path: root/meta-signing-key/classes/user-key-store.bbclass
Commit message | Author | Age | Files | Lines
* meta-secure-core: Convert to new override syntax | Yi Zhao | 2021-08-09 | 1 | -1/+1
  Converting the metadata to use ":" as the override character instead of "_".
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Revert "user-key-store.bbclass: Kill gpg agent daemon after gpg sign" | Liwei Song | 2021-04-21 | 1 | -4/+0
  This reverts commit fc8969af8a34ff93ede7d44a492750446154d950.
  In a parallel build this will lead to a sign error because the gpg-agent in use may be killed in another task.
  Signed-off-by: Liwei Song <liwei.song@windriver.com>
* meta-signing-key user-key-store.bbclass: don't req tools from efi-secure-boot | Mark Hatle | 2021-04-21 | 1 | -2/+2
  If efi-secure-boot distro flag has not been set, then do not require the sbsigntool, libsign and efitools.
  Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* Typo fix: Don't enforce to use RPM | jussike | 2021-01-14 | 1 | -1/+1
* user-key-store.bbclass: exclude ${GPG_PATH} from pseudo database | Yi Zhao | 2020-12-09 | 1 | -0/+1
  Adapt to recent pseudo changes.
  Fixes:
  ERROR: grub-efi-2.04-r0 do_sign: Failed to import gpg key
  gpg: key 9E3086F96EEECC34/9E3086F96EEECC34: error sending to agent: End of file
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* check_gpg_key: Fix gpg-agent.conf creation race condition | Ovidiu Panait | 2020-10-19 | 1 | -1/+4
  If GPG_PATH is already created by signing-keys do_get_public_keys task, subsequent executions of do_package_write_rpm will not create the gpg-agent.conf file anymore. Therefore, the spawned gpg-agent will miss important features such as auto-expand-secmem, leading to the following intermittent build errors:
  ....
  Subprocess output:
  gpg: signing failed: Cannot allocate memory
  gpg: signing failed: Cannot allocate memory
  error: gpg exec failed (2)
  gpg: signing failed: Cannot allocate memory
  gpg: signing failed: Cannot allocate memory
  error: gpg exec failed (2)
  ...
  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
* user-key-store.bbclass: Kill gpg agent daemon after gpg sign | De Huo | 2020-04-27 | 1 | -0/+4
  The gpg-agent daemon will be triggered to run in function boot_sign. This daemon will not exit even after building the project. So kill the gpg-agent daemon after the gpg signing process at the end of function boot_sign.
  Signed-off-by: De Huo <De.Huo@windriver.com>
* fixup! sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation | Ovidiu Panait | 2020-03-03 | 1 | -6/+9
  If GPG_PATH is already created by signing-keys do_get_public_keys task, subsequent executions of do_package_write_rpm will fail with "Filename too long" errors (this only affects builds using GPG paths larger than 80 characters).
  Fix this race condition by making sure that the redirection files are always present in the gpg homedir even if the directory already exists when the first package_write_rpm task executes.
  Also, make sure this new approach does not affect GPG_PATHs smaller than 80 chars.
  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
* sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation | Ovidiu Panait | 2020-03-01 | 1 | -0/+11
  Currently, an error will be thrown when trying to use a GPG homedir whose path length exceeds 80 characters. This limitation can be worked around by providing libassuan socket redirection files for "S.gpg-agent.yocto-native", "S.gpg-agent.ssh", "S.gpg-agent.browser" and "S.gpg-agent.extra" sockets. The redirection files will point to the real sockets in /tmp directory. The sockets will be automatically cleaned up by gpg agent.
  References:
  [1] https://dev.gnupg.org/T1752
  [2] https://gnupg.org/documentation/manuals/assuan.pdf
  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
* user-key-store.bbclass: let MOK_SB be overrided | Sandra Tobajas | 2020-01-16 | 1 | -1/+1
  If efi-secure-boot distro feature is enabled, allow the possibility of enabling only the UEFI SecureBoot (through the UEFI_SB Bitbake variable) without the MOK_SB variable. Allow explicitly overriding the MOK_SB Bitbake variable.
  Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
* user-key-store.bbclass: Depend on gnupg-native to always use provided gpg | Jason Wessel | 2019-12-13 | 1 | -1/+1
  On some host configurations such as Ubuntu 16.04 the gnupg in /usr/bin is the 1.x version. This can cause problems between the import and signing process if the gpg version is different. The commands in the user-key-store class assume gnupg is at least version 2.2 or newer.
  To avoid the signing phase failing for the efitools and the kernel, the user-key-store class should depend on the gnupg-native binaries. It avoids this specific error:
  ERROR: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_sign: Failed to sign: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
  ERROR: Logfile of failure stored in: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/temp/log.do_sign.22969
  NOTE: recipe efitools-1.9.2+gitAUTOINC+392836a46c-r0: task do_sign: Failed
  [ Issue: LIN1019-3757 ]
  Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
* secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1 | Jason Wessel | 2019-11-08 | 1 | -0/+8
  This commit makes the SELoader entirely optional and allows it to be removed, with the intended replacement being to use grub's built-in gpg key verification.
  It will be possible in a template or local.conf:
  UEFI_SELOADER = "0"
  GRUB_SIGN_VERIFY = "1"
  [ Issue: LINUXEXEC-2450 ]
  Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
* sign_rpm_ext.bbclass, user-key-store.bbclass: Add boot loader signing | Jason Wessel | 2019-11-08 | 1 | -0/+63
  This changes the rpm signing setup to use a generic routine check_gpg_key(), in order that the boot loader gpg signing can use the same infrastructure.
  For now the boot loader gpg signing will only support grub and introduces the variable:
  GRUB_SIGN_VERIFY = "1"
  This variable is a control point to activate the code in grub-efi to perform file verification of any file it loads against a gpg key which is linked into the boot loader with grub-mkimage. It will also cause all the other files such as the kernel, initramfs and LockDown.efi to be signed such that grub will verify the files.
  [ Issue: LINUXEXEC-2450 ]
  Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
* fixup! meta-secure-core: use bb.fatal instead of bb.build.FuncFailed | Yi Zhao | 2019-08-19 | 1 | -1/+1
* meta-secure-core: use bb.fatal instead of bb.build.FuncFailed | Yi Zhao | 2019-08-19 | 1 | -4/+4
  The bb.build.FuncFailed had been removed in bitbake with commit cfeffb602dd5319f071cd6bcf84139ec77f2d170. Use bb.fatal instead of it.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-signing-key: When deploying keys UEFI keys, deploy DER format | Tom Rini | 2018-10-25 | 1 | -0/+4
  Generally speaking, for firmware to import PK/KEK/DB keys they need to be in the binary "DER" format and typically have the "cer" file extension. When deploying our keys, convert what we have to that format and deploy as well for ease of use.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* Fix parsing bug where SYSTEM_TRUSTED and SECONDARY_TRUSTED were always parsed as true | fraser | 2018-06-29 | 1 | -2/+2
* meta-signing-key: Rename "extra trusted" to "secondary" | Tom Rini | 2018-05-17 | 1 | -14/+14
  The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system".
  Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-signing-key: support to build key-store with modsign and extra system trusted key support | Jia Zhang | 2017-11-21 | 1 | -2/+60
  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* meta-signing-key, meta-efi-secure-boot: Rework for dependencies | Tom Rini | 2017-11-16 | 1 | -1/+1
  The content of meta-signing-key depends on a few recipes within meta-efi-secure-boot. However, meta-signing-key can be used without meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will also provide a more correct set of dependencies as we cannot say that both layers depend on each other. While doing this, within meta-signing-key only depend on content from meta-efi-secure-boot if the efi-secure-boot DISTRO_FEATURE is set.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* user-key-store.bbclass: add deploy_rpm_keys (#20) | Wenzong Fan | 2017-09-25 | 1 | -0/+10
  Fix warning:
  WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* Fix the user rpm sign key can not be found issue (#5) | Guojian | 2017-08-22 | 1 | -4/+0
  When the SIGNING_MODEL is set to "user", the signing-keys recipes will fail on the get_public_keys task. The uks_rpm_keys_dir() function could not return the right rpm_keys directory when the SIGNING_MODEL is set to "user".
  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* sign_rpm_ext: support RPM signing | Lans Zhang | 2017-08-17 | 1 | -2/+18
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-secure-core: code style fixup | Lans Zhang | 2017-07-28 | 1 | -1/+1
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* user-key-store.bbclass: set SYSTEM_TRUSTED only if ima is configured | Lans Zhang | 2017-07-25 | 1 | -1/+1
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* user-key-store.bbclass: don't run check_deploy_keys in parallel | Lans Zhang | 2017-07-25 | 1 | -0/+2
  Set lockfile for task check_deploy_keys() to avoid the race error from 'cp -af':
  cp: cannot create regular file '.../tmp/deploy/images/intel-x86-64/
  sample-keys/uefi_sb_keys/DBX/DBX.key': File exists
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* user-key-store: don't call anonymous function | Lans Zhang | 2017-07-11 | 1 | -1/+1
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-integrity: implement the system trusted cert and IMA trusted cert | Lans Zhang | 2017-07-04 | 1 | -2/+2
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* user-key-store: clean up the code style | Lans Zhang | 2017-07-03 | 1 | -80/+16
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-secure-core: initial commit | Lans Zhang | 2017-06-22 | 1 | -0/+440
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>