summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* fix sbsigningtool SRC_URIthudJonathan Marler2021-08-241-1/+1
| | | | The SRC_URI git://kernel.ubuntu.com/jk/sbsigntool no longer exists. I've updated the SRC_URI to point to the new location.
* Create the stable branch thudJia Zhang2018-12-102-2/+2
| | | | | | And Yi Zhao becomes the maintainer for this branch. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* grub-efi: fix the potential uninitialized error for variable 'err'Wenzong Fan2018-12-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the build errors with DEBUG_BUILD enabled: grub-core/loader/linux.c: In function 'grub_initrd_load': grub-core/loader/linux.c:326:10: error: 'err' may be used \ uninitialized in this function [-Werror=maybe-uninitialized] In function grub_initrd_load: grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, char *argv[], void *target) { [snip] grub_err_t err; [snip] #ifdef GRUB_MACHINE_EFI [snip] err = grub_verify_file (argv[i]); [snip] #endif [snip] fail: [snip] return err; } If the GRUB_MACHINE_EFI is not defined, the function would return an uninitialized value for 'err'. We should initialize it when this variable is assigned. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* base-files: only apply the bbappend if ima distro flag setYi Zhao2018-12-032-5/+6
| | | | | | | | | | | | | | When the meta-integrity layer is included but feature ima is not set, we would get the following error when the system startup: qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist. qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32. Rename base-files_%.bbappend to base-files-integrity.inc and add a new bbappend. Make sure this piece of code should be applied only if the ima feature is set. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag setYi Zhao2018-11-302-37/+38
| | | | | | | | | | | | | | | | | | | | | | | When the meta-efi-secure-boot layer is included but feature efi-secure-boot is not set. We got the following error with kernel-initramfs building: ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995) ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995 Log data follows: | DEBUG: Executing python function sstate_task_prefunc | DEBUG: Python function sstate_task_prefunc finished | DEBUG: Executing shell function do_deploy | install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory | WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs' | ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995) ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1' Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc and add a new bbappend. Make sure this piece of code should be applied only if the efi-secure-boot feature is set. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* kernel-initramfs: fix inconsistent indentationYi Zhao2018-11-301-3/+3
| | | | | | Use spaces consistently to indent do_install() Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-boot: Ensure openssl-native exists when we need itTom Rini2018-11-074-2/+5
| | | | | | | | | | | In order to deploy our secure boot keys in DER format we need to use openssl. This must be listed in our DEPENDS line in order for the sysroot to be populated correctly when we run do_sign. Also drop the explicit fakeroot on our empty grub-efi do_sign as we may not have globally populated virtual/fakeroot-native at that point in time. Fixes: 92316d4b402b ("meta-signing-key: When deploying keys UEFI keys, deploy DER format") Signed-off-by: Tom Rini <trini@konsulko.com>
* mtree: update context of configure.ac-automake-error.patchKai Kang2018-11-071-4/+4
| | | | | | | | | | | | | | | | It shows warning when apply configure.ac-automake-error.patch: | WARNING: mtree-1.0.3+gitAUTOINC+4f3e901aea-r0 do_patch: | ... | Details: | Applying patch configure.ac-automake-error.patch | patching file configure.ac | Hunk #1 succeeded at 4 with fuzz 2 (offset -2 lines). Update context of configure.ac-automake-error.patch to sync with current mtree source codes. Signed-off-by: Kai Kang <kai.kang@windriver.com>
* key-store: rename ima private key and certificate on targetYunguo Wei2018-11-074-5/+18
| | | | | | | | | If sample keys are selected, key-store service will deploy IMA private key during first boot, but beople may be confused if we deploy a sample private key like "xxx.crt", so this commit is making sure key/cert on target are consistent with key files on build system. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-signing-key: When deploying keys UEFI keys, deploy DER formatTom Rini2018-10-251-0/+4
| | | | | | | | | Generally speaking, for firmware to import PK/KEK/DB keys they need to be in the binary "DER" format and typically have the "cer" file extension. When deploying our keys, convert what we have to that format and deploy as well for ease of use. Signed-off-by: Tom Rini <trini@konsulko.com>
* initrdscripts-secure-core: remove /sys and /proc from packageYunguo Wei2018-10-251-4/+0
| | | | | | | | | | | | The following failure is shown during secure-core-image-initramfs:do_rootfs(): Error: Transaction check error: file /proc conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64 file /sys conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64 So remove /sys and /proc as base-files has already provided them. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* rpm: disable inhibit plugin for rpm-nativeChen Qi2018-10-171-0/+1
| | | | | | | | | | | | | | | We have a bbappend file which enables plugins for rpm. We need to ensure to also disable the inhibit plugin for rpm-native. Otherwise, we get the following warning at rootfs time. Unable to get systemd shutdown inhibition lock: Socket name too long The inhibit plugin tries to inhibit shutdown during rpm operation. It obviously makes no sense for rpm-native, as 1) we may not build on a systemd based host and 2) the build process does not affect the package management on host. Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
* libsign: Fix build failure with GCC 8.xYunguo Wei2018-10-081-1/+1
| | | | Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* layer.conf: update LAYERSERIES_COMPAT `sumo' -> `thud'Hongxu Jia2018-10-089-9/+9
| | | | | | | | Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and `9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core, update LAYERSERIES_COMPAT `sumo' -> `thud' Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* Set the default password for secure-core-imageJia Zhang2018-09-261-0/+3
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* openssl-tpm-engine: rebase ↵Hongxu Jia2018-09-262-33/+41
| | | | | | 0005-tpm-openssl-tpm-engine-parse-an-encrypted-TPM-key-pa.patch to 0.5.0 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* openssl-tpm-engine: update SRC_URI and update to 0.5.0Armin Kuster2018-09-268-160/+142
| | | | | | | | | | | | | change to a fork that is being maintained and that enabled openssl 1.1 Refresh patches Drop one no longer needed Signed-off-by: Armin Kuster <akuster808@gmail.com> Backport from meta-security http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/commit/?id=3bae06e29b60d71177cb63ad0b85bc5c46f7a144 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* trousers: support openssl 1.1.xHongxu Jia2018-09-261-1/+1
| | | | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* tpm-tools: support openssl 1.1.xHongxu Jia2018-09-262-7/+7
| | | | | | | | | | | - Support openssl 1.1.x - Fix compile warning |tpm_extendpcr.c:55:4: warning: 'strncpy' specified bound 4096 equals destination size [-Wstringop-truncation] | strncpy(in_filename, aArg, PATH_MAX); Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* tpm-tools: refresh patch to fix QA WARNINGHongxu Jia2018-09-261-20/+37
| | | | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* Clean up the stuffs for stable branchesJia Zhang2018-09-2022-808/+11
| | | | | | | | | | | The following commits are reverted by the way: - seloader: Fix building for rocko (bc6bbe2) - meta-integrity: rpm: Add back in required patches for rocko (5fa9c85) Because they are only applicable to rocko. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* libsign: Fix build faiure due to -fstack-protector-strongJia Zhang2018-09-171-0/+1
| | | | | | | SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work with CCLD. To work around this issue, filter out it from LDFLAGS. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* libsign: Update to the latestJia Zhang2018-09-171-1/+2
| | | | | | - Use CCLD to build executable and library. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* mokutil: Fix build failure due to missing crypt.hJia Zhang2018-09-171-1/+1
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* kernel-initramfs: rename INITRAMFS_BASE_NAME to INITRAMFS_NAMEYi Zhao2018-09-181-2/+2
| | | | | | | | The *_BASE_NAME was renamed to *_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b. So we also need to do the same thing here. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* linux-yocto-efi-secure-boot: rename type variable to imageTypeYi Zhao2018-09-181-12/+12
| | | | | | | | The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type variable to imageType in kernel.bbclass to avoid confusion with "type" command in shell. We also do the same thing here. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* linux-yocto-efi-secure-boot: rename KERNEL_IMAGE_BASE_NAME to ↵Yi Zhao2018-09-181-2/+2
| | | | | | | | | | KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to *_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b. So we also need to do the same thing here. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* cryptfs-tpm2: Fix build faiure due to -fstack-protector-strongJia Zhang2018-09-171-0/+1
| | | | | | | SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work with CCLD. To work around this issue, filter out it from LDFLAGS. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* cryptfs-tpm2: Update to the latestJia Zhang2018-09-171-3/+4
| | | | | | | - Follow up the regular way to include header file. - Use CCLD to build executable and library. Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* cryptfs-tpm2: uprev to 0.7Yunguo Wei2018-09-121-6/+6
| | | | | | | | Now cryptfs-tpm2 supports both TSS 1.x and 2.x API. Please specify "TSS2_VER=1" in EXTRA_OEMAKE to support 1.x API. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* efitools: refresh patch to fix QA warningYi Zhao2018-09-061-6/+3
| | | | | | Refresh patch Build-DBX-by-default.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* efitools: add the deployed artifacts to SSTATE_DUPWHITELISTYi Zhao2018-09-061-0/+2
| | | | | | | | | | | | | | | | | | | The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error when enable multilib: $ bitbake efitools lib32-efitools ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The recipe lib32-efitools is trying to install files into a shared area when those files already exist. Those files and their manifest location are: /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi (matched in manifest-qemux86_64-efitools.deploy) Please verify which recipe should provide the above files. Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* seloader: add the deployed artifacts to SSTATE_DUPWHITELISTYi Zhao2018-09-061-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error when enable multilib: $ bitbake seloader lib32-seloader ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The recipe lib32-seloader is trying to install files into a shared area when those files already exist. Those files and their manifest location are: /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi (matched in manifest-qemux86_64-seloader.deploy) Please verify which recipe should provide the above files. Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* key-store: fix incorrect postpone to first bootHongxu Jia2018-09-051-13/+11
| | | | | | | | | | | After postinst was executed at do_rootfs successfully, there will be no first boot to redo. Since `229f4e9 package.bbclass: add support for pkg_postinst_ontarget()' applied in oe-core, use pkg_postinst_ontarget to instead. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* cryptsetup_%.bbappend: move lvm2-udevrules from RDEPEND to RRECOMMENDSHongxu Jia2018-08-271-1/+2
| | | | | | | | | | | | | | when configuring lvm2 without udev, lvm2-udevrules package is empty, causing do_rootfs failure. Error: ERROR: wrlinux-image-glibc-std-1.0-r5 do_rootfs: Function failed: do_rootfs Problem: conflicting requests - nothing provides lvm2-udevrules needed by cryptsetup-1.7.4-r0.corei7_64 Move lvm2-udevrules from RDEPEND to RRECOMMENDS could workaround the issue. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* libsign: Enable nativesdk supportTom Rini2018-08-251-2/+2
| | | | | | | Bump up to the current top of libsign so that we can easily get a copy of selsign that can be put into an SDK. Signed-off-by: Tom Rini <trini@konsulko.com>
* sbsigntool: Enable nativesdk supportTom Rini2018-08-252-2/+5
| | | | | | | | There are times were we might want to include sbsigntool into an SDK so rename the recipe and extend to include nativesdk. We also need gnu-efi to support nativesdk so include that in a bbappend. Signed-off-by: Tom Rini <trini@konsulko.com>
* tpm2: move configure optionTrevor Woerner2018-08-032-1/+4
| | | | | | | The --with-udevrulesdir configure option has been moved from tpm2-abrmd to tpm2-tss in the code, therefore move its associated EXTRA_OECONF to suit. Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* tpm2: update release recipesTrevor Woerner2018-08-0315-232/+94
| | | | | | | | tpm2-tss: 1.4.0 -> 2.0.0 tpm2-abrmd: 1.3.1 -> 2.0.1 tpm2-tools: 3.0.4 -> 3.1.1 Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* meta-integrity: rpm: Add back in required patches for rockoTom Rini2018-07-3112-0/+797
| | | | | | | | | | In 59a9f43b899c ("meta-integrity: Drop RPM patches that are upstream now") we removed patches to RPM that were not required with a move up to 4.14.0 as they are upstream. However, rocko ships with an older version of RPM and still needs these patches. Add conditional logic to apply these patches only for rocko. Signed-off-by: Tom Rini <trini@konsulko.com>
* seloader: Fix building for rockoTom Rini2018-07-311-0/+2
| | | | | | | | | When building on rocko we have gnu-efi version 3.0.6 around and seloader needs to be told this for certain string functions to be provided by itself rather than gnu-efi. Add in conditional logic to pass this only for rocko. Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Mark as compatible with rockoTom Rini2018-07-259-9/+9
| | | | | | | As we also work with the 'rocko' release list that in our LAYERSERIES_COMPAT. Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Include secure-core for kernel-initramfs.bbMark Hatle2018-07-181-0/+1
| | | | | | | | | | | | The kernel-initramfs.bbappend depends on kernel-initramfs.bb in meta-secure-core/meta/recipes-core/images/ Fix parsing error: ERROR: No recipes available for: meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* seloader: Update to 0.4.6Jia Zhang2018-07-171-2/+2
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* tpm2 git AUTOREV fix for BB_NO_NETWORKTrevor Woerner2018-07-103-3/+21
| | | | | | | | | | | | | | | | | | | Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV, even if that recipe will not ultimately be used for a particular build. Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of the tpm2 recipes will cause the build to fail even if the _git versions are not going to be built (which they won't be by default on account of their DEFAULT_PREFERENCE being set to "-1"). This fix follows the same pattern as https://github.com/sbabic/meta-swupdate/commit/721fcc89c53debcd6582bd1aa972f75297cf12e9 With this fix, the user can disable networking and successfully build the non-_git versions of the tpm2 recipes. If the user wants to build the _git versions, networking must be enabled. The build is expected to fail if the user asks for the _git versions, but disables networking. Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* util-linux: allow -static linking for switch_root.staticJoe Slater2018-07-061-1/+3
| | | | | | | Specify -no-pie to override possible -pie default. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Fix parsing bug where SYSTEM_TRUSTED and SECONDARY_TRUSTED were always ↵fraser2018-06-291-2/+2
| | | | parsed as true
* Revert "tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc"Trevor Woerner2018-06-265-9/+18
| | | | This reverts commit 0bb383b60a8f61df2c4e078d34294e5ef996445b.
* Add root parameter configuration in boot command line.Jinliang Li2018-06-262-0/+10
| | | | | | | It is helpful when secure boot is enabled, because you can not modify boot command line after boot-menu.inc is signed before deploying. Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
* linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to ↵Yi Zhao2018-06-201-1/+1
| | | | | | | | | | | | copy kernel p7b file In commit 1c96c0d09614a3a692a8bee201e34694f26c436a, the kernel p7b file is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/ to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-19 21:47:05 +0000