Commit message  [Author, Age, Files, Lines changed (-/+)]
...
* grub-efi: fix build error with qemux86 (#24)  [Wenzong Fan, 2017-09-29, 1 file, -1/+1]
    Fix the error:

      mok2verify.c:169:53: error: \
        format '%lx' expects argument of type 'long unsigned int', \
        but argument 3 has type 'grub_efi_status_t {aka int}' \
        [-Werror=format=]

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* keyutils: update to 1.5.10 (#22)  [Wenzong Fan, 2017-09-27, 3 files, -49/+57]
    * rebase patches:
      - keyutils_fix_library_install.patch
      - keyutils-remove-m32-m64.patch
    * append '-Wall' to CFLAGS for fixing:
        .../recipe-sysroot/usr/include/features.h:376:4: error: \
          #warning _FORTIFY_SOURCE requires compiling with \
          optimization (-O) [-Werror=cpp]
    * clean up alternative targets; the *keyring*.7 files have been
      removed from keyutils 1.5.10.

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* user-key-store.bbclass: add deploy_rpm_keys (#20)  [Wenzong Fan, 2017-09-25, 1 file, -0/+10]
    Fix warning:

      WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* Install packages if distro flag set (#21)  [Wenzong Fan, 2017-09-25, 2 files, -3/+3]
    * install 'packagegroup-tpm2-initramfs' if distro flag 'tpm2' is set
    * install 'initrdscripts-ima' if distro flag 'ima' is set
    * install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* cryptsetup: add lvm2-udevrules into RDEPENDS (#19)  [WarrickJiang, 2017-09-25, 1 file, -1/+1]
    The meta-oe layer split the udevrules for lvm2 into a new package.
    Add lvm2-udevrules into the cryptsetup RDEPENDS list.

    Signed-off-by: Jiang Lu <lu.jiang@windriver.com>

* kernel-initramfs: fix the issue of removing the kernel source code (#18)  [fli, 2017-09-25, 1 file, -1/+0]
    "${S}" is not used for kernel-initramfs, and it will clean up the
    kernel source code if it is set to ${STAGING_KERNEL_DIR}; thus remove
    this definition.

    Signed-off-by: Fupan Li <fupan.li@windriver.com>

* meta-tpm2: clean up bootstrap  [Jia Zhang, 2017-09-20, 3 files, -3/+3]
    Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* Change the email address of MAINTAINER  [Jia Zhang, 2017-09-20, 1 file, -1/+1]
    Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* packagegroup-tpm: include tpm-quote-tools (#17)  [Wenzong Fan, 2017-09-12, 1 file, -0/+1]
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT  [Jia Zhang, 2017-09-02, 10 files, -15/+10]
    ${COREBASE}/LICENSE is not a valid license file. So it is recommended
    to use '${COMMON_LICENSE_DIR}/MIT' for an MIT License file in
    LIC_FILES_CHKSUM. This will become an error in the future.

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* tpm: openssl-tpm-engine: parse an encrypted TPM key password from env (#15)  [limeng-linux, 2017-09-02, 2 files, -7/+285]
    When the openssl-tpm-engine lib is used on an unattended device, there
    is no way to input the TPM key password. So add this feature to support
    parsing an encrypted (AES algorithm) TPM key password from the
    environment. The default decrypting AES password and salt are set in
    the bb file.

    When we create a TPM key (TSS format), generate 8 bytes of random data
    as its password, and then we need to encrypt the password with the same
    AES password and salt in the bb file. At last, we set an env variable
    as below:

      export TPM_KEY_ENC_PW=xxxxxxxx

    "xxxxxxxx" is the encrypted TPM key password for libtpm.so.

    Signed-off-by: Meng Li <Meng.Li@windriver.com>

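The commit above only states that the key password is 8 random bytes, AES-encrypted with a password and salt taken from the bb file, and exported as TPM_KEY_ENC_PW. The script below is an added example, not openssl-tpm-engine's or this layer's code, of how such a value can be produced and checked end to end. The cipher mode (AES-256-CBC via `openssl enc`), the key derivation (PBKDF2 from password plus a fixed 8-byte salt), the base64 transport encoding, and the AES_PASS/AES_SALT variable names are all assumptions standing in for whatever the real engine and bb file use; the actual on-disk format must be taken from the patch itself.

```shell
#!/bin/sh
# Added example (not openssl-tpm-engine's own code): produce and verify a
# TPM_KEY_ENC_PW value in the spirit of the commit message above.
#
# ASSUMPTIONS (stand-ins, not taken from the patch):
#   - cipher: AES-256-CBC as driven by `openssl enc`
#   - key derivation: PBKDF2 from a password plus a fixed 8-byte salt
#   - transport: one base64 line carried in the environment
#   - AES_PASS / AES_SALT play the role of the values set in the bb file
set -eu

AES_PASS="${AES_PASS:-change-me-example-password}"   # stand-in for the bb-file password
AES_SALT="${AES_SALT:-0123456789abcdef}"             # stand-in salt: 8 bytes as 16 hex chars

# 8 bytes of random data, hex-encoded (16 chars), used as the TPM key password.
gen_key_password() {
    openssl rand -hex 8
}

# Encrypt a plaintext key password into the form exported as TPM_KEY_ENC_PW.
# The fixed salt is what makes the value reproducible from the bb-file settings.
encrypt_password() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -S "$AES_SALT" \
        -pass "pass:$AES_PASS" -base64 -A
}

# Decrypt TPM_KEY_ENC_PW back to the plaintext key password; this is the step
# an unattended loader would perform at engine load time under these assumptions.
decrypt_password() {
    printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -S "$AES_SALT" \
        -pass "pass:$AES_PASS" -base64 -A
}

# Round-trip check: succeeds (exit 0) when decrypt(encrypt(pw)) == pw.
roundtrip_ok() {
    pw="$(gen_key_password)"
    enc="$(encrypt_password "$pw")"
    [ "$(decrypt_password "$enc")" = "$pw" ]
}

# Stand-alone demo: ./tpm-key-pw.sh demo
if [ "${1:-}" = "demo" ]; then
    pw="$(gen_key_password)"
    enc="$(encrypt_password "$pw")"
    echo "export TPM_KEY_ENC_PW=$enc"
    echo "decrypts to: $(decrypt_password "$enc")"
fi
```

One property worth keeping in mind when deploying this pattern: the decrypting password and salt live in the bb file and therefore end up in the built image, so anyone who can read the rootfs can recover the TPM key password from TPM_KEY_ENC_PW. The encryption keeps the password out of plain-text environment dumps and shell history; it does not protect it from an attacker who already has the image.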
* Update BB_HASHBASE_WHITELIST  [Jia Zhang, 2017-09-01, 2 files, -3/+11]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* create-user-key-store.sh: Add arguments to specify gpg's key name and email address (#14)  [yunguowei, 2017-08-28, 1 file, -1/+27]
    Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>

* meta-efi-secure-boot/README.md: document shim_cert as unused  [Jia Zhang, 2017-08-26, 1 file, -2/+4]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-ids: install packagegroup-ids if the feature ids is configured  [Jia Zhang, 2017-08-24, 3 files, -1/+7]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* key-store: Fix two key-store-rpm-pubkey user key issues (#13)  [Guojian, 2017-08-24, 1 file, -5/+5]
    1. The user key pub rpm package could also be created.
    2. The latest bitbake could not support nested d.getVar() calls. For
       example, the following call always returns "None":

         d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)

       This caused the key-store-rpm-pubkey rpm package not to be created
       in the latest oe-core project.

    Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* meta-ids: initial commit for IDS support (#11)  [Wenzong Fan, 2017-08-24, 7 files, -0/+157]
    * Add new layer for IDS support
    * Add package mtree to provide basic IDS functions

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)  [Wenzong Fan, 2017-08-24, 1 file, -0/+3]
    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* sign_rpm_ext: make sure all target recipes are signed  [Jia Zhang, 2017-08-24, 2 files, -24/+26]
    Placing the key import logic under signing-keys cannot ensure all
    target recipes are always signed. Instead, place it before
    do_package_write_rpm.

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: remove INHERIT += "sign_rpm_ext"  [Jia Zhang, 2017-08-23, 1 file, -2/+0]
    This definition should be placed in local.conf.

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* secure-core-image: install dnf by default  [Jia Zhang, 2017-08-23, 1 file, -0/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* secure-core-image-initramfs: enlarge the max size  [Jia Zhang, 2017-08-23, 1 file, -0/+2]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-signing-key: replace the sample RPM signing key  [Jia Zhang, 2017-08-23, 2 files, -44/+83]
    The previous one cannot be handled by gpg v2 properly when importing it.

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* shim: sync up with upstream  [Jia Zhang, 2017-08-23, 7 files, -335/+22]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* Fix the user rpm sign key can not be found issue (#5)  [Guojian, 2017-08-22, 1 file, -4/+0]
    When SIGNING_MODEL is set to "user", the signing-keys recipe fails on
    the get_public_keys task. The uks_rpm_keys_dir() function could not
    return the right rpm_keys directory when SIGNING_MODEL is set to
    "user".

    Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* signing-keys: fix the race condition when concurrent import operations occur  [Jia Zhang, 2017-08-20, 1 file, -0/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-tpm: tss 1.x always depends on openssl 1.0.x  [Jia Zhang, 2017-08-20, 3 files, -3/+3]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* encrypted-storage: use luks as the feature name for current implementation  [Jia Zhang, 2017-08-20, 14 files, -30/+29]
    The encrypted-storage layer will include more security features about
    encrypted storage, so the term "encrypted-storage" won't be used to
    specify a dedicated technology term such as "LUKS".

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* create-user-key-store.sh: support gpg 2.x used to generate rpm signing key  [Jia Zhang, 2017-08-20, 1 file, -18/+26]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix gpg key import failure due to wrong option position  [Jia Zhang, 2017-08-20, 1 file, -2/+2]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: clean up  [Jia Zhang, 2017-08-20, 1 file, -3/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: define the location of default gpg keyring to TMPDIR  [Jia Zhang, 2017-08-20, 1 file, -1/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: fix permission warning  [Jia Zhang, 2017-08-20, 1 file, -1/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix gpg key import failure  [Jia Zhang, 2017-08-20, 1 file, -2/+2]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext.bbclass: clean up  [Jia Zhang, 2017-08-19, 1 file, -9/+1]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)  [Guojian, 2017-08-19, 1 file, -8/+7]
    If "GPG_PATH" is set in the init script, then the "signing-keys"
    get_public_keys task will fail. So the "GPG_PATH" directory will be
    created when "GPG_PATH" is set.

    The do_get_public_keys "failed to import gpg key" error information is
    as follows:

    ----------------------------------------------------------------------------------------
    ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key (layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
    gpg: fatal: can't create directory `tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory

    Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)  [Guojian, 2017-08-19, 1 file, -0/+15]
    The keyutils-doc package supplies some man7 files with the same names
    as man-pages, which causes the rpm package installation or upgrade to
    fail.

    The keyutils-doc and man-pages rpm packages' transaction check error
    information is as follows:

    --------------------------------------------------------------------
    Running transaction test
    Error: Transaction check error:
      file /usr/share/man/man7/keyrings.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/persistent-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/process-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/thread-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/user-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/user-session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64

    Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* sign_rpm_ext.bbclass: use the default setting from meta-signing-key  [Jia Zhang, 2017-08-19, 3 files, -16/+5]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: set default GPG_PATH if it is not specified (#2)  [yunguowei, 2017-08-19, 1 file, -0/+15]
    commit 52bf3b6636f95a (meta-integrity: move gpg keyring initialization
    to signing-keys) tried to initialize the keyring in the task
    check_public_keys of the recipe signing-keys. However, it works with
    the recipe signing-keys only, and GPG_PATH can't be passed to other
    recipes.

    We bring the python anonymous function back, and it makes sure
    GPG_PATH is set before signing the packages for every recipe.

    Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>

* grub-efi: remove the unused patch  [Jia Zhang, 2017-08-18, 1 file, -30/+0]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: move gpg keyring initialization to signing-keys  [Jia Zhang, 2017-08-17, 2 files, -38/+37]
    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* efitools: fix searching openssl.cnf for target build  [Jia Zhang, 2017-08-17, 1 file, -2/+1]
    Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
    to work around openssl-1.1.x.

    Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: support RPM signing  [Lans Zhang, 2017-08-17, 4 files, -8/+113]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* efitools: support to build with openssl-1.1.x  [Lans Zhang, 2017-08-16, 3 files, -0/+78]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* ima-evm-utils: support to build with openssl-1.1.x  [Lans Zhang, 2017-08-16, 2 files, -0/+300]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* cryptfs-tpm2: sync up with upstream  [Lans Zhang, 2017-08-16, 1 file, -1/+1]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* README.md: update reference links  [Lans Zhang, 2017-08-16, 2 files, -4/+4]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-integrity/README.md: update  [Lans Zhang, 2017-08-16, 1 file, -12/+25]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* sbsigntool: fix build failure with openssl-1.0.x  [Lans Zhang, 2017-08-16, 2 files, -9/+33]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* init.ima: clean up and allow to load extra IMA policies from the real rootfs  [Lans Zhang, 2017-08-15, 1 file, -10/+18]
    Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
