| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Use variable GRUB_SECURE_BUILDIN to split grub secure
builtin option from GRUB_BUILDIN, then GRUB_BUILDIN will
not contain secure option for others grub-mkimage to
create no secure grub even though secure boot is enabled
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
| |
Operations like XXX:append += "YYY" are almost always wrong and this
is a common mistake made in the metadata. Improve them to use the
standard format.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Peter Hatina <peter@hatina.eu>
|
| |
|
|
|
|
|
| |
Fix openssl.cnf path for openssl 3.0 to make sure openssl command can
find it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
| |
Drop other releases since they are not compatible anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
| |
Converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
Fixes:
WARNING: shim-12+gitAUTOINC+5202f80c32-r0 do_fetch: Failed to fetch URL git://github.com/rhboot/shim.git, attempting MIRRORS if available
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
|
| | |
|
| |
|
|
|
|
| |
Remove other releases since they are not compatible anymore.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The lockdown support[1] and secure boot detection[2] have been added to
grub 2.06. These verifiers are registered when UEFI Secure Boot is
enabled. Unfortunately, they conflict with the current MOK2 Verify
mechanism. So disable them.
Fixes grub error:
error: failed to verify kernel /bzImage
[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:
| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'
Remove the link file before create it if exists already.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
| |
|
|
|
|
|
|
|
| |
grub-efi-native does not benefit from the extra code/modules that get built for
secure-boot support, it just increases the build time of the package.
Therefore, mark all secure-boot related procedures in the recipe for
class-target only.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
- the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
- the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set,
so there's no need to call insmod;
While at it, remove some unnecessary code duplication.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
| |
|
|
|
|
|
|
|
| |
p7b was replaced by the ${SB_FILE_EXT} variable, but one reference
was omitted during the rework.
Fixes: 31d2105b
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
| |
oe-core now uses the git version for grub-efi, so we'd better to
use the '%' wildcard for the bbappend file name.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
The systemd switched to meson build long time ago. Somehow this bbappend
didn't update. Switch to meson build otherwise these options do not work
at all.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We encountered a file not found error when the symlink filesize is 60:
$ ls -l initrd
lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz
When booting, we got the following error in grub:
error: file `/initrd' not found
The root cause is although the size of diro->inode.symlink is 60, it
includes the trailing '\0'. So if the symlink filesize is exactly 60, it
is also stored in a separate block rather than in the inode.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
| |
Signed-off-by: Bartłomiej Burdukiewicz <bartlomiej.burdukiewicz@gmail.com>
|
| |
|
|
|
|
|
| |
Refresh mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch to
adapt the recent CVEs fixing.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we do adopt path filtering for pseudo, we may filter out ${DEPLOY_DIR}
as not needing to be tracked for "root" permissions. but we do track
the data in ${D} though, when we copy file from ${D} to ${DEPLOY_DIR},
pseudo report a failure
...
|cp: failed to preserve ownership for 'tmp-glibc/work/corei7-64-wrs-linux/
grub-efi/2.04-r0/deploy-grub-efi/efi-unsigned/x86_64-efi/fdt.lst'
: Operation not permitted
...
Disable pseudo for the copy operation
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
| |
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The patch to fix compilation error in efi-tool's console.c is required
This reverts commit a6c3d9fcd2da0d20f2916d36557a73ad8790fd1c.
In <=gnu-efi-3.0.9 variable is named EFI_WARN_UNKOWN_GLYPH, and
in gnu-efi-3.0.11 is renamed in EFI_WARN_UNKNOWN_GLYPH. The patch is
only for users with installed >=gnu-efi-3.0.11 because is in this
version that variable has changed name from EFI_WARN_UNKOWN_GLYPH
to EFI_WARN_UNKNOWN_GLYPH. [1]
In oe-core master branch, the gnu-efi is 3.0.11, we need to add
the fix back
[1] https://bugs.gentoo.org/701152
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If ovmf's do_deploy is run before do_sign, there is a failure
...
|install: cannot stat 'tmp-glibc/work/corei7-64-wrs-linux/ovmf/
edk2-stable201911-r0/ovmf/Pkcs7VerifyDxe.efi.signed': No such file or directory
...
Add do_sign before do_deploy
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| | |
|
| |
|
|
| |
files in the DEPLOYDIR
|
| |
|
|
|
|
|
| |
adjust task order to make sure initrd symlink is ready before
do package.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
|
| |
|
|
| |
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
|
| |
|
|
|
|
| |
Append do_deploy function instead of overriding it.
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
|
| |
|
|
|
|
| |
Let the EFI_BOOT_PATH Bitbake variable be overrided if needed.
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
|
| |
|
|
| |
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
The grub-efi-native build doesn't need to run do_sign task but there are
two prefuncs for do_sign still run in native build. This will cause a
build error when there is no gpg command on the host. Move the functions
to do_sign_prepend_class-target to make sure they only run in target
build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If GRUB_SIGN_VERIFY is not enabled, do_sign will fail in which GPG_PATH
is not set (--homedir None)
...
|DEBUG: Executing python function do_sign
|NOTE: Running: echo "SecureCore" | tmp-glibc/hosttools/gpg --pinentry-mode
loopback --batch --homedir None -u "SecureBootCore" --detach-sign
--passphrase-fd 0 "tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi"
|ERROR: Failed to sign: tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
...
Since GPG_PATH is set in do_sign's prefunc check_boot_public_key if
GRUB_SIGN_VERIFY is enabled, add the same condition to do_sign
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
| |
Since commit [382ffa1 efitools: Fix compilation problem with
latest /usr/include/efi], we should apply the fix to native also.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
While refactoring the code to eliminate the overlap in the copy of the
.sig and .p7b files the UEFI_SELOADER test was not removed. This
results in the .sig files not getting copied to the deploy directory
when using the GRUB_SIGN_VERIFY = "1".
All that is needed is to remove the UEFI_SELOADER test statement.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.
It will be possible in a template or local.conf:
UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow SELoader to be an optional component for secure boot
verification. The GPG_SIGN_VERIFY variable was added to control the
ability to have grub perform all of the verification of the loaded
files using a public key which gets built into grub at the time that
mkimage is run.
It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both
be set to "1". While this configuration could work, it makes very
little sense to use the system that way.
Also enabled is the tftp feature for grub as a builtin. This allows
grub to start from the network when the UEFI is configured to boot off
the network with tftp.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
| gcc -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/git/include/ -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/x86_64 -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/protocol -O2 -g -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check -DGNU_EFI_USE_MS_ABI -DEFI_FUNCTION_WRAPPER -mno-red-zone -DCONFIG_x86_64 -fno-toplevel-reorder -DBUILD_EFI -c console.c -o console.efi.o
| console.c:360:5: error: ‘EFI_WARN_UNKOWN_GLYPH’ undeclared here (not in a function); did you mean ‘EFI_WARN_UNKNOWN_GLYPH’?
| { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"},
| ^~~~~~~~~~~~~~~~~~~~~
| EFI_WARN_UNKNOWN_GLYPH
| ../Make.rules:113: recipe for target 'console.efi.o' failed
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
| x86_64-poky-linux-gcc -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux/../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/9.2.0/include -DDEFAULT_LOADER=L"\SELoaderx64.efi" -DDEFAULT_LOADER_CHAR="\SELoaderx64.efi" -nostdinc -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib/Include -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/x86_64 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/protocol -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/include -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -DOVERRIDE_SECURITY_POLICY -DENABLE_HTTPBOOT -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 -DEFI_ARCH=L"x64" -DDEBUGDIR=L"/usr/lib/debug/usr/share/shim/x64-12-_poky_3.0/" -DVENDOR_CERT_FILE="/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/vendor_cert.cer" -c -o console.o console.c
| console.c:363:5: error: 'EFI_WARN_UNKOWN_GLYPH' undeclared here (not in a function); did you mean 'EFI_WARN_UNKNOWN_GLYPH'?
| 363 | { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"},
| | ^~~~~~~~~~~~~~~~~~~~~
| | EFI_WARN_UNKNOWN_GLYPH
| <builtin>: recipe for target 'console.o' failed
| make[1]: *** [console.o] Error 1
| make[1]: Leaving directory '/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/lib'
| Makefile:223: recipe for target 'lib/lib.a' failed
| make: *** [lib/lib.a] Error 2
| WARNING: exit code 1 from a shell command.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install. It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data. There are several other minor bug fixes, with the short log
shown below.
====
James Bottomley (13):
cert-to-efi-hash-list: fix for openssl 1.1
Version: 1.8.0
Fix Fedora build
Version: 1.8.1
factor out variable signing code
support engine based keys
use SignedData instead of PKCS7 for variable updates
Version: 1.9.0
Makefile: Reverse the order of lib.a and -lcrypto
Version: 1.9.1
sign-efi-sig-list: add man page entry for engine option
sha256: do not align raw section sizes
Version: 1.9.2
pai-yi.huang (1):
efi-updatevar: remove all authenticated attributes from signature
Make.rules | 6 ++---
Makefile | 12 +++++-----
cert-to-efi-hash-list.c | 6 ++++-
efi-updatevar.c | 28 +++++++++++------------
include/openssl_sign.h | 10 ++++++++
include/version.h | 2 +-
lib/Makefile | 2 +-
lib/openssl_sign.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/sha256.c | 8 ++++---
sign-efi-sig-list.c | 59 +++++++++++------------------------------------
10 files changed, 213 insertions(+), 76 deletions(-)
create mode 100644 include/openssl_sign.h
create mode 100644 lib/openssl_sign.c
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
| |
|
|
|
|
| |
Currently the recovery menuentry is not available because we don't
provide bzImage_backup and initrd_backup. Remove this entry.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
| |
|
| |
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
|
| |
|
|
|
|
|
| |
Rather than using pre-compiled EFI drivers, use freshly compiled drivers
from OVMF source tree.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| |
|
|
|
|
|
| |
Package Pkcs7VerifyDxe.efi and Hash2DxeCrypto.efi to be used by SELoader
bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| |
|
|
|
|
|
| |
Add support for verifying PKCS#7 signatures via MOK2 protocol to
multiboot2 command enabling one to load multiboot-capable kernels.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
|
| |
|
|
|
|
|
|
|
| |
Fix the following QA issue:
WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183
chown to root for p7b file to fix uid contamination by host.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
|
