path: root/meta-signing-key/recipes-support
Commit message | Author | Age | Files | Lines
* key-store: rename ima private key and certificate on target | Yunguo Wei | 2018-11-07 | 1 | -2/+2
  If sample keys are selected, key-store service will deploy IMA private key during first boot, but people may be confused if we deploy a sample private key like "xxx.crt", so this commit is making sure key/cert on target are consistent with key files on build system.
  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* key-store: fix incorrect postpone to first boot | Hongxu Jia | 2018-09-05 | 1 | -13/+11
  After postinst was executed at do_rootfs successfully, there will be no first boot to redo. Since `229f4e9 package.bbclass: add support for pkg_postinst_ontarget()' applied in oe-core, use pkg_postinst_ontarget instead.
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* meta-integrity, meta-signing-key: Populate the secondary keyring | Tom Rini | 2018-05-17 | 1 | -2/+11
  Currently we provide a secondary trusted key that is signed by the primary key. We do not however DER encode this certificate. Update the key-store recipe to also make a DER encoding of this certificate and include it in the same package as the PEM version of the certificate. In the IMA init script, if we have any secondary certificate in a DER encoding, load them into the secondary keyring before we try and load the IMA keys.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-signing-key: Rename "extra trusted" to "secondary" | Tom Rini | 2018-05-17 | 1 | -16/+16
  The way that the create-user-key-store.sh script creates what it has been calling "extra_system_trusted_key" is really what would be considered a "secondary" trusted key as it is signed by the primary key that we create. To make this clearer, as there are other cases for an "extra trusted system key" that are not this key, update the variables, package names, etc, to reflect "secondary" not "extra system".
  Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
  Signed-off-by: Tom Rini <trini@konsulko.com>
* key-store: Fix typo in key-store-ima-privkey name | Tom Rini | 2018-05-12 | 1 | -1/+1
  We're missing a leading '-' when we combine pn and ima-privkey here, add.
  Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-signing-key: support to build key-store with modsign and extra system trusted key support | Jia Zhang | 2017-11-21 | 1 | -4/+54
  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT | Jia Zhang | 2017-09-02 | 1 | -1/+1
  ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM. This will become an error in the future.
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* key-store: Fix two key-store-rpm-pubkey user key issues (#13) | Guojian | 2017-08-24 | 1 | -5/+5
  1. user key pub rpm package also could be created.
  2. The latest bitbake could not support the d.getVar() function nest call. Such as the following function call always returns "None":
     d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)
     It caused the key-store-rpm-pubkey rpm package could not be created in the latest oe-core project.
  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* Fix the occurrence of checking the existence of signing keys | Lans Zhang | 2017-07-12 | 1 | -0/+2
  packagegroups are not the end consumers of using user-key-store.
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* key-store-rpm-pubkey: fix installation failure | Lans Zhang | 2017-07-11 | 1 | -2/+2
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* Code style fixup | Lans Zhang | 2017-07-04 | 1 | -14/+14
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-integrity: implement the system trusted cert and IMA trusted cert | Lans Zhang | 2017-07-04 | 1 | -17/+20
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* Use the DER-formatted system trusted key | Lans Zhang | 2017-07-03 | 1 | -3/+3
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-secure-core: initial commit | Lans Zhang | 2017-06-22 | 1 | -0/+122
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>