mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
@@ -0,0 +1,18 @@
|
||||
FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
|
||||
|
||||
IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
|
||||
|
||||
DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
|
||||
# key-store-ima-cert is required in runtime but we hope it is available
|
||||
# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
|
||||
|
||||
SRC_URI += " \
|
||||
${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
|
||||
"
|
||||
|
||||
do_configure_append() {
|
||||
[ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ] &&
|
||||
openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
|
||||
-outform DER -out "${B}/system_trusted_cert.x509" ||
|
||||
true
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
include linux-yocto-integrity.inc
|
||||
@@ -0,0 +1,35 @@
|
||||
..........................................................................
|
||||
. WARNING
|
||||
.
|
||||
. This file is a kernel configuration fragment, and not a full kernel
|
||||
. configuration file. The final kernel configuration is made up of
|
||||
. an assembly of processed fragments, each of which is designed to
|
||||
. capture a specific part of the final configuration (e.g. platform
|
||||
. configuration, feature configuration, and board specific hardware
|
||||
. configuration). For more information on kernel configuration, please
|
||||
. consult the product documentation.
|
||||
.
|
||||
..........................................................................
|
||||
|
||||
CONFIG_IMA=y
|
||||
CONFIG_IMA_MEASURE_PCR_IDX=10
|
||||
# CONFIG_IMA_TEMPLATE is not set
|
||||
# CONFIG_IMA_NG_TEMPLATE=y is not set
|
||||
CONFIG_IMA_SIG_TEMPLATE=y
|
||||
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
|
||||
CONFIG_IMA_DEFAULT_HASH_SHA256=y
|
||||
# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
|
||||
# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
|
||||
CONFIG_IMA_DEFAULT_HASH="sha256"
|
||||
CONFIG_IMA_APPRAISE=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
|
||||
CONFIG_SYSTEM_TRUSTED_KEYRING=y
|
||||
CONFIG_IMA_LOAD_X509=y
|
||||
CONFIG_IMA_TRUSTED_KEYRING=y
|
||||
CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
|
||||
# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
|
||||
CONFIG_AUDIT=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
@@ -0,0 +1,4 @@
|
||||
define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
|
||||
define KFEATURE_COMPATIBILITY board
|
||||
|
||||
kconf non-hardware ima.cfg
|
||||
@@ -0,0 +1 @@
|
||||
include linux-yocto-integrity.inc
|
||||
Reference in New Issue
Block a user