| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Peter Hatina <peter@hatina.eu>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:
| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'
Remove the link file before create it if exists already.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Gatesgarth still uses grub 2.04.
This reverts commit 4e1cc676dc566de9b9f779d4209dd28fa7a80788.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
| |
|
|
|
|
|
|
|
| |
grub-efi-native does not benefit from the extra code/modules that get built for
secure-boot support, it just increases the build time of the package.
Therefore, mark all secure-boot related procedures in the recipe for
class-target only.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
- the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
- the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set,
so there's no need to call insmod;
While at it, remove some unnecessary code duplication.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
| |
|
|
|
|
|
|
|
| |
p7b was replaced by the ${SB_FILE_EXT} variable, but one reference
was omitted during the rework.
Fixes: 31d2105b
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
oe-core now uses the git version for grub-efi, so we'd better to
use the '%' wildcard for the bbappend file name.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following error when set DEBUG_BUILD = "1":
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
cc1: all warnings being treated as errors
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
There is a build error if the /tmp directory is mounted with noexec
option:
lib/ccan.git/tools/create-ccan-tree: line 130: /tmp/tmp.MSe2mg2hM5/ccan_depends: Permission denied
Specify a local TMPDIR to fix it.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit fa5550d97de6("sbsigntool: Update to latest and change repos")
tried to fix compilation for arm architectures.
Due to the changes in the upstream package though host gnu-efi was
required to compile the package. Also that commit removed a useful
commit (-x support on sbsigntool), which I mistakenly remembered it was
already upstreamed.
So fix the gnu-efi error and fixup the useful patch to keep the
existring functionality. The old package was also depending on
binutils-dev being installed on the host. Fix that and depend on
binutils-native.
While at it purge the unused patches.
Fixes: commit fa5550d97de6("sbsigntool: Update to latest and change repos")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
| |
|
|
|
|
| |
Get rid of meta-python2 dependency because python2 is EOL.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
| |
Remove the recipe because no one depends on it anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
Remove the recipe because it is unmaintained and its dependency python2
is EOL. Users can use ibmswtpm2 in meta-security as a replacement.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
The current sbsigntool repo is ancient and doesn't support native arm
binaries. Let's switch to the current upstream and adjust the recipe
accordingly, allowing the package to be used in native arm machines
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
|
| |
|
|
|
|
|
|
|
| |
The glibc 2.33 remove macro _STAT_VER_LINUX [1],
do not use it to represent linux system
[1] https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=sysdeps/unix/sysv/linux/bits/stat.h;h=b5426232088df446f502e6aea76a6cf03e71e1c4;hp=240628a6f4c9028a774c26a04a145c24110f669b;hb=8ed005daf0ab03e142500324a34087ce179ae78e;hpb=428985c436f442e91e27173bccaf28f547233586
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Classes native/nativesdk must be inherited last to prevent unexpected
behaviour.
Fixes QA warning:
QA Issue: tpm2simulator-native: native/nativesdk class is not inherited
last, this can result in unexpected behaviour. Classes inherited after
native/nativesdk: cmake.bbclass lib_package.bbclass python-dir.bbclass
pythonnative.bbclass [native-last]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
fix below error caused by: openssl->libsign-native->openssl
DEBUG: Dependency loop #1 found:
Dependency loop #1 found:
...
oe-core commits "bitbake.conf/python: Drop setting RDEPENDS/RPROVIDES default"
and "native: Stop clearing PACKAGES" refactor usage of RDEPENDS
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The systemd switched to meson build long time ago. Somehow this bbappend
didn't update. Switch to meson build otherwise these options do not work
at all.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We encountered a file not found error when the symlink filesize is 60:
$ ls -l initrd
lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz
When booting, we got the following error in grub:
error: file `/initrd' not found
The root cause is although the size of diro->inode.symlink is 60, it
includes the trailing '\0'. So if the symlink filesize is exactly 60, it
is also stored in a separate block rather than in the inode.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| | |
|
| |
|
|
| |
Signed-off-by: Bartłomiej Burdukiewicz <bartlomiej.burdukiewicz@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adapt to recent psuedo changes.
Fixes:
ERROR: grub-efi-2.04-r0 do_sign: Failed to import gpg key
gpg: key 9E3086F96EEECC34/9E3086F96EEECC34: error sending to agent: End of file
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
| |
allow openssl x509 '--days' parameter to be specified via command line argument
Signed-off-by: Corey Cothrum <contact@coreycothrum.com>
|
| |
|
|
|
|
|
|
|
| |
Since rpm 4.15, the users can control over the installation of
signatures on config files through a variable named
%_ima_sign_config_files. But this is disabled by default. Add a macro
configuration file to enable it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
CONFIG_HW_RANDOM_TPM is bool, not tristate, and thus it cannot be
set to "m"
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
|
| |
|
|
|
|
|
| |
Refresh mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch to
adapt the recent CVEs fixing.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If GPG_PATH is already created by signing-keys do_get_public_keys task,
subsequent executions of do_package_write_rpm will not create the
gpg-agent.conf file anymore.
Therefore, the spawned gpg-agent will miss important features such as
auto-expand-secmem, leading to the following intermittent build errors:
....
Subprocess output:
gpg: signing failed: Cannot allocate memory
gpg: signing failed: Cannot allocate memory
error: gpg exec failed (2)
gpg: signing failed: Cannot allocate memory
gpg: signing failed: Cannot allocate memory
error: gpg exec failed (2)
...
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we do adopt path filtering for pseudo, we may filter out ${DEPLOY_DIR}
as not needing to be tracked for "root" permissions. but we do track
the data in ${D} though, when we copy file from ${D} to ${DEPLOY_DIR},
pseudo report a failure
...
|cp: failed to preserve ownership for 'tmp-glibc/work/corei7-64-wrs-linux/
grub-efi/2.04-r0/deploy-grub-efi/efi-unsigned/x86_64-efi/fdt.lst'
: Operation not permitted
...
Disable pseudo for the copy operation
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Fix the following warning:
[INFO]: the following symbols were not found in the active configuration:
- CONFIG_IMA_NG_TEMPLATE=y
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
|
| |
|
|
|
|
|
| |
gcc-10 uses '-fno-common' by default, causing build error of
multiple definition. Use '-fcommon' to fix this problem.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].
Please consider using "journal" or "journal+console"
[1] https://github.com/systemd/systemd/blob/master/NEWS#L202
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
|
| |
|
|
|
|
|
|
| |
Replace weak des3 encryption with more secure algorithm aes256 to
generate ima key in script create-user-key-store.sh.
Signed-off-by: David Dunlap <david.dunlap@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Security fixes:
CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks
CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed
CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
* License-Update: BSD -> BSD-3-Clause
* Add a patch to switch to python3 in test scripts
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current soname of libcryptfs-tpm2 is libcryptfs-tpm2.so:
$ readelf -d libcryptfs-tpm2.so.0.7.0 | grep SONAME
0x000000000000000e (SONAME) Library soname: [libcryptfs-tpm2.so]
The libcryptfs-tpm2.so is a symbolic link of libcryptfs-tmp2.so.0.7.0
and it is not installed by default because it is packaged to dev
package. Then we will encounter an error when run command cryptfs-tpm2:
$ cryptfs-tpm2
cryptfs-tpm2: error while loading shared libraries: libcryptfs-tpm2.so:
cannot open shared object file: No such file or directory
$ ldd cryptfs-tpm2 | grep libcryptfs-tpm2
libcryptfs-tpm2.so => not found
Set the soname to libcryptfs-tpm2.so.$(MAJOR_VERSION) to fix the issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tpm2-abrmd daemon needs TCTI library for TPM2 device or simulator.
But the libtss2-tcti-device and libtss2-tcti-mssim packages are not
installed by default which causes the tpm2-abrmd daemon startup failure:
systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
tpm2-abrmd[459]: tcti_conf before: "device:/dev/tpm0"
tpm2-abrmd[459]: tcti_conf after: "device:/dev/tpm0"
tpm2-abrmd[459]: ERROR:tcti:../tpm2-tss-2.3.2/src/tss2-tcti/tctildr.c:418:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
tpm2-abrmd[459]: init_thread_func: failed to create TCTI with conf "device:/dev/tpm0"
tpm2-abrmd[459]: g_bus_unown_name: assertion 'owner_id > 0' failed
Add libtss2-tcti-device and libtss2-tcti-mssim to runtime dependencies.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
fix do_package_qa error:
ERROR: QA Issue: tpm2-tss package is not obeying usrmerge distro feature. /lib should be relocated to /usr. [usrmerge]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
