Jeremy Kerr's sbsigntools are no longer hosted on git://kernel.ubuntu.com/jk/sbsigntool. A copy exists at git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools. This change is required to build meta-secure-core under sumo.
Generally speaking, for firmware to import PK/KEK/DB keys they need to
be in the binary "DER" format and typically have the "cer" file
extension. When deploying our keys, convert what we have to that format
and deploy as well for ease of use.
Signed-off-by: Tom Rini <trini@konsulko.com>
The following commits are reverted by the way:
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
- meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711)
The former is applicable to rocko only, and the latter is still experimental.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter it out from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
- Use CCLD to build executable and library.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
After postinst was executed at do_rootfs successfully,
there will be no first boot to redo.
Since `229f4e9 package.bbclass: add support for
pkg_postinst_ontarget()' applied in oe-core, use
pkg_postinst_ontarget instead.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Bump up to the current top of libsign so that we can easily get a copy
of selsign that can be put into an SDK.
Signed-off-by: Tom Rini <trini@konsulko.com>
There are times where we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
As we also work with the 'rocko' release, list that in our
LAYERSERIES_COMPAT.
Signed-off-by: Tom Rini <trini@konsulko.com>
parsed as true
see https://patchwork.openembedded.org/patch/140542/
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create. To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".
Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
We're missing a leading '-' when we combine pn and ima-privkey here,
add.
Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot. However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on each other. While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.
Signed-off-by: Tom Rini <trini@konsulko.com>
Fix warning:
WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
address (#14)
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
1. user key pub rpm package also could be created.
2. The latest bitbake could not support nested d.getVar() function
calls. For example, the following function call always returns "None":
d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)
This caused the key-store-rpm-pubkey rpm package to fail to be created in
the latest oe-core project.
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
The previous cannot be handled by gpg v2 properly when importing it.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
When the SIGNING_MODEL is set to "user", the signing-keys recipes will
fail on the get_public_keys task. uks_rpm_keys_dir() function
could not return the right rpm_keys directory when the
SIGNING_MODEL is set to "user".
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
The DB and KEK now are self-signed.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
- code style fixup
- remove gen_rpm_keyring script
- check gpg version
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
UEFI spec never asks for the fact that KEK must be signed by PK and
DB must be signed by KEK.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Set lockfile for task check_deploy_keys() to avoid the race error from
'cp -af':
cp: cannot create regular file '.../tmp/deploy/images/intel-x86-64/
sample-keys/uefi_sb_keys/DBX/DBX.key': File exists
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
packagegroups are not the end consumers of using user-key-store.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
for private key
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
- Remove USER@host from the certificate subject field
- IMA signing key is protected by a password
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Otherwise the x509 parser in kernel cannot load an x509 certificate without
authorityKeyIdentifier.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
trusted key
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>