mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 20:56:58 +00:00
@@ -1,4 +1,4 @@
|
|||||||
### meta-secure-env
|
### meta-secure-core
|
||||||
This layer provides the following common and platform-specific security
|
This layer provides the following common and platform-specific security
|
||||||
features:
|
features:
|
||||||
|
|
||||||
@@ -9,32 +9,22 @@ key. Whenever this feature is enabled, the bootloader and kernel will be
|
|||||||
signed automatically during the build, implying the signed binaries are
|
signed automatically during the build, implying the signed binaries are
|
||||||
contained by the resulting RPM and rootfs image.
|
contained by the resulting RPM and rootfs image.
|
||||||
|
|
||||||
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
|
|
||||||
|
|
||||||
#### MOK Secure Boot
|
#### MOK Secure Boot
|
||||||
For x86 platform, MOK secure boot is based on the UEFI secure boot, adding
|
For x86 platform, MOK secure boot is based on the UEFI secure boot, adding
|
||||||
the shim loader to chainloader the second-stage bootloader. Meanwhile,
|
the shim loader to chainloader the second-stage bootloader. Meanwhile,
|
||||||
the shim will also install a protocol which permits the second-stage bootloader
|
the shim will also install a protocol which permits the second-stage bootloader
|
||||||
to perform similar binary validation, e.g, for linux kernel.
|
to perform similar binary validation, e.g, for linux kernel.
|
||||||
|
|
||||||
Refer to [meta-efi-secure-boot](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md) for more details.
|
|
||||||
|
|
||||||
#### User key store
|
#### User key store
|
||||||
By default, the signing key used by UEFI/MOK secure boot is the sample key for
|
By default, the signing key used by UEFI/MOK secure boot is the sample key for
|
||||||
the purposes of development and demonstration. It is not recommended that
|
the purposes of development and demonstration. It is not recommended that
|
||||||
this sample key be used for a production device and should be replaced by
|
this sample key be used for a production device and should be replaced by
|
||||||
a secret key owned by the user.
|
a secret key owned by the user.
|
||||||
|
|
||||||
Refer to [meta-signing-key](https://github.com/jiazhang0/meta-signing-key/blob/master/README.md)
|
|
||||||
for more details about how to construct an user key store.
|
|
||||||
|
|
||||||
#### TPM 1.x
|
#### TPM 1.x
|
||||||
This feature enables Trusted Platform Module 1.x support, including
|
This feature enables Trusted Platform Module 1.x support, including
|
||||||
kernel option changes to enable tpm drivers, and picking up TPM 1.x packages.
|
kernel option changes to enable tpm drivers, and picking up TPM 1.x packages.
|
||||||
|
|
||||||
Refer to [meta-tpm](https://github.com/jiazhang0/meta-tpm/blob/master/README.md)
|
|
||||||
for more details.
|
|
||||||
|
|
||||||
#### TPM 2.0
|
#### TPM 2.0
|
||||||
This feature enables Trusted Platform Module 2.0 support, including
|
This feature enables Trusted Platform Module 2.0 support, including
|
||||||
kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages.
|
kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages.
|
||||||
@@ -43,9 +33,6 @@ Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys,
|
|||||||
passwords, and digital certificates. A discrete TPM 2.0 offers the
|
passwords, and digital certificates. A discrete TPM 2.0 offers the
|
||||||
capabilities as part of the overall platform security requirements.
|
capabilities as part of the overall platform security requirements.
|
||||||
|
|
||||||
Refer to [meta-tpm2](https://github.com/jiazhang0/meta-tpm2/blob/master/README.md)
|
|
||||||
for more details.
|
|
||||||
|
|
||||||
#### Encrypted storage
|
#### Encrypted storage
|
||||||
This feature gives 2 types of granularity for storage encryption. Data volume
|
This feature gives 2 types of granularity for storage encryption. Data volume
|
||||||
encryption allows the user to create encryption partition with a passphrase
|
encryption allows the user to create encryption partition with a passphrase
|
||||||
@@ -57,8 +44,6 @@ which provides transparent encryption of block devices using the kernel crypto
|
|||||||
API. Additionally, the utility cryptsetup is used to conveniently setup disk
|
API. Additionally, the utility cryptsetup is used to conveniently setup disk
|
||||||
encryption based on device-mapper crypt target.
|
encryption based on device-mapper crypt target.
|
||||||
|
|
||||||
Refer to [meta-encrypted-storage](https://github.com/jiazhang0/meta-encrypted-storage/blob/master/README.md) for more details.
|
|
||||||
|
|
||||||
#### Integrity
|
#### Integrity
|
||||||
The Linux IMA subsystem introduces hooks within the Linux kernel to support
|
The Linux IMA subsystem introduces hooks within the Linux kernel to support
|
||||||
measuring the integrity of files that are loaded (including application code)
|
measuring the integrity of files that are loaded (including application code)
|
||||||
@@ -80,16 +65,9 @@ files and applications to be loaded if the hashes match (and will save the
|
|||||||
updated hash if the file is modified) but refuse to load it if it doesn't. This
|
updated hash if the file is modified) but refuse to load it if it doesn't. This
|
||||||
provides some protection against offline tampering of the files.
|
provides some protection against offline tampering of the files.
|
||||||
|
|
||||||
Refer to [meta-integrity](https://github.com/jiazhang0/meta-efi-secure-boot/blob/master/README.md)
|
|
||||||
for more details.
|
|
||||||
|
|
||||||
#### RPM signing
|
#### RPM signing
|
||||||
This feature provides the integrity verification for the RPM5 package.
|
This feature provides the integrity verification for the RPM5 package.
|
||||||
|
|
||||||
Refer to [meta-rpm-signing](https://github.com/jiazhang0/meta-rpm-signing/blob/master/README.md)
|
### Building the meta-secure-core layer
|
||||||
for more details.
|
|
||||||
|
|
||||||
|
|
||||||
### Building the meta-secure-env layer
|
|
||||||
This layer should be added to the bblayers.conf file. To enable certain
|
This layer should be added to the bblayers.conf file. To enable certain
|
||||||
feature provided by this layer, add the feature to the local.conf file.
|
feature provided by this layer, add the feature to the local.conf file.
|
||||||
|
|||||||
Reference in New Issue
Block a user