| Commit message | Author | Age | Files | Lines |

Refresh the following patches:
0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
Grub-get-and-set-efi-variables.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.
Signed-off-by: Tom Rini <trini@konsulko.com>

- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
to test if the files exist anymore. And when signing, we can sign all
of them now.
- Add some python to do_package to update all of the ALTERNATIVES
variables dynamically based on how we're configured. This introduces
an alternative for the initramfs portion as well so there is a stable
name.
Signed-off-by: Tom Rini <trini@konsulko.com>

- In all cases, when building Linux apps (and thus linking with gcc) we
need to pass in the normal set of LDFLAGS for both rpath and link hash
type.
- Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI
apps (and thus linking with ld) we don't need to pass in other special
flags. When linking the "openssl" apps we do not need to spell out
the crtN files as gcc handles that for us, they are normal Linux apps.
Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.
With all of these changes we are now able to reuse sstate cache between
build directories.
Signed-off-by: Tom Rini <trini@konsulko.com>

Our "init" script requires additional directories to exist and since we
don't pull in something like base-files that gives us a full layout we
must make these additional directories on our own.
Signed-off-by: Tom Rini <trini@konsulko.com>

- You must ensure that RPM is used in PACKAGE_CLASSES.
- We need to remove image-prelink from USER_CLASSES. Prelinking the
image at creation time (as happens on x86/x86_64) will result in the
IMA hash of files changing from the recorded signature and
verification will fail.
Signed-off-by: Tom Rini <trini@konsulko.com>

Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS.
Signed-off-by: Tom Rini <trini@konsulko.com>

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

The sources require that we have pkgconfig support as well, add missing
inherit.
Signed-off-by: Tom Rini <trini@konsulko.com>

ima_inspect is a small program that gives a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.
Signed-off-by: Tom Rini <trini@konsulko.com>

As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>

base_read_file has been removed from oe-core so use the
replacement function oe.utils.read_file.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>

oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>

Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

The kernel module will be stripped during do_package, including the
modsign signature.
Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot. However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on each other. While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.
Signed-off-by: Tom Rini <trini@konsulko.com>

Include what's required to have rpms be signed in the example section.
Signed-off-by: Tom Rini <trini@konsulko.com>

evmctl is able to import DER format certificate only.
Although *.crt doesn't necessarily mean it's a PEM certificate, *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

rpm-integrity is required for RPM signing which is enabled by default.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

shim will uninstall MOK Verify Protocol when launching fallback,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do_rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>

Fix 32bit assembler errors:
| /tmp/ccJyZFtJ.s: Assembler messages:
| /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)'
| /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi'
...
| make[1]: *** [<builtin>: security_policy.o] Error 1
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

Fix the error:
mok2verify.c:169:53: error: \
format '%lx' expects argument of type 'long unsigned int', \
but argument 3 has type 'grub_efi_status_t {aka int}' \
[-Werror=format=]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* rebase patches:
- keyutils_fix_library_install.patch
- keyutils-remove-m32-m64.patch
* append '-Wall' to CFLAGS for fixing:
.../recipe-sysroot/usr/include/features.h:376:4: error: \
#warning _FORTIFY_SOURCE requires compiling with \
optimization (-O) [-Werror=cpp]
* cleanup alternative targets, the *keyring*.7 files have been
removed from keyutils 1.5.10.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* install 'packagegroup-tpm2-initramfs' if distro flag 'tpm2' is set
* install 'initrdscripts-ima' if distro flag 'ima' is set
* install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

meta-oe layer split the udevrules for lvm2 into a new package.
Add lvm2-udevrules into cryptsetup RDEPENDS list.
Signed-off-by: Jiang Lu <lu.jiang@windriver.com>

The "${S}" is not used for kernel-initramfs and it will
clean up the kernel source code if it is specified to
${STAGING_KERNEL_DIR}, thus remove this definition.
Signed-off-by: Fupan Li <fupan.li@windriver.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for an MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

When openssl-tpm-engine lib is used on an unattended device, there is no
way to input the TPM key password. So add this feature to support parsing an
encrypted (AES algorithm) TPM key password from env.
The default decrypting AES password and salt are set in the bb file.
When we create a TPM key (TSS format), generate 8 bytes of random data
as its password, and then we need to encrypt the password with the same
AES password and salt in the bb file.
Lastly, we set an env as below:
export TPM_KEY_ENC_PW=xxxxxxxx
"xxxxxxxx" is the encrypted TPM key password for libtpm.so.
Signed-off-by: Meng Li <Meng.Li@windriver.com>