Commit message  Author  Age  Files  Lines
...
* grub-efi/boot-menu.inc: remove invalid menuentry (#122)  Zhao Yi  2019-11-01  1  -5/+0
| | | | | | Currently the recovery menuentry is not available because we don't provide bzImage_backup and initrd_backup. Remove this entry. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* conf/layer.conf: Add zeus to LAYERSERIES_COMPAT (#121)  muvarov  2019-11-01  9  -9/+9
| | | Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
* lib-evm-utils: using the correct algo for v2 signature (#120)  Yunguo Wei  2019-10-10  2  -0/+27
| | | | | | | | | | | | | | | | | | | | When using rpmsign (with --signfiles --fskpath) to sign RPM package, the IMA signature is not correct, see: $ getfattr -d -m - rootfs/usr/sbin/grpconv file: rootfs/usr/sbin/grpconv And the expected signature is like this: $ getfattr -d -m - rootfs/usr/sbin/grpconv file: rootfs/usr/sbin/grpconv The root cause is libimaevm doesn't retrieve correct signing algo, so this patch is making things right. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* linux-yocto-integrity.inc: fix 'uks_modsign_keys_dir' is not defined (#119)  Hongxu Jia  2019-10-07  1  -2/+6
| | | | | | | | | | Since commit [b41010c linux-yocto-integrity: fix modsign key path] was applied, if MODSIGN_ENABLED is "0", bbclass user-key-store will not be inherited, which causes 'uks_modsign_keys_dir' is not defined. Unconditionally inherit user-key-store, but conditionally invoke uks_modsign_keys_dir. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* Merge pull request #118 from lumag/drop-privkeys  Jia Zhang  2019-10-01  4  -61/+10
|\ | | | | Security: do not install private keys into rootfs
| * meta-integrity: fix documentation  Dmitry Eremin-Solenikov  2019-09-30  1  -4/+5
| | | | | | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * linux-yocto-integrity: fix modsign key path  Dmitry Eremin-Solenikov  2019-09-16  1  -1/+3
| | | | | | | | | | | | | | Use modsign key directly from uks_modsign_keys_path(d), rather than from installed package. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * packagegroup-ima: RRECOMMEND certificates rather than private keys  Dmitry Eremin-Solenikov  2019-09-16  1  -2/+2
| | | | | | | | | | | | Do not even try pulling private keys into rootfs. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * key-store: drop private keys packages  Dmitry Eremin-Solenikov  2019-09-16  1  -54/+0
| | | | | | | | | | | | | | Having a private key package might allow one to pull it into rootfs which is really, really bad. So drop all private key packages. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
* | Merge pull request #117 from 2005songliwei/master  Jia Zhang  2019-09-12  1  -1/+1
|\ \ | |/ |/| secure-core:allow other layer overwrite INITRAMFS_IMAGE
| * secure-core:allow other layer overwrite INITRAMFS_IMAGE  Jiang Lu  2019-09-12  1  -1/+1
| | | | | | | | | | | | | | Allow other layer overwrite $INITRAMFS_IMAGE. Signed-off-by: Jiang Lu <lu.jiang@windriver.com> Signed-off-by: Liwei Song <liwei.song@windriver.com>
* | Merge pull request #116 from lumag/master  Jia Zhang  2019-09-04  2  -13/+65
|\ \ | | | | | | Use PKCS7 drivers compiled from OVMF source
| * | seloader: use pkcs7 drivers from OVMF  Dmitry Eremin-Solenikov  2019-09-04  1  -13/+6
| | | | | | | | | | | | | | | | | | | | | Rather than using pre-compiled EFI drivers, use freshly compiled drivers from OVMF source tree. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * | ovmf: package PKCS7 verification drivers  Dmitry Eremin-Solenikov  2019-09-04  1  -0/+59
| | | | | | | | | | | | | | | | | | | | | Package Pkcs7VerifyDxe.efi and Hash2DxeCrypto.efi to be used by SELoader bootloader. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
* | | Merge pull request #115 from lumag/master  Jia Zhang  2019-09-04  11  -315/+89
|\| | | | | | | | Several updates and additional patch for grub-efi MOK2 support
| * | ima-inspect: add patch to fix compilation with newer ima-evm-utils  Dmitry Eremin-Solenikov  2019-09-04  2  -1/+17
| | | | | | | | | | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * | ima-evm-utils: update to release 1.2.1  Dmitry Eremin-Solenikov  2019-09-04  3  -307/+7
| | | | | | | | | | | | | | | | | | Bump ima-evm-utils to latest release (1.2.1). Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * | grub-efi: support mok2 verify in multiboot2 protocol  Dmitry Eremin-Solenikov  2019-09-04  2  -0/+55
| | | | | | | | | | | | | | | | | | | | | Add support for verifying PKCS#7 signatures via MOK2 protocol to multiboot2 command enabling one to load multiboot-capable kernels. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * | meta-tpm2: tpm2-tools: update to version 3.2.0  Dmitry Eremin-Solenikov  2019-09-04  1  -2/+2
| | | | | | | | | | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
| * | meta-tpm2: tpm2-tss: update to version 2.2.3  Dmitry Eremin-Solenikov  2019-09-04  3  -5/+8
|/ / | | | | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
* | Merge pull request #113 from 2005songliwei/master  Jia Zhang  2019-08-27  1  -0/+10
|\| | | | | grub-efi: fix uid contamination by host QA warning
| * grub-efi: fix uid contamination by host QA warning  Liwei Song  2019-08-26  1  -0/+10
|/ | | | | | | | | Fix the following QA issue: WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183 chown to root for p7b file to fix uid contamination by host. Signed-off-by: Liwei Song <liwei.song@windriver.com>
* Merge pull request #112 from yizhao1/fix2  Jia Zhang  2019-08-19  1  -2/+2
|\ | | | | meta-signing-key/conf/layer.conf: use weak assignment for RPM_GPG_NAM…
| * meta-signing-key/conf/layer.conf: use weak assignment for RPM_GPG_NAME and RPM_GPG_PASSPHRASE  Yi Zhao  2019-08-19  1  -2/+2
| | | | | | | | | | | | | | | | | | Use weak assignment for RPM_GPG_NAME and RPM_GPG_PASSPHRASE so these values could be overridden in other conf files. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* | fixup! meta-secure-core: use bb.fatal instead of bb.build.FuncFailed  Yi Zhao  2019-08-19  1  -1/+1
|/
* meta-secure-core: use bb.fatal instead of bb.build.FuncFailed  Yi Zhao  2019-08-19  2  -8/+6
| | | | | | | The bb.build.FuncFailed had been removed in bitbake with commit cfeffb602dd5319f071cd6bcf84139ec77f2d170. Use bb.fatal instead of it. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-secure-core: add linux-yocto-dev bbappend  Yi Zhao  2019-08-13  5  -0/+5
| | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* linux-yocto: upgrade bbappend from 4.% to 5.%  Yi Zhao  2019-08-13  6  -0/+0
| | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-boot: only apply if efi-secure-boot distro flag set  Mark Hatle  2019-08-13  4  -150/+151
| | | | | | | | Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot set Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* grub-efi: update bbappend and refresh patches  Yi Zhao  2019-08-13  2  -22/+28
| | | | | | | The grub-efi has been upgraded to 2.04 in oe-core. Update the bbappend and refresh patches to adapt it. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* keyutils: remove it  Changqing Li  2019-08-02  6  -204/+0
| | | | | | | | keyutils under meta-security have been moved to meta-openembedded by this commit https://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b and is a higher version than keyutils, so remove this one. Signed-off-by: Changqing Li <changqing.li@windriver.com>
* tpm2-abrmd: fix do_compile error  Mingli Yu  2019-07-24  2  -0/+70
| After commit [5ef547b autoconf-archive: update to 2019.01.06] was applied in oe-core, the error below occurs when building tpm2-abrmd:
| | NOTE: make -j 48
| | Makefile:4381: *** missing separator. Stop.
|
| So backport a patch from tpm2-abrmd upstream to fix this failure.
|
| Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
* tpm2-tss: fix do_compile error  Mingli Yu  2019-07-23  2  -1/+53
| After commit [5ef547b autoconf-archive: update to 2019.01.06] was applied in oe-core, the error below occurs when building tpm2-tss:
| | NOTE: make -j 48
| | Makefile:14636: *** missing separator. Stop.
|
| So backport a patch from tpm2-tss upstream to fix this failure.
|
| Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
* util-linux: only apply the bbappend if ima distro flag set  Yi Zhao  2019-06-26  2  -19/+20
| Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
| util-linux:do_compile: 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 -> 53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
| bitbake-diffsigs --task util-linux do_compile --signature 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
|
| Rename util-linux_%.bbappend to util-linux-integrity.inc and add a new bbappend. Make sure this piece of code should be applied only if the ima feature is set.
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Revert "rpm: always include rpm-integrity.inc for RPM signing"  Yi Zhao  2019-06-26  1  -1/+1
| This reverts commit 0477a93cf98bd2946320d90cadb54a0fc2c2c0df.
|
| Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
| rpm-native:do_configure: c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b -> d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
| bitbake-diffsigs --task rpm-native do_configure --signature c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
|
| Revert the patch to fix it.
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-integrity/conf/layer.conf: add opemembedded-layer as layer dependency  Yi Zhao  2019-06-21  1  -0/+1
| Fix ima-inspect build failure:
| $ bitbake ima-inspect
| ERROR: Nothing PROVIDES 'tclap' (but /build/poky/meta-secure-core/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb DEPENDS on or otherwise requires it).
| ERROR: Required build target 'ima-inspect' has no buildable providers.
| Missing or unbuildable dependency chain was: ['ima-inspect', 'tclap']
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* shim: fix build failure with gcc9  Yi Zhao  2019-06-05  2  -0/+76
| Backport patch to fix build error with gcc9 for option "-Werror=address-of-packed-member"
|
| MokManager.c: In function 'write_back_mok_list':
| MokManager.c:1125:19: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
| 1125 | if (CompareGuid(&(list[i].Type), &CertType) == 0)
|      | ^~~~~~~~~~~~~~~
| MokManager.c:1147:19: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
| 1147 | if (CompareGuid(&(list[i].Type), &CertType) == 0) {
|      | ^~~~~~~~~~~~~~~
| MokManager.c: In function 'delete_cert':
| MokManager.c:1188:19: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
| 1188 | if (CompareGuid(&(mok[i].Type), &CertType) != 0)
|      | ^~~~~~~~~~~~~~
| MokManager.c: In function 'delete_hash_in_list':
| MokManager.c:1239:20: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
| 1239 | if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
|      | ^~~~~~~~~~~~~~
| MokManager.c: In function 'delete_keys':
| MokManager.c:1410:19: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
| 1410 | if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
|      | ^~~~~~~~~~~~~~~~~~
| cc1: all warnings being treated as errors
| <builtin>: recipe for target 'MokManager.o' failed
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* kernel-initramfs: depends on do_image_complete rather than do_rootfs  Hongxu Jia  2019-05-24  1  -1/+1
| ...
| |install: cannot stat 'tmp-glibc/deploy/images/intel-x86-64/secure-core-image-initramfs-intel-x86-64.cpio.gz': No such file or directory
| ...
|
| Depends do_image_complete after required image generated
|
| Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* meta: create README symbolic link  Yi Zhao  2019-04-24  1  -0/+1
| Run yocto-check-layer to check layer compliance of Yocto will report the following error:
| $ yocto-check-layer ../meta-secure-core/meta
| INFO: Detected layers:
| [snip]
| INFO: test_readme (common.CommonCheckLayer)
| INFO: ... FAIL
| INFO: Traceback (most recent call last):
| File "/buildarea/poky/scripts/lib/checklayer/cases/common.py", line 15, in test_readme
| msg="Layer doesn't contains README file.")
| AssertionError: False is not true : Layer doesn't contains README file.
| [snip]
|
| There is no need to create a new README for this layer. We just create a symbolic link of README from the top-level.
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* conf/layer.conf: Add warrior to LAYERSERIES_COMPAT  Yi Zhao  2019-04-23  9  -9/+9
| | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Patch ima-evm-utils to fix build with musl  Luca Boccassi  2019-02-28  2  -0/+38
| | | | | | | | Third party programs including libimaevm fail to build with musl due to a missing include in the public header. Add it. The build with glibc is unaffected. Patch sent upstream. Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
* Bump tpm2-abrmd from 2.0.1 to 2.0.3 to fix build with musl  Luca Boccassi  2019-02-26  1  -2/+2
| | | | | | | | | | Several bug fixes were merged in 2.0.1 and 2.0.3, including the following PRs that fix building tpm2-abrmd with the musl C library: https://github.com/tpm2-software/tpm2-abrmd/pull/502 https://github.com/tpm2-software/tpm2-abrmd/pull/503 Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
* grub-efi: fix the potential uninitialized error for variable 'err'  Wenzong Fan  2018-12-03  1  -1/+1
| Fix the build errors with DEBUG_BUILD enabled:
| grub-core/loader/linux.c: In function 'grub_initrd_load':
| grub-core/loader/linux.c:326:10: error: 'err' may be used \
| uninitialized in this function [-Werror=maybe-uninitialized]
|
| In function grub_initrd_load:
| grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
| char *argv[], void *target)
| {
| [snip]
| grub_err_t err;
| [snip]
| #ifdef GRUB_MACHINE_EFI
| [snip]
| err = grub_verify_file (argv[i]);
| [snip]
| #endif
| [snip]
| fail:
| [snip]
| return err;
| }
|
| If the GRUB_MACHINE_EFI is not defined, the function would return an uninitialized value for 'err'. We should initialize it when this variable is assigned.
|
| Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* base-files: only apply the bbappend if ima distro flag set  Yi Zhao  2018-12-03  2  -5/+6
| When the meta-integrity layer is included but feature ima is not set, we would get the following error when the system startup:
| qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
| qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.
|
| Rename base-files_%.bbappend to base-files-integrity.inc and add a new bbappend. Make sure this piece of code should be applied only if the ima feature is set.
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag set  Yi Zhao  2018-11-30  2  -37/+38
| When the meta-efi-secure-boot layer is included but feature efi-secure-boot is not set. We got the following error with kernel-initramfs building:
| ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
| ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
| Log data follows:
| | DEBUG: Executing python function sstate_task_prefunc
| | DEBUG: Python function sstate_task_prefunc finished
| | DEBUG: Executing shell function do_deploy
| | install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| | WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| | ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
| ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'
|
| Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc and add a new bbappend. Make sure this piece of code should be applied only if the efi-secure-boot feature is set.
|
| Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* kernel-initramfs: fix inconsistent indentation  Yi Zhao  2018-11-30  1  -3/+3
| | | | | | Use spaces consistently to indent do_install() Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-boot: Ensure openssl-native exists when we need it  Tom Rini  2018-11-07  4  -2/+5
| | | | | | | | | | | In order to deploy our secure boot keys in DER format we need to use openssl. This must be listed in our DEPENDS line in order for the sysroot to be populated correctly when we run do_sign. Also drop the explicit fakeroot on our empty grub-efi do_sign as we may not have globally populated virtual/fakeroot-native at that point in time. Fixes: 92316d4b402b ("meta-signing-key: When deploying keys UEFI keys, deploy DER format") Signed-off-by: Tom Rini <trini@konsulko.com>
* mtree: update context of configure.ac-automake-error.patch  Kai Kang  2018-11-07  1  -4/+4
| A warning is shown when applying configure.ac-automake-error.patch:
| | WARNING: mtree-1.0.3+gitAUTOINC+4f3e901aea-r0 do_patch:
| | ...
| | Details:
| | Applying patch configure.ac-automake-error.patch
| | patching file configure.ac
| | Hunk #1 succeeded at 4 with fuzz 2 (offset -2 lines).
|
| Update context of configure.ac-automake-error.patch to sync with current mtree source code.
|
| Signed-off-by: Kai Kang <kai.kang@windriver.com>
* key-store: rename ima private key and certificate on target  Yunguo Wei  2018-11-07  4  -5/+18
| | | | | | | | | If sample keys are selected, key-store service will deploy IMA private key during first boot, but people may be confused if we deploy a sample private key like "xxx.crt", so this commit is making sure key/cert on target are consistent with key files on build system. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-signing-key: When deploying keys UEFI keys, deploy DER format  Tom Rini  2018-10-25  1  -0/+4
| | | | | | | | | Generally speaking, for firmware to import PK/KEK/DB keys they need to be in the binary "DER" format and typically have the "cer" file extension. When deploying our keys, convert what we have to that format and deploy as well for ease of use. Signed-off-by: Tom Rini <trini@konsulko.com>