14 Commits

Author SHA1 Message Date
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Kai Kang f6963bf84b linux-yocto-efi-secure-boot.inc: fix rerun failure
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:

| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'

Remove the link file before create it if exists already.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2021-04-21 12:57:22 +08:00
Sandra Tobajas 84ee95f92a linux-yocto: remove unused FILESEXTRAPATHS_prepend
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Jason Wessel 31d2105b7a secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Tom Rini 6274757665 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-11-07 23:40:20 +08:00
Yi Zhao f998cc01a8 linux-yocto-efi-secure-boot: rename type variable to imageType
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 32037a3aa7 linux-yocto-efi-secure-boot: rename KERNEL_IMAGE_BASE_NAME to KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 33ec1d1f82 linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to copy kernel p7b file
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Yi Zhao 231fc4906f linux-yocto-efi-secure-boot: fix typo
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Tom Rini 1c96c0d096 linux-yocto-efi-secure-boot: Package unversioned signature as symlink
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-13 14:16:05 +08:00
Lans Zhang 676968891f Fix the occurrence of checking the existence of signing keys
packagegroups are not the end consumers of using user-key-store.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-12 11:22:40 +08:00
Lans Zhang e664a331d5 code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-29 10:52:06 +08:00
Lans Zhang dcc933df6e linux-yocto-efi-secure-boot: don't use sccs to define the included kernel cfg
The variable sccs is used internally and thus it will be corrupted by the external
definition.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-26 11:25:31 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00