option from GRUB_BUILDIN, then GRUB_BUILDIN will not contain the secure option for other grub-mkimage calls to create a non-secure grub even though secure boot is enabled.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>

* mtree: update LICENSE variant
  Author: Changqing Li; Age: 2022-02-20; Files: 1; Lines: -1/+1

  Fix warning:
  WARNING: QA Issue: mtree: No generic license file exists for: BSD in any provider [license-exists]

  Signed-off-by: Changqing Li <changqing.li@windriver.com>

* added newline
  Author: richard; Age: 2021-11-19; Files: 1; Lines: -1/+1

* changed init file from the secure-core-image-initramfs to not load an unencrypted rootfs when using full disk encryption.
  Author: richard; Age: 2021-11-19; Files: 2; Lines: -7/+15

* meta-secure-core: fix wrong operator combination
  Author: Yi Zhao; Age: 2021-11-18; Files: 6; Lines: -6/+6

  Operations like XXX:append += "YYY" are almost always wrong and this is a common mistake made in the metadata. Improve them to use the standard format.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* recipes: update SRC_URI branch and protocols
  Author: Yi Zhao; Age: 2021-11-15; Files: 17; Lines: -18/+18

  Update SRC_URIs using git to include branch=master if no branch is set and also to use protocol=https for github urls.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* rpm-native: disable audit plugin
  Author: Changqing Li; Age: 2021-11-12; Files: 1; Lines: -1/+1

  Enabling this plugin will cause a nondeterministic build: whether to build the audit plugin depends on whether libaudit exists on the host.

  Signed-off-by: Changqing Li <changqing.li@windriver.com>

* cryptfs-tpm2: upgrade to latest git rev
  Author: Yi Zhao; Age: 2021-11-12; Files: 3; Lines: -83/+1

  Drop backported patches.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* tpm2-tools: upgrade 4.1.3 -> 4.3.2
  Author: Yi Zhao; Age: 2021-11-12; Files: 2; Lines: -57/+3

    * Drop backported CVE patch.
    * License-Update: Add Copyrights and move it to doc directory.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* tpm2-abrmd: upgrade 2.3.2 -> 2.3.3
  Author: Yi Zhao; Age: 2021-11-12; Files: 1; Lines: -1/+1

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* tpm2-tss: backport fixes for openssl 3.0
  Author: Yi Zhao; Age: 2021-11-12; Files: 4; Lines: -1/+1307

  Backport 3 patches from master branch for openssl 3.0:
  https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0
  https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5
  https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* tpm2-tss: upgrade 2.3.3 -> 2.4.6
  Author: Yi Zhao; Age: 2021-11-12; Files: 1; Lines: -2/+3

  Add PACKAGECONFIG[fapi] to enable/disable FAPI.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* grub-efi: Remove $cmdpath from configuration for grub-mkimage
  Author: Peter Hatina; Age: 2021-10-29; Files: 1; Lines: -1/+1

  Signed-off-by: Peter Hatina <peter@hatina.eu>

* efitools: fix openssl.cnf path for openssl 3.0
  Author: Yi Zhao; Age: 2021-10-21; Files: 2; Lines: -14/+19

  Fix the openssl.cnf path for openssl 3.0 to make sure the openssl command can find it.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* tpm2-tools: fix build with openssl 3.0
  Author: Yi Zhao; Age: 2021-10-21; Files: 2; Lines: -0/+35

  Backport a patch to disable '-Werror' to fix the build error until upstream addresses the openssl 3.0 compatibility issue.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* sbsigntool: fix openssl-3.0 issue involving ASN1_ITEM TYPE_it
  Author: Yi Zhao; Age: 2021-10-21; Files: 2; Lines: -0/+42

  Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.

  Openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is available. This change should have been transparent to the application, but only if the `ASN1_ITEM_rptr()` macro is used.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: fix build with openssl 3.0
  Author: Yi Zhao; Age: 2021-10-21; Files: 2; Lines: -0/+32

  Disable '-Werror' to prevent openssl 3.0 deprecation warnings turning into errors until upstream addresses the openssl 3.0 compatibility issue.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: fix commented-out override syntax
  Author: Yi Zhao; Age: 2021-08-26; Files: 1; Lines: -2/+2

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* trousers: fix init script with multi-tpm systems
  Author: Mathieu Dubois-Briand; Age: 2021-08-21; Files: 1; Lines: -1/+1

  Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>

* cryptfs-tpm2: fix encrypt_secret.py for python3
  Author: Yi Zhao; Age: 2021-08-20; Files: 2; Lines: -0/+57

  Fixes:
  encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
  ERROR: Unable to encrypt the secret

  Suggested-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* libsign: fix LDFLAGS expansion
  Author: Yi Zhao; Age: 2021-08-20; Files: 2; Lines: -0/+41

  When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map will be prefixed with -Wl, which will cause a compilation error:
  ld: -f may not be used without -shared

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* libsign: fix build reproducibility issue
  Author: Yi Zhao; Age: 2021-08-20; Files: 2; Lines: -0/+40

  Fixes:
  | selsign.c: In function 'show_banner':
  | selsign.c:57:62: error: macro "__DATE__" might prevent reproducible builds [-Werror=date-time]
  |    57 |     info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
  |       |                                                              ^
  | selsign.c:57:34: error: macro "__TIME__" might prevent reproducible builds [-Werror=date-time]
  |    57 |     info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
  |       |                                  ^~~~~~~~
  | cc1: all warnings being treated as errors

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* cryptfs-tpm2: fix LDFLAGS expansion
  Author: Yi Zhao; Age: 2021-08-20; Files: 2; Lines: -0/+44

  When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map will be prefixed with -Wl, which will cause a compilation error:
  ld: -f may not be used without -shared

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* README: fix typos
  Author: Yi Zhao; Age: 2021-08-20; Files: 1; Lines: -7/+7

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* layer.conf: add back append to BB_HASHBASE_WHITELIST
  Author: Chen Qi; Age: 2021-08-16; Files: 2; Lines: -2/+2

  Add back the append override, as the '+=' operator will make the default value of BB_HASHBASE_WHITELIST in oe-core not have any effect.

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
* README: update
  Author: Yi Zhao; Age: 2021-08-09; Files: 1; Lines: -2/+1

  The image-prelink feature has been disabled by default in oe-core commit f9719cc1c3fe9d380336e7af418daf27473b2e8b. We don't need to remove it explicitly in local.conf.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* secure-core-image: pass encrypted password rather than plaintext password to usermod
  Author: Yi Zhao; Age: 2021-08-09; Files: 1; Lines: -1/+2

  In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the plaintext password setting function was dropped because of the security issue. So the plaintext password setting method "usermod -P 'password' user" is not available. Now we should pass the encrypted password to usermod via the -p option.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* layer.conf: add honister to LAYERSERIES_COMPAT
  Author: Yi Zhao; Age: 2021-08-09; Files: 9; Lines: -9/+9

  Drop other releases since they are not compatible anymore.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* meta-secure-core: Convert to new override syntax
  Author: Yi Zhao; Age: 2021-08-09; Files: 56; Lines: -202/+202

  Converting the metadata to use ":" as the override character instead of "_".

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* cryptfs-tpm2: fix build reproducibility issue
  Author: Yi Zhao; Age: 2021-08-09; Files: 2; Lines: -0/+59

  Fixes:
  | main.c: In function 'show_banner':
  | main.c:43:62: error: macro "__DATE__" might prevent reproducible builds [-Werror=date-time]
  |    43 |     info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
  |       |                                                              ^
  | main.c:43:34: error: macro "__TIME__" might prevent reproducible builds [-Werror=date-time]
  |    43 |     info_cont("Build Time: " __DATE__ " " __TIME__ "\n\n");
  |       |                                  ^~~~~~~~
  | cc1: all warnings being treated as errors

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* shim_git: fix the do_fetch warning
  Author: Mingli Yu; Age: 2021-07-29; Files: 1; Lines: -1/+1

  Fixes:
  WARNING: shim-12+gitAUTOINC+5202f80c32-r0 do_fetch: Failed to fetch URL git://github.com/rhboot/shim.git, attempting MIRRORS if available

  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>

* sbsigntool: update PV
  Author: Yi Zhao; Age: 2021-07-07; Files: 1; Lines: -1/+1

  The current latest version is 0.9.4 rather than 0.9.2.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: fix compile error when enabling DEBUG_BUILD
  Author: Yi Zhao; Age: 2021-07-07; Files: 2; Lines: -2/+44

  Fixes the following errors when DEBUG_BUILD = "1" is set:
  fileio.c: In function ‘__fileio_read_file’:
  fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
    179 |   *out_len = len;
        |   ~~~~~~~~~^~~~~
  fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
    178 |   *out_buf = buf;
        |   ~~~~~~~~~^~~~~

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: Fix for target build
  Author: Robert Yang; Age: 2021-07-07; Files: 2; Lines: -3/+37

    * Remove unnecessary inherit native
      This is a target recipe, the "inherit native" is not needed, the sbsigntool-native is extended by BBCLASSEXTEND which is already present.
      Fixed when multilib is enabled:
      $ bitbake lib32-sbsigntool
      ERROR: Nothing PROVIDES 'lib32-sbsigntool'.
    * Add util-linux-libuuid to DEPENDS since it is required by target build
    * Add read_write_all.c to common_SOURCES to fix build errors.

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>

* tpm2-tools: fix CVE-2021-3565
  Author: Yi Zhao; Age: 2021-07-07; Files: 2; Lines: -0/+54

  CVE-2021-3565: A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2021-3565

  Patch from:
  https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* create-user-key-store.sh: use grub2-mkpasswd-pbkdf2 rather than grub-mkpasswd-pbkdf2 on RHEL/CentOS/Fedora
  Author: Yi Zhao; Age: 2021-06-11; Files: 1; Lines: -1/+5

  On RHEL/CentOS/Fedora, there is no grub-mkpasswd-pbkdf2 command but grub2-mkpasswd-pbkdf2. Update the script to locate the appropriate command.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* prevent contaminating the cache with embedded cfg
  Author: jbouchard; Age: 2021-05-01; Files: 1; Lines: -0/+2

* layer.conf: add hardknott to LAYERSERIES_COMPAT
  Author: Yi Zhao; Age: 2021-04-21; Files: 9; Lines: -9/+9

  Remove other releases since they are not compatible anymore.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* grub: disable inside lockdown and shim_lock verifiers
  Author: Yi Zhao; Age: 2021-04-21; Files: 2; Lines: -0/+48

  The lockdown support[1] and secure boot detection[2] have been added to grub 2.06. These verifiers are registered when UEFI Secure Boot is enabled. Unfortunately, they conflict with the current MOK2 Verify mechanism. So disable them.

  Fixes grub error:
  error: failed to verify kernel /bzImage

  [1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
  [2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* Revert "user-key-store.bbclass: Kill gpg agent daemon after gpg sign"
  Author: Liwei Song; Age: 2021-04-21; Files: 1; Lines: -4/+0

  This reverts commit fc8969af8a34ff93ede7d44a492750446154d950.

  In a parallel build this will lead to a sign error because the gpg-agent in use may be killed in another task.

  Signed-off-by: Liwei Song <liwei.song@windriver.com>
* linux-yocto-efi-secure-boot.inc: fix rerun failure
  Author: Kai Kang; Age: 2021-04-21; Files: 1; Lines: -1/+4

  Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH changes, it fails to rerun the task:
  | Exception: FileExistsError: [Errno 17] File exists:
  | 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'

  Remove the link file before creating it if it already exists.

  Signed-off-by: Kai Kang <kai.kang@windriver.com>

* meta-signing-key user-key-store.bbclass: don't req tools from efi-secure-boot
  Author: Mark Hatle; Age: 2021-04-21; Files: 1; Lines: -2/+2

  If the efi-secure-boot distro flag has not been set, then do not require the sbsigntool, libsign and efitools.

  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>

* grub-efi: enable secure-boot support only for target builds
  Author: Ovidiu Panait; Age: 2021-04-04; Files: 1; Lines: -4/+5

  grub-efi-native does not benefit from the extra code/modules that get built for secure-boot support, it just increases the build time of the package. Therefore, mark all secure-boot related procedures in the recipe for class-target only.

  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>

* grub: Drop useless insmod verify from cfg
  Author: Alexandru Avadanii; Age: 2021-03-29; Files: 1; Lines: -6/+2

  - the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
  - the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set, so there's no need to call insmod;

  While at it, remove some unnecessary code duplication.

  Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>

* kernel-initramfs: Fix leftover p7b reference
  Author: Alexandru Avadanii; Age: 2021-03-26; Files: 1; Lines: -1/+1

  p7b was replaced by the ${SB_FILE_EXT} variable, but one reference was omitted during the rework.

  Fixes: 31d2105b

  Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
* grub-efi: refresh patches for grub 2.06
  Author: Yi Zhao; Age: 2021-03-24; Files: 5; Lines: -84/+52

  Rebase patch:
  0001-grub-verify-Add-strict_security-variable.patch
  Grub-get-and-set-efi-variables.patch
  mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch

  Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch since it has been merged upstream.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* grub-efi: update the bbappend file name
  Author: Chen Qi; Age: 2021-03-24; Files: 1; Lines: -0/+0

  oe-core now uses the git version for grub-efi, so we'd better use the '%' wildcard for the bbappend file name.

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>

* sbsigntool: fix compile error when enabling DEBUG_BUILD
  Author: Yi Zhao; Age: 2021-03-24; Files: 1; Lines: -0/+2

  Fixes the following error when DEBUG_BUILD = "1" is set:
  fileio.c: In function ‘__fileio_read_file’:
  fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
    179 |   *out_len = len;
        |   ~~~~~~~~~^~~~~
  fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
    178 |   *out_buf = buf;
        |   ~~~~~~~~~^~~~~
  cc1: all warnings being treated as errors

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: specify TMPDIR
  Author: Joe Slater; Age: 2021-03-24; Files: 1; Lines: -1/+1

  There is a build error if the /tmp directory is mounted with the noexec option:
  lib/ccan.git/tools/create-ccan-tree: line 130: /tmp/tmp.MSe2mg2hM5/ccan_depends: Permission denied

  Specify a local TMPDIR to fix it.

  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

* sbsigntool: Fix compilation when gnu-efi is missing and re-add patches
  Author: Ilias Apalodimas; Age: 2021-03-14; Files: 11; Lines: -380/+144

  commit fa5550d97de6("sbsigntool: Update to latest and change repos") tried to fix compilation for arm architectures. Due to the changes in the upstream package though, host gnu-efi was required to compile the package. Also that commit removed a useful commit (-x support on sbsigntool), which I mistakenly remembered as already upstreamed.

  So fix the gnu-efi error and fix up the useful patch to keep the existing functionality. The old package was also depending on binutils-dev being installed on the host. Fix that and depend on binutils-native.

  While at it purge the unused patches.

  Fixes: commit fa5550d97de6("sbsigntool: Update to latest and change repos")

  Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>