summaryrefslogtreecommitdiffstats
path: root/meta-efi-secure-boot
Commit message (Collapse)AuthorAgeFilesLines
* kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag setYi Zhao2018-12-082-37/+38
| | | | | | | | | | | | | | | | | | | | | | | When the meta-efi-secure-boot layer is included but feature efi-secure-boot is not set. We got the following error with kernel-initramfs building: ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995) ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995 Log data follows: | DEBUG: Executing python function sstate_task_prefunc | DEBUG: Python function sstate_task_prefunc finished | DEBUG: Executing shell function do_deploy | install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory | WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs' | ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995) ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1' Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc and add a new bbappend. Make sure this piece of code should be applied only if the efi-secure-boot feature is set. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-boot: Ensure openssl-native exists when we need itTom Rini2018-12-084-2/+5
| | | | | | | | | | | In order to deploy our secure boot keys in DER format we need to use openssl. This must be listed in our DEPENDS line in order for the sysroot to be populated correctly when we run do_sign. Also drop the explicit fakeroot on our empty grub-efi do_sign as we may not have globally populated virtual/fakeroot-native at that point in time. Fixes: 92316d4b402b ("meta-signing-key: When deploying keys UEFI keys, deploy DER format") Signed-off-by: Tom Rini <trini@konsulko.com>
* Maintain the stable branch rockoJia Zhang2018-09-212-3/+2
| | | | | | | | | | | | | | | | The modifications based on the following commits are made by the way: - seloader: Fix building for rocko (bc6bbe2) - meta-integrity: rpm: Add back in required patches for rocko (5fa9c85) Because the sanity check for rocko now becomes unnecessary. In addition, the meta-intel-sgx is removed because it is still experimental. - meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711) Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* efitools: refresh patch to fix QA warningYi Zhao2018-09-061-6/+3
| | | | | | Refresh patch Build-DBX-by-default.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* efitools: add the deployed artifacts to SSTATE_DUPWHITELISTYi Zhao2018-09-061-0/+2
| | | | | | | | | | | | | | | | | | | The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error when enable multilib: $ bitbake efitools lib32-efitools ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The recipe lib32-efitools is trying to install files into a shared area when those files already exist. Those files and their manifest location are: /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi (matched in manifest-qemux86_64-efitools.deploy) Please verify which recipe should provide the above files. Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* seloader: add the deployed artifacts to SSTATE_DUPWHITELISTYi Zhao2018-09-061-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error when enable multilib: $ bitbake seloader lib32-seloader ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The recipe lib32-seloader is trying to install files into a shared area when those files already exist. Those files and their manifest location are: /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi (matched in manifest-qemux86_64-seloader.deploy) /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi (matched in manifest-qemux86_64-seloader.deploy) Please verify which recipe should provide the above files. Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* sbsigntool: Enable nativesdk supportTom Rini2018-08-251-0/+1
| | | | | | | | There are times were we might want to include sbsigntool into an SDK so rename the recipe and extend to include nativesdk. We also need gnu-efi to support nativesdk so include that in a bbappend. Signed-off-by: Tom Rini <trini@konsulko.com>
* seloader: Fix building for rockoTom Rini2018-07-311-0/+2
| | | | | | | | | When building on rocko we have gnu-efi version 3.0.6 around and seloader needs to be told this for certain string functions to be provided by itself rather than gnu-efi. Add in conditional logic to pass this only for rocko. Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Mark as compatible with rockoTom Rini2018-07-251-1/+1
| | | | | | | As we also work with the 'rocko' release list that in our LAYERSERIES_COMPAT. Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Include secure-core for kernel-initramfs.bbMark Hatle2018-07-181-0/+1
| | | | | | | | | | | | The kernel-initramfs.bbappend depends on kernel-initramfs.bb in meta-secure-core/meta/recipes-core/images/ Fix parsing error: ERROR: No recipes available for: meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* seloader: Update to 0.4.6Jia Zhang2018-07-171-2/+2
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* Add root parameter configuration in boot command line.Jinliang Li2018-06-261-0/+6
| | | | | | | It is helpful when secure boot is enabled, because you can not modify boot command line after boot-menu.inc is signed before deploying. Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
* linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to ↵Yi Zhao2018-06-201-1/+1
| | | | | | | | | | | | copy kernel p7b file In commit 1c96c0d09614a3a692a8bee201e34694f26c436a, the kernel p7b file is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/ to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix this issue. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* linux-yocto-efi-secure-boot: fix typoYi Zhao2018-06-201-1/+1
| | | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* layer.conf: add LAYERSERIES_COMPATTrevor Woerner2018-05-261-0/+2
| | | | | | see https://patchwork.openembedded.org/patch/140542/ Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* seloader: sync up with the latestJia Zhang2018-05-201-1/+1
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* grub-efi: remove aarch64 from COMPATIBLE_HOSTKai Kang2018-05-161-0/+3
| | | | | | | Functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet, so remove 'aarch64' from COMPATIBLE_HOST for now. Signed-off-by: Kai Kang <kai.kang@windriver.com>
* linux-yocto-efi-secure-boot: Package unversioned signature as symlinkTom Rini2018-05-131-1/+3
| | | | | | | | To match the usual user experience of having /boot/${KERNEL_IMAGETYPE} exist as a symlink to the real kernrel, also have our signature file exist for that as a symlink and include it in the package file. Signed-off-by: Tom Rini <trini@konsulko.com>
* grub-efi: fix compile errors for arm64Kai Kang2018-05-112-20/+32
| | | | | | | It fails to build grub-efi for arm64. Add definitions of missing macros and replace x86 specified asm codes with function grub_halt(). Signed-off-by: Kai Kang <kai.kang@windriver.com>
* grub-efi: refresh patches to fix QA warningYi Zhao2018-05-103-13/+23
| | | | | | | | | Refresh the following patches: 0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch 0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch Grub-get-and-set-efi-variables.patch Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-efi-secure-core: Move kernel-initramfs.bbappendTom Rini2018-05-061-0/+0
| | | | | | | As the main recipe resides in meta/recipes-core/images/ move the append to recipes-core/images/ as well for consistency. Signed-off-by: Tom Rini <trini@konsulko.com>
* kernel-initramfs: Rework to use update-alternatives directlyTom Rini2018-05-061-42/+19
| | | | | | | | | | | | | | - All valid initramfs types will be listed in INITRAMFS_FSTYPES so use that variable rather than open-coding a list of possibilities. - Since we're using the list of things that must exist now we don't need to test if the files exist anymore. And when signing, we can sign all of them now. - Add some python to do_package to update all of the ALTERNATIVES variables dynamically based on how we're configured. This introduces an alternative for the initramfs portion as well so there is a stable name. Signed-off-by: Tom Rini <trini@konsulko.com>
* efitools: Rework how we deal with rpath and linking of Linux appsTom Rini2018-05-023-30/+28
| | | | | | | | | | | | | | | | - In all cases, when building Linux apps (and thus linking with gcc) we need to pass in the normal set of LDFLAGS for both rpath and link hash type. - Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI apps (and thus linking with ld) we don't need to pass in other special flags. When linking the "openssl" apps we do not need to spell out the crtN files as gcc handles that for us, they are normal Linux apps. Ensure that all Linux apps get our EXTRA_LDFLAGS passed in. With all of these changes we are now able to reuse sstate cache between build directories. Signed-off-by: Tom Rini <trini@konsulko.com>
* grub/boot-menu: Rename _bakup suffix to _backupJia Zhang2018-03-191-3/+3
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* seloader: sync up with upstreamJia Zhang2018-02-281-1/+1
| | | | Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* efitools: use oe.utils.str_filter_outJackie Huang2018-02-071-2/+2
| | | | | | | oe_filter_out has been removed from oe-core so use the replacement function oe.utils.str_filter_out. Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
* meta-signing-key, meta-efi-secure-boot: Rework for dependenciesTom Rini2017-11-1610-549/+0
| | | | | | | | | | | | The content of meta-signing-key depends on a few recipes within meta-efi-secure-boot. However, meta-signing-key can be used without meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will also provide a more correct set of dependencies as we cannot say that both layers depend on eachother. While doing this, within meta-signing-key only depend on content from meta-efi-secure-boot if the efi-secure-boot DISTRO_FEATURE is set. Signed-off-by: Tom Rini <trini@konsulko.com>
* seloader: sync up with upstreamJia Zhang2017-10-271-1/+1
| | | | Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* shim: drop fallbackJia Zhang2017-10-277-148/+7
| | | | | | | | | shim will uninstall MOK Verify Protocol when launching fallack, implying it is impossible to get the instance of MOK Verify Protocol for SELoader. This behavior violates the original intention of introducing fallback. Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* shim: disable OVERRIDE_SECURITY_POLICY for 32bit target (#25)Wenzong Fan2017-09-301-1/+2
| | | | | | | | | | Fix 32bit assembler errors: | /tmp/ccJyZFtJ.s: Assembler messages: | /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)' | /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi' ... | make[1]: *** [<builtin>: security_policy.o] Error 1 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* grub-efi: fix build error with qemux86 (#24)Wenzong Fan2017-09-291-1/+1
| | | | | | | | | Fix the error: mok2verify.c:169:53: error: \ format '%lx' expects argument of type 'long unsigned int', \ but argument 3 has type 'grub_efi_status_t {aka int}' \ [-Werror=format=] Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MITJia Zhang2017-09-021-2/+1
| | | | | | | | ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM. This will become an error in the future. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-efi-secure-boot/README.md: document shim_cert as unusedJia Zhang2017-08-261-2/+4
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* shim: sync up with upstreamJia Zhang2017-08-237-335/+22
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* encrypted-storage: use luks as the feature name for current implementationJia Zhang2017-08-201-5/+4
| | | | | | | | encrypted-storage layer will include more security features about encrypted storage so the term "encrypted-storage" won't be used to specify a dedicated technology term such as "LUKS". Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* grub-efi: remove the unused patchJia Zhang2017-08-181-30/+0
| | | | Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* efitools: fix searching openssl.cnf for target buildJia Zhang2017-08-171-2/+1
| | | | | | | Currently, OPENSSL_LIB is only used for locating openssl.cnf in order to work around openssl-1.1.x. Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* efitools: support to build with openssl-1.1.xLans Zhang2017-08-163-0/+78
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* sbsigntool: fix build failure with openssl-1.0.xLans Zhang2017-08-162-9/+33
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* sbsigntool: update to support openssl-1.1.0Lans Zhang2017-08-153-0/+209
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: refresh fallback patchsetLans Zhang2017-08-116-14/+294
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: sync up with upstreamLans Zhang2017-08-091-2/+2
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: sync up with upstreamLans Zhang2017-08-032-8/+8
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: don't set CSV boot entry as the first boot optionLans Zhang2017-08-012-0/+50
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* README.md: simplify the commits for boot flowLans Zhang2017-07-311-5/+5
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-secure-core: code style fixupLans Zhang2017-07-282-5/+5
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* grub-efi: remove the depreciated replacement for initrd= parameterLans Zhang2017-07-281-7/+1
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* grub/boot-menu.inc: use linux and initrd commands instead of chainloader to ↵Lans Zhang2017-07-271-2/+4
| | | | | | | | boot kernel Since bzImage is not signed during the build. Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-efi-secure-boot/README: update to reflect using fallback to chainloader ↵Lans Zhang2017-07-251-12/+17
| | | | | | SELoader Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* shim: use fallback loading SELoaderLans Zhang2017-07-244-24/+69
| | | | Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-21 03:40:11 +0000