| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
0005-tpm-openssl-tpm-engine-parse-an-encrypted-TPM-key-pa.patch to 0.5.0
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
change to a fork that is being maintained and that enabled openssl 1.1
Refresh patches
Drop one no longer needed
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport from meta-security
http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/commit/?id=3bae06e29b60d71177cb63ad0b85bc5c46f7a144
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
- Support openssl 1.1.x
- Fix compile warning
|tpm_extendpcr.c:55:4: warning: 'strncpy' specified bound 4096 equals
destination size [-Wstringop-truncation]
| strncpy(in_filename, aArg, PATH_MAX);
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
| |
- Use CCLD to build executable and library.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
The *_BASE_NAME was renamed to *_NAME in oe-core commit
f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b. So we also need to do the same
thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
| |
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
- Follow up the regular way to include header file.
- Use CCLD to build executable and library.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
Now cryptfs-tpm2 supports both TSS 1.x and 2.x API.
Please specify "TSS2_VER=1" in EXTRA_OEMAKE to support 1.x API.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
|
| |
|
|
|
|
| |
Refresh patch Build-DBX-by-default.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake efitools lib32-efitools
ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
(matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake seloader lib32-seloader
ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
After postinst was executed at do_rootfs successfully,
there will be no first boot to redo.
Since `229f4e9 package.bbclass: add support for
pkg_postinst_ontarget()' applied in oe-core, use
pkg_postinst_ontarget to instead.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
when configuring lvm2 without udev, lvm2-udevrules package is empty,
causing do_rootfs failure.
Error:
ERROR: wrlinux-image-glibc-std-1.0-r5 do_rootfs: Function failed: do_rootfs
Problem: conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-1.7.4-r0.corei7_64
Move lvm2-udevrules from RDEPEND to RRECOMMENDS could workaround the issue.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
| |
Bump up to the current top of libsign so that we can easily get a copy
of selsign that can be put into an SDK.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
| |
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
The --with-udevrulesdir configure option has been moved from tpm2-abrmd to
tpm2-tss in the code, therefore move its associated EXTRA_OECONF to suit.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
| |
tpm2-tss: 1.4.0 -> 2.0.0
tpm2-abrmd: 1.3.1 -> 2.0.1
tpm2-tools: 3.0.4 -> 3.1.1
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
In 59a9f43b899c ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream. However, rocko ships with an older version
of RPM and still needs these patches. Add conditional logic to apply
these patches only for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
| |
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi. Add in conditional logic to pass this only
for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
| |
As we also work with the 'rocko' release list that in our
LAYERSERIES_COMPAT.
Signed-off-by: Tom Rini <trini@konsulko.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/
Fix parsing error:
ERROR: No recipes available for:
meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV,
even if that recipe will not ultimately be used for a particular build.
Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of
the tpm2 recipes will cause the build to fail even if the _git versions are
not going to be built (which they won't be by default on account of their
DEFAULT_PREFERENCE being set to "-1").
This fix follows the same pattern as
https://github.com/sbabic/meta-swupdate/commit/721fcc89c53debcd6582bd1aa972f75297cf12e9
With this fix, the user can disable networking and successfully build the
non-_git versions of the tpm2 recipes. If the user wants to build the _git
versions, networking must be enabled. The build is expected to fail if the
user asks for the _git versions, but disables networking.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
| |
Specify -no-pie to override possible -pie default.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
parsed as true
|
| |
|
|
| |
This reverts commit 0bb383b60a8f61df2c4e078d34294e5ef996445b.
|
| |
|
|
|
|
|
| |
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.
Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
copy kernel p7b file
In commit 1c96c0d09614a3a692a8bee201e34694f26c436a, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
The latest git version has updated to use dl interface to load
the library of tpm2-abrmd, instead of linking it on compilation.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
| |
Use separate directories to store tpm2-abrmd.default for stable
and git version.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
| |
The default value of --with-systemdsystemunitdir with the prefix
"/usr" cannot be used to search tpm2-abrmd.service. In order to
fix this issue, explicitly set --with-systemdsystemunitdir as
before. In addition, place .perset to the dedicated system-preset
directory.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
| |
Replace tab with four spaces.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
In the latest git version of abrmd:
- the following option has been renamed:
--max-transient-objects -> --max-transients
- the following option has been removed:
--fail-on-loaded-trans
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-tools recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 3.0.3 to 3.0.4.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-abrmd recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 1.2.0 to 1.3.1.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Cleanup the tpm2-tss recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes in an include file.
Update release from 1.3.0 to 1.4.0.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
|
|
|
| |
As the initial support, linux-sgx-driver is integrated into this
layer. SDK and PSW will be provided soon.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
| |
In addition to the expected /dev/tpmX device nodes, newer Linux kernels now
also create /dev/tpmrmX nodes. This causes the daemon's startup script to
fail, meaning the abrmd daemon is not started automatically.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
|
| |
|
|
| |
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...
Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
