mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 12:47:00 +00:00
@@ -1,4 +1,4 @@
|
||||
### meta-secure-env
|
||||
### meta-secure-core
|
||||
This layer provides the following common and platform-specific security
|
||||
features:
|
||||
|
||||
@@ -9,32 +9,22 @@ key. Whenever this feature is enabled, the bootloader and kernel will be
|
||||
signed automatically during the build, implying the signed binaries are
|
||||
contained by the resulting RPM and rootfs image.
|
||||
|
||||
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
|
||||
|
||||
#### MOK Secure Boot
|
||||
For x86 platform, MOK secure boot is based on the UEFI secure boot, adding
|
||||
the shim loader to chainloader the second-stage bootloader. Meanwhile,
|
||||
the shim will also install a protocol which permits the second-stage bootloader
|
||||
to perform similar binary validation, e.g, for linux kernel.
|
||||
|
||||
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
|
||||
|
||||
#### User key store
|
||||
By default, the signing key used by UEFI/MOK secure boot is the sample key for
|
||||
the purposes of development and demonstration. It is not recommended that
|
||||
this sample key be used for a production device and should be replaced by
|
||||
a secret key owned by the user.
|
||||
|
||||
Refer to [meta-signing-key](https://github.com/jiazhang0/meta-signing-key/blob/master/README.md)
|
||||
for more details about how to construct an user key store.
|
||||
|
||||
#### TPM 1.x
|
||||
This feature enables Trusted Platform Module 1.x support, including
|
||||
kernel option changes to enable tpm drivers, and picking up TPM 1.x packages.
|
||||
|
||||
Refer to [meta-tpm](https://github.com/jiazhang0/meta-tpm/blob/master/README.md)
|
||||
for more details.
|
||||
|
||||
#### TPM 2.0
|
||||
This feature enables Trusted Platform Module 2.0 support, including
|
||||
kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages.
|
||||
@@ -43,9 +33,6 @@ Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys,
|
||||
passwords, and digital certificates. A discrete TPM 2.0 offers the
|
||||
capabilities as part of the overall platform security requirements.
|
||||
|
||||
Refer to [meta-tpm2](https://github.com/jiazhang0/meta-tpm2/blob/master/README.md)
|
||||
for more details.
|
||||
|
||||
#### Encrypted storage
|
||||
This feature gives 2 types of granularity for storage encryption. Data volume
|
||||
encryption allows the user to create encryption partition with a passphrase
|
||||
@@ -57,8 +44,6 @@ which provides transparent encryption of block devices using the kernel crypto
|
||||
API. Additionally, the utility cryptsetup is used to conveniently setup disk
|
||||
encryption based on device-mapper crypt target.
|
||||
|
||||
Refer to [meta-encrypted-storage](https://github.com/jiazhang0/meta-encrypted-storage/blob/master/README.md) for more details.
|
||||
|
||||
#### Integrity
|
||||
The Linux IMA subsystem introduces hooks within the Linux kernel to support
|
||||
measuring the integrity of files that are loaded (including application code)
|
||||
@@ -80,16 +65,9 @@ files and applications to be loaded if the hashes match (and will save the
|
||||
updated hash if the file is modified) but refuse to load it if it doesn't. This
|
||||
provides some protection against offline tampering of the files.
|
||||
|
||||
Refer to [meta-integrity](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md)
|
||||
for more details.
|
||||
|
||||
#### RPM signing
|
||||
This feature provides the integrity verification for the RPM5 package.
|
||||
|
||||
Refer to [meta-rpm-signing](https://github.com/jiazhang0/meta-rpm-signing/blob/master/README.md)
|
||||
for more details.
|
||||
|
||||
|
||||
### Building the meta-secure-env layer
|
||||
### Building the meta-secure-core layer
|
||||
This layer should be added to the bblayers.conf file. To enable certain
|
||||
feature provided by this layer, add the feature to the local.conf file.
|
||||
|
||||
Reference in New Issue
Block a user