encrypted-storage: use luks as the feature name for current implementation

encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
This commit is contained in:
Jia Zhang
2017-08-20 15:31:11 +08:00
parent cbdefad44c
commit b1e14f4e88
14 changed files with 29 additions and 30 deletions
+3 -3
View File
@@ -75,14 +75,14 @@ The full features in meta-secure-core can be configured with these definitions
in local.conf:
INITRAMFS_IMAGE = "secure-core-image-initramfs"
DISTRO_FEATURES_NATIVE_append += " ima tpm tpm2 efi-secure-boot encrypted-storage"
DISTRO_FEATURES_append += " ima tpm tpm2 efi-secure-boot encrypted-storage"
DISTRO_FEATURES_NATIVE_append += " ima tpm tpm2 efi-secure-boot luks"
DISTRO_FEATURES_append += " ima tpm tpm2 efi-secure-boot luks"
SECURE_CORE_IMAGE_EXTRA_INSTALL ?= "\
packagegroup-efi-secure-boot \
packagegroup-tpm \
packagegroup-tpm2 \
packagegroup-ima \
packagegroup-encrypted-storage \
packagegroup-luks \
"
DEBUG_FLAGS_forcevariable = ""
@@ -65,11 +65,10 @@ do_install_append_class-native() {
do_install_append_class-target() {
local menu="${WORKDIR}/boot-menu.inc"
# Enable the default IMA rules if IMA is enabled and encrypted-storage is
# disabled. This is because unseal operation will fail when any PCR is
# extended due to updating the aggregate integrity value by the default
# IMA rules.
[ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', '1', '0', d)}" != x"1" ] && {
# Enable the default IMA rules if IMA is enabled and luks is disabled.
# This is because unseal operation will fail when any PCR is extended
# due to updating the aggregate integrity value by the default IMA rules.
[ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
! grep -q "ima_policy=tcb" "$menu" &&
sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
}
@@ -1,8 +0,0 @@
DESCRIPTION = "The packages used for encrypted storage in initramfs."
require packagegroup-encrypted-storage.inc
RDEPENDS_${PN} += "\
cryptfs-tpm2-initramfs \
packagegroup-tpm2-initramfs \
"
@@ -0,0 +1,8 @@
DESCRIPTION = "The packages used for luks in initramfs."
require packagegroup-luks.inc
RDEPENDS_${PN} += "\
cryptfs-tpm2-initramfs \
packagegroup-tpm2-initramfs \
"
@@ -1,6 +1,6 @@
DESCRIPTION = "The packages used for encrypted storage."
DESCRIPTION = "The packages used for LUKS."
require packagegroup-encrypted-storage.inc
require packagegroup-luks.inc
# Install the minimal stuffs only for the linux rootfs.
# The common packages shared between initramfs and rootfs
@@ -1,4 +1,4 @@
#PACKAGECONFIG_append += "\
# ${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', \
# ${@bb.utils.contains('DISTRO_FEATURES', 'luks', \
# 'cryptsetup', '', d)} \
#"
@@ -1,6 +1,6 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
SRC_URI += "\
${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', \
${@bb.utils.contains('DISTRO_FEATURES', 'luks', \
'file://dmcrypt.scc file://dmcrypt.cfg', '', d)} \
"
@@ -1 +1 @@
include linux-yocto-encrypted-storage.inc
include linux-yocto-luks.inc
@@ -1 +1 @@
include linux-yocto-encrypted-storage.inc
include linux-yocto-luks.inc
@@ -44,7 +44,7 @@ PARALLEL_MAKE = ""
do_install() {
oe_runmake install DESTDIR="${D}"
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'encrypted-storage', '1', '0', d)}" = "1" ]; then
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" = "1" ]; then
install -m 0500 "${S}/scripts/init.cryptfs" "${D}"
fi
}
+3 -3
View File
@@ -170,9 +170,9 @@ The following best practices should be applied with using IMA.
- The default IMA rules provides the ability of measuring the boot components
and calculating the aggregate integrity value for attesting. However, this
function conflicts with encrypted-storage feature which employs PCR policy
session to retrieve the passphrase in a safe way. If both of them are
enabled, the default IMA rules will be not used.
function conflicts with the luks feature which employs PCR policy session to
retrieve the passphrase in a safe way. If both of them are enabled, the
default IMA rules will be not used.
### Reference
[Official IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
@@ -8,8 +8,8 @@ ROOTFS_BOOTSTRAP_INSTALL_append += "\
"packagegroup-tpm2-initramfs", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "ima", \
"packagegroup-ima-initramfs", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "encrypted-storage", \
"packagegroup-encrypted-storage-initramfs", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "luks", \
"packagegroup-luks-initramfs", "", d)} \
"
PACKAGE_INSTALL = "\
@@ -10,8 +10,8 @@ SECURE_CORE_IMAGE_EXTRA_INSTALL_append += "\
"packagegroup-tpm2", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "ima", \
"packagegroup-ima", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "encrypted-storage", \
"packagegroup-encrypted-storage", "", d)} \
${@bb.utils.contains("DISTRO_FEATURES", "luks", \
"packagegroup-luks", "", d)} \
"
IMAGE_INSTALL = "\