README: cleanup

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-07-11 14:08:45 +08:00
parent 0f3911c740
commit 473d7cf3fd
+2 -24
View File
@@ -1,4 +1,4 @@
### meta-secure-env ### meta-secure-core
This layer provides the following common and platform-specific security This layer provides the following common and platform-specific security
features: features:
@@ -9,32 +9,22 @@ key. Whenever this feature is enabled, the bootloader and kernel will be
signed automatically during the build, implying the signed binaries are signed automatically during the build, implying the signed binaries are
contained by the resulting RPM and rootfs image. contained by the resulting RPM and rootfs image.
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
#### MOK Secure Boot #### MOK Secure Boot
For x86 platform, MOK secure boot is based on the UEFI secure boot, adding For x86 platform, MOK secure boot is based on the UEFI secure boot, adding
the shim loader to chainloader the second-stage bootloader. Meanwhile, the shim loader to chainloader the second-stage bootloader. Meanwhile,
the shim will also install a protocol which permits the second-stage bootloader the shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation, e.g, for linux kernel. to perform similar binary validation, e.g, for linux kernel.
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
#### User key store #### User key store
By default, the signing key used by UEFI/MOK secure boot is the sample key for By default, the signing key used by UEFI/MOK secure boot is the sample key for
the purposes of development and demonstration. It is not recommended that the purposes of development and demonstration. It is not recommended that
this sample key be used for a production device and should be replaced by this sample key be used for a production device and should be replaced by
a secret key owned by the user. a secret key owned by the user.
Refer to [meta-signing-key](https://github.com/jiazhang0/meta-signing-key/blob/master/README.md)
for more details about how to construct an user key store.
#### TPM 1.x #### TPM 1.x
This feature enables Trusted Platform Module 1.x support, including This feature enables Trusted Platform Module 1.x support, including
kernel option changes to enable tpm drivers, and picking up TPM 1.x packages. kernel option changes to enable tpm drivers, and picking up TPM 1.x packages.
Refer to [meta-tpm](https://github.com/jiazhang0/meta-tpm/blob/master/README.md)
for more details.
#### TPM 2.0 #### TPM 2.0
This feature enables Trusted Platform Module 2.0 support, including This feature enables Trusted Platform Module 2.0 support, including
kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages. kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages.
@@ -43,9 +33,6 @@ Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys,
passwords, and digital certificates. A discrete TPM 2.0 offers the passwords, and digital certificates. A discrete TPM 2.0 offers the
capabilities as part of the overall platform security requirements. capabilities as part of the overall platform security requirements.
Refer to [meta-tpm2](https://github.com/jiazhang0/meta-tpm2/blob/master/README.md)
for more details.
#### Encrypted storage #### Encrypted storage
This feature gives 2 types of granularity for storage encryption. Data volume This feature gives 2 types of granularity for storage encryption. Data volume
encryption allows the user to create encryption partition with a passphrase encryption allows the user to create encryption partition with a passphrase
@@ -57,8 +44,6 @@ which provides transparent encryption of block devices using the kernel crypto
API. Additionally, the utility cryptsetup is used to conveniently setup disk API. Additionally, the utility cryptsetup is used to conveniently setup disk
encryption based on device-mapper crypt target. encryption based on device-mapper crypt target.
Refer to [meta-encrypted-storage](https://github.com/jiazhang0/meta-encrypted-storage/blob/master/README.md) for more details.
#### Integrity #### Integrity
The Linux IMA subsystem introduces hooks within the Linux kernel to support The Linux IMA subsystem introduces hooks within the Linux kernel to support
measuring the integrity of files that are loaded (including application code) measuring the integrity of files that are loaded (including application code)
@@ -80,16 +65,9 @@ files and applications to be loaded if the hashes match (and will save the
updated hash if the file is modified) but refuse to load it if it doesn't. This updated hash if the file is modified) but refuse to load it if it doesn't. This
provides some protection against offline tampering of the files. provides some protection against offline tampering of the files.
Refer to [meta-integrity](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md)
for more details.
#### RPM signing #### RPM signing
This feature provides the integrity verification for the RPM5 package. This feature provides the integrity verification for the RPM5 package.
Refer to [meta-rpm-signing](https://github.com/jiazhang0/meta-rpm-signing/blob/master/README.md) ### Building the meta-secure-core layer
for more details.
### Building the meta-secure-env layer
This layer should be added to the bblayers.conf file. To enable certain This layer should be added to the bblayers.conf file. To enable certain
feature provided by this layer, add the feature to the local.conf file. feature provided by this layer, add the feature to the local.conf file.