summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* secure-core-image-initramfs: enlarge the max sizeJia Zhang2017-08-231-0/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-signing-key: replace the sample RPM signing keyJia Zhang2017-08-232-44/+83
| | | | | | The previous cannot be handled by gpg v2 properly when importing it. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* shim: sync up with upstreamJia Zhang2017-08-237-335/+22
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* Fix the user rpm sign key can not be found issue (#5)Guojian2017-08-221-4/+0
| | | | | | | | When the SIGNING_MODEL is set to "user", the signing-keys recipes will run failed on the get_public_keys task. uks_rpm_keys_dir() function could not return the right rpm_keys directory when the SIGNING_MODEL is set to "user". Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* signing-keys: fix the race condition when concurrent import operations occurJia Zhang2017-08-201-0/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-tpm: tss 1.x always depends on openssl 1.0.xJia Zhang2017-08-203-3/+3
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* encrypted-storage: use luks as the feature name for current implementationJia Zhang2017-08-2014-30/+29
| | | | | | | | encrypted-storage layer will include more security features about encrypted storage so the term "encrypted-storage" won't be used to specify a dedicated technology term such as "LUKS". Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* create-user-key-store.sh: support gpg 2.x used to generate rpm signing keyJia Zhang2017-08-201-18/+26
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failure due to wrong option positionJia Zhang2017-08-201-2/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: clean upJia Zhang2017-08-201-3/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: define the location of default gpg keyring to TMPDIRJia Zhang2017-08-201-1/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: fix permission warningJia Zhang2017-08-201-1/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failureJia Zhang2017-08-201-2/+2
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext.bbclass: clean upJia Zhang2017-08-191-9/+1
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)Guojian2017-08-191-8/+7
| | | | | | | | | | | | | | | If "GPG_PATH" is set in the init script, then "signing-keys" get_public_keys task will execute failed. So the "GPG_PATH" directory would be created when "GPG_PATH" is set. The do_get_public_keys failed to import gpg key error information is as following: ---------------------------------------------------------------------------------------- ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key (layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore): gpg: fatal: can't create directory `tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)Guojian2017-08-191-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The keyutils-doc package supply some same name man7 files with man-pages, it will cause the rpm package installation or upgrade failed. The keyutils-doc and man-pages rpm packages' transction check error information is as following: -------------------------------------------------------------------- Running transaction test Error: Transaction check error: file /usr/share/man/man7/keyrings.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/persistent-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/process-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/thread-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/user-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 file /usr/share/man/man7/user-session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64 Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* sign_rpm_ext.bbclass: use the default setting from meta-signing-keyJia Zhang2017-08-193-16/+5
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: set default GPG_PATH if it is not specified (#2)yunguowei2017-08-191-0/+15
| | | | | | | | | | | commit 52bf3b6636f95a(meta-integrity: move gpg keyring initialization to signing-keys) tried to initialize keyring in the task check_public_keys of the recipe signing-keys. However, it does work with the recipe signing-keys only, and GPG_PATH can't be passed to other recipes. We bring the python anonymous function back, and it makes sure GPG_PATH is set before signing the packages for every recipe. Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* grub-efi: remove the unused patchJia Zhang2017-08-181-30/+0
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-integrity: move gpg keyring initialization to signing-keysJia Zhang2017-08-172-38/+37
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* efitools: fix searching openssl.cnf for target buildJia Zhang2017-08-171-2/+1
| | | | | | | Currently, OPENSSL_LIB is only used for locating openssl.cnf in order to work around openssl-1.1.x. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: support RPM signingLans Zhang2017-08-174-8/+113
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* efitools: support to build with openssl-1.1.xLans Zhang2017-08-163-0/+78
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* ima-evm-utils: support to build with openssl-1.1.xLans Zhang2017-08-162-0/+300
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* cryptfs-tpm2: sync up with upstreamLans Zhang2017-08-161-1/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* README.md: update reference linksLans Zhang2017-08-162-4/+4
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-integrity/README.md: updateLans Zhang2017-08-161-12/+25
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* sbsigntool: fix build failure with openssl-1.0.xLans Zhang2017-08-162-9/+33
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* init.ima: clean up and allow to load extra IMA policies from the real rootfsLans Zhang2017-08-151-10/+18
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* ima_policy: update the commentLans Zhang2017-08-151-1/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-integrity/README.md: updateLans Zhang2017-08-151-15/+14
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* sbsigntool: update to support openssl-1.1.0Lans Zhang2017-08-153-0/+209
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-integrity/README.md: updateLans Zhang2017-08-151-30/+38
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-signing-key: clean up the default values of sample RPM signing keyLans Zhang2017-08-151-1/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-signing-key: renew the sample keys for UEFI Secure BootLans Zhang2017-08-146-127/+129
| | | | | | The DB and KEK now are self-signed. Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* create-user-key-store.sh: gpg key creation updatesLans Zhang2017-08-112-20/+34
| | | | | | | | - code style fixup - remove gen_rpm_keyring script - check gpg version Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: refresh fallback patchsetLans Zhang2017-08-116-14/+294
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* init: don't explicitly set the LUKS partition nameLans Zhang2017-08-091-1/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* cryptfs-tpm2: sync up with upstreamLans Zhang2017-08-091-1/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: sync up with upstreamLans Zhang2017-08-091-2/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* systemd: work around circular dependency chains found if systemd is ↵Lans Zhang2017-08-091-4/+4
| | | | | | configured to enable cryptsetup Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* systemd: fix the conditions of PACKAGECONFIG for ima and cryptsetupLans Zhang2017-08-042-2/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* systemd: enable ima and cryptsetupLans Zhang2017-08-042-0/+8
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* cryptsetup: depend on lvm2 to include dmsetupLans Zhang2017-08-041-0/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* cryptfs-tpm2: fix RDEPENDSLans Zhang2017-08-041-5/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-encrypted-storage: depend on meta-oeLans Zhang2017-08-041-0/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* kernel-initramfs: set the default priority to -1Lans Zhang2017-08-031-0/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: sync up with upstreamLans Zhang2017-08-032-8/+8
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: don't set CSV boot entry as the first boot optionLans Zhang2017-08-012-0/+50
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* create-user-key-store.sh: self-sign KEK and DBLans Zhang2017-08-011-2/+2
| | | | | | | UEFI spec never ask for the fact that KEK must be signed by PK and DB must be signed by KEK. Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-04 13:53:52 +0000