Commit log. Each entry gives the commit message followed by the author, date, number of files changed and lines removed/added.
* layer.conf: Mark as compatible with rocko (Tom Rini, 2018-07-25, 9 files, -9/+9)
  As we also work with the 'rocko' release list that in our LAYERSERIES_COMPAT.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Include secure-core for kernel-initramfs.bb (Mark Hatle, 2018-07-18, 1 file, -0/+1)
  The kernel-initramfs.bbappend depends on kernel-initramfs.bb in meta-secure-core/meta/recipes-core/images/

  Fix parsing error:
  ERROR: No recipes available for: meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend

  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* seloader: Update to 0.4.6 (Jia Zhang, 2018-07-17, 1 file, -2/+2)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2 git AUTOREV fix for BB_NO_NETWORK (Trevor Woerner, 2018-07-10, 3 files, -3/+21)
  Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV, even if that recipe will not ultimately be used for a particular build. Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of the tpm2 recipes will cause the build to fail even if the _git versions are not going to be built (which they won't be by default on account of their DEFAULT_PREFERENCE being set to "-1").

  This fix follows the same pattern as https://github.com/sbabic/meta-swupdate/commit/721fcc89c53debcd6582bd1aa972f75297cf12e9

  With this fix, the user can disable networking and successfully build the non-_git versions of the tpm2 recipes. If the user wants to build the _git versions, networking must be enabled. The build is expected to fail if the user asks for the _git versions, but disables networking.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* util-linux: allow -static linking for switch_root.static (Joe Slater, 2018-07-06, 1 file, -1/+3)
  Specify -no-pie to override possible -pie default.

  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Fix parsing bug where SYSTEM_TRUSTED and SECONDARY_TRUSTED were always parsed as true (fraser, 2018-06-29, 1 file, -2/+2)
* Revert "tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc" (Trevor Woerner, 2018-06-26, 5 files, -9/+18)
  This reverts commit 0bb383b60a8f61df2c4e078d34294e5ef996445b.
* Add root parameter configuration in boot command line. (Jinliang Li, 2018-06-26, 2 files, -0/+10)
  It is helpful when secure boot is enabled, because you cannot modify the boot command line after boot-menu.inc is signed before deploying.

  Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
* linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to copy kernel p7b file (Yi Zhao, 2018-06-20, 1 file, -1/+1)
  In commit 1c96c0d09614a3a692a8bee201e34694f26c436a, the kernel p7b file is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in do_deploy(), it still tries to copy the p7b file from ${B}/${KERNEL_OUTPUT_DIR}/ to ${DEPLOYDIR}/. Use shutil.copyfile instead of shutil.move to fix this issue.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* linux-yocto-efi-secure-boot: fix typo (Yi Zhao, 2018-06-20, 1 file, -1/+1)
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* cryptfs-tpm2: update to 0.6.3 (Jia Zhang, 2018-06-16, 1 file, -2/+2)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-tools: refresh the dlopen patch for 3.0.4 (Jia Zhang, 2018-06-16, 2 files, -1/+81)
  The latest git version has updated to use the dl interface to load the library of tpm2-abrmd, instead of linking it on compilation.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc (Jia Zhang, 2018-06-16, 5 files, -18/+9)
  Use separate directories to store tpm2-abrmd.default for stable and git version.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-abrmd: code style cleanup (Jia Zhang, 2018-06-16, 2 files, -10/+10)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-abrmd: Fix missing tpm2-abrmd.service (Jia Zhang, 2018-06-16, 1 file, -1/+7)
  The default value of --with-systemdsystemunitdir with the prefix "/usr" cannot be used to search tpm2-abrmd.service. In order to fix this issue, explicitly set --with-systemdsystemunitdir as before.

  In addition, place .preset in the dedicated system-preset directory.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-tss: code style cleanup (Jia Zhang, 2018-06-16, 1 file, -36/+36)
  Replace tab with four spaces.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-abrmd: update daemon cmdline options (Trevor Woerner, 2018-06-15, 4 files, -11/+25)
  In the latest git version of abrmd:
  - the following option has been renamed: --max-transient-objects -> --max-transients
  - the following option has been removed: --fail-on-loaded-trans

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* tpm2-tools: cleanup and update (Trevor Woerner, 2018-06-15, 4 files, -97/+32)
  Cleanup the tpm2-tools recipe such that there is a recipe for building the latest release (the default) and one for building the latest, auto-incrementing version from git master, placing all pieces common to the two recipes into an include file.

  Update release from 3.0.3 to 3.0.4.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* tpm2-abrmd: cleanup and update (Trevor Woerner, 2018-06-15, 3 files, -62/+63)
  Cleanup the tpm2-abrmd recipe such that there is a recipe for building the latest release (the default) and one for building the latest, auto-incrementing version from git master, placing all pieces common to the two recipes into an include file.

  Update release from 1.2.0 to 1.3.1.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* tpm2-tss: cleanup and update (Trevor Woerner, 2018-06-15, 3 files, -71/+131)
  Cleanup the tpm2-tss recipe such that there is a recipe for building the latest release (the default) and one for building the latest, auto-incrementing version from git master, placing all pieces common to the two recipes in an include file.

  Update release from 1.3.0 to 1.4.0.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* meta-intel-sgx: Initial support of linux-sgx-driver (Jia Zhang, 2018-06-06, 3 files, -0/+75)
  As the initial support, linux-sgx-driver is integrated into this layer. SDK and PSW will be provided soon.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2-abrmd-init: fix for /dev/tpmrmX (Trevor Woerner, 2018-06-06, 1 file, -1/+1)
  In addition to the expected /dev/tpmX device nodes, newer Linux kernels now also create /dev/tpmrmX nodes. This causes the daemon's startup script to fail, meaning the abrmd daemon is not started automatically.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* Update MAINTAINERS info (Jia Zhang, 2018-05-30, 1 file, -1/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* sign_rpm_ext.bbclass: fix check_rpm_public_key racing at recipe parsing time (Hongxu Jia, 2018-05-31, 1 file, -4/+1)
  All recipes will be parsed, which caused a lockfile racing issue in check_rpm_public_key.
  ...
  |WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb: oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file <_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
  ...

  Referring to do_package_write_rpm, add check_rpm_public_key to the prefunc of do_rootfs, so that only the running image recipe will invoke check_rpm_public_key.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* tpm2.0-tss: rename -> tpm2-tss (Trevor Woerner, 2018-05-30, 4 files, -4/+4)
  Unify how the TPM2 recipes are named.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* tpm2.0-tools: rename -> tpm2-tools (Trevor Woerner, 2018-05-30, 4 files, -4/+4)
  Unify how the TPM2 recipes are named.

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* layer.conf: add LAYERSERIES_COMPAT (Trevor Woerner, 2018-05-26, 8 files, -0/+16)
  see https://patchwork.openembedded.org/patch/140542/

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* sign_rpm_ext.bbclass: check rpm public key at image recipe parsing time (Hongxu Jia, 2018-05-23, 1 file, -0/+4)
  While multiple builds share a common sstate, the latter build failed to build the image because the public key was not found.
  ...
  |ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed. Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
  ...

  The latter build will not regenerate rpm packages and check_rpm_public_key will not be invoked.

  Explicitly invoke check_rpm_public_key at image recipe parsing time, which makes sure the gpg public key is imported.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* seloader: sync up with the latest (Jia Zhang, 2018-05-20, 1 file, -1/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* meta-integrity, meta-signing-key: Populate the secondary keyring (Tom Rini, 2018-05-17, 2 files, -2/+24)
  Currently we provide a secondary trusted key that is signed by the primary key. We do not however DER encode this certificate. Update the key-store recipe to also make a DER encoding of this certificate and include it in the same package as the PEM version of the certificate.

  In the IMA init script, if we have any secondary certificate in a DER encoding, load them into the secondary keyring before we try and load the IMA keys.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-signing-key: Rename "extra trusted" to "secondary" (Tom Rini, 2018-05-17, 6 files, -39/+39)
  The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system".

  Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-integrity: init.ima: Switch to using keyctl (Tom Rini, 2018-05-17, 2 files, -3/+5)
  Rather than parse /proc/keys directly to find out the ID of the keyring that we're using, let keyctl do this for us. In order to do that we need to have /proc available as /proc, so move it around before and after working with keyctl.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* grub-efi: remove aarch64 from COMPATIBLE_HOST (Kai Kang, 2018-05-16, 1 file, -0/+3)
  Functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet, so remove 'aarch64' from COMPATIBLE_HOST for now.

  Signed-off-by: Kai Kang <kai.kang@windriver.com>
* linux-yocto-efi-secure-boot: Package unversioned signature as symlink (Tom Rini, 2018-05-13, 1 file, -1/+3)
  To match the usual user experience of having /boot/${KERNEL_IMAGETYPE} exist as a symlink to the real kernel, also have our signature file exist for that as a symlink and include it in the package file.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* key-store: Fix typo in key-store-ima-privkey name (Tom Rini, 2018-05-12, 1 file, -1/+1)
  We're missing a leading '-' when we combine pn and ima-privkey here, add.

  Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
  Signed-off-by: Tom Rini <trini@konsulko.com>
* grub-efi: fix compile errors for arm64 (Kai Kang, 2018-05-11, 2 files, -20/+32)
  It fails to build grub-efi for arm64. Add definitions of missing macros and replace x86-specific asm code with the function grub_halt().

  Signed-off-by: Kai Kang <kai.kang@windriver.com>
* grub-efi: refresh patches to fix QA warning (Yi Zhao, 2018-05-10, 3 files, -13/+23)
  Refresh the following patches:
  0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
  0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
  Grub-get-and-set-efi-variables.patch

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-core: Move kernel-initramfs.bbappend (Tom Rini, 2018-05-06, 1 file, -0/+0)
  As the main recipe resides in meta/recipes-core/images/ move the append to recipes-core/images/ as well for consistency.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* kernel-initramfs: Rework to use update-alternatives directly (Tom Rini, 2018-05-06, 2 files, -63/+39)
  - All valid initramfs types will be listed in INITRAMFS_FSTYPES so use that variable rather than open-coding a list of possibilities.
  - Since we're using the list of things that must exist now we don't need to test if the files exist anymore. And when signing, we can sign all of them now.
  - Add some python to do_package to update all of the ALTERNATIVES variables dynamically based on how we're configured. This introduces an alternative for the initramfs portion as well so there is a stable name.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* efitools: Rework how we deal with rpath and linking of Linux apps (Tom Rini, 2018-05-02, 3 files, -30/+28)
  - In all cases, when building Linux apps (and thus linking with gcc) we need to pass in the normal set of LDFLAGS for both rpath and link hash type.
  - Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI apps (and thus linking with ld) we don't need to pass in other special flags. When linking the "openssl" apps we do not need to spell out the crtN files as gcc handles that for us, they are normal Linux apps. Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.

  With all of these changes we are now able to reuse sstate cache between build directories.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* initrdscripts-secure-core: Provide all directories init requires (Tom Rini, 2018-04-27, 1 file, -0/+6)
  Our "init" script requires additional directories to exist and since we don't pull in something like base-files that gives us a full layout we must make these additional directories on our own.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* README: Clarify local.conf required changes for IMA (Tom Rini, 2018-04-20, 1 file, -0/+2)
  - You must ensure that RPM is used in PACKAGE_CLASSES.
  - We need to remove image-prelink from USER_CLASSES. Prelinking the image at creation time (as happens on x86/x86_64) will result in the IMA hash of files changing from the recorded signature and verification will fail.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* keyutils: refresh patches to fix QA warning (Yi Zhao, 2018-04-11, 3 files, -23/+26)
  Refresh the following patches:
  keyutils-fix-the-cflags-for-all-of-targets.patch
  keyutils_fix_x86-64_cflags.patch
  keyutils_fix_x86_cflags.patch

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* init.ima: Fix up the syntax error (Jia Zhang, 2018-03-19, 1 file, -1/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* grub/boot-menu: Rename _bakup suffix to _backup (Jia Zhang, 2018-03-19, 1 file, -3/+3)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM (Jia Zhang, 2018-03-19, 1 file, -1/+2)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING (Jia Zhang, 2018-03-19, 1 file, -0/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* init.ima: Fix the failure when importing the external policy from real rootfs (Jia Zhang, 2018-03-19, 1 file, -1/+3)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* README: Document the instruction to install kernel image (Jia Zhang, 2018-03-19, 1 file, -0/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* cryptfs-tpm2: Update the upstream URL (Jia Zhang, 2018-03-13, 1 file, -2/+2)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>