There is already a BBFILE_COLLECTIONS named integrity in the
meta-security/meta-integrity layer, which will cause conflicts.
Rename BBFILE_COLLECTIONS to integrity-layer.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
linux-yocto-integrity.inc is shared among linux-yocto, linux-yocto-rt and
linux-yocto-dev, and cannot be found with ${BPN} in the latter two.
ERROR: ParseError at layers/meta-secure-core/meta-integrity/recipes-kernel/linux/linux-yocto-dev.bbappend:1:
Could not include required file linux-yocto-dev-integrity.inc
ERROR: ParseError at layers/meta-secure-core/meta-integrity/recipes-kernel/linux/linux-yocto-rt_5.%.bbappend:1:
Could not include required file linux-yocto-rt-integrity.inc
Signed-off-by: He Zhe <zhe.he@windriver.com>
There exists only linux-yocto-tpm2.inc. BPN will resolve to
linux-yocto-rt and linux-yocto-dev, which don't have recipe-specific
include files.
Fixes bitbake recipe parsing errors like:
ERROR: ParseError at
/home/builder/src/build/../meta-secure-core/meta-tpm2/recipes-kernel/linux/linux-yocto-rt_5.%.bbappend:1:
Could not include required file linux-yocto-rt-tpm2.inc
ERROR: Parsing halted due to errors, see error messages above
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
CVE-2022-28736 has the 3 patches below, which conflicted with some meta-secure-boot layer patches.
loader-efi-chainloader-Simplify-the-loader-state.patch
commands-boot-Add-API-to-pass-context-to-loader.patch
CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Add ld option '-z noexecstack' for cryptfs-tpm2 to fix link warnings:
ld: warning: secret_area.o: missing .note.GNU-stack section implies executable stack
ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
Signed-off-by: Kai Kang <kai.kang@windriver.com>
If tpm/tpm2 is enabled in DISTRO features, add the grub 'tpm' module to
GRUB_BUILDIN.
This is now required for secureboot to work when TPM is also enabled in
the BIOS.
This is the result of automated script conversion:
poky/scripts/contrib/convert-variable-renames.py meta-secure-core
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Use the variable GRUB_SECURE_BUILDIN to split the grub secure
builtin option from GRUB_BUILDIN, so that GRUB_BUILDIN will
not contain the secure option and other grub-mkimage invocations
can create a non-secure grub even though secure boot is enabled.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Operations like XXX:append += "YYY" are almost always wrong and this
is a common mistake made in the metadata. Improve them to use the
standard format.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github URLs.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
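As an added example (not code from the layer or from the commit authors), a small Python lint that flags the two metadata patterns the preceding two commits clean up: `VAR:append +=` (and `:prepend`/`:remove`) operators, and git SRC_URI entries that lack `branch=` or use a GitHub URL without `protocol=https`. The recipe fragment it scans is constructed for the example.

```python
import re

# Constructed sample recipe fragment (not from the page) mixing correct
# and incorrect BitBake metadata, used to exercise the checks below.
SAMPLE_RECIPE = """\
SRC_URI = "git://github.com/example/tool.git;branch=main;protocol=https"
SRC_URI:append = " git://github.com/example/plugin.git"
SRC_URI += "git://git.example.org/lib.git;branch=master;protocol=https"
DEPENDS:append += " openssl"
EXTRA_OECONF:append = " --disable-audit"
RDEPENDS:${PN}:remove += "bash"
"""

# 'VAR:append += "x"' mixes the :append override with the += operator;
# the standard form is 'VAR:append = " x"'.
APPEND_OP_RE = re.compile(
    r'^\s*([A-Za-z0-9_${}:.-]+?):(append|prepend|remove)\s*\+=')
# A git:// fetcher URL with its optional ";key=value" parameter list.
GIT_URL_RE = re.compile(r'git://[^\s";]+(?:;[^\s"]*)?')


def find_append_misuse(text):
    """Return (lineno, variable, op) for every 'VAR:op +=' line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = APPEND_OP_RE.match(line)
        if m:
            hits.append((n, m.group(1), m.group(2)))
    return hits


def find_git_srcuri_issues(text):
    """Return (lineno, url, problem) for git SRC_URI entries that are not
    pinned to a branch or fetch from GitHub without protocol=https."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("SRC_URI"):
            continue
        for url in GIT_URL_RE.findall(line):
            params = dict(p.split("=", 1)
                          for p in url.split(";")[1:] if "=" in p)
            if "branch" not in params:
                hits.append((n, url, "missing branch="))
            if "github.com" in url and params.get("protocol") != "https":
                hits.append((n, url, "github url without protocol=https"))
    return hits
```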
Enabling this plugin will cause a non-deterministic build: whether the
audit plugin is built depends on whether libaudit exists on the host.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Backport a patch to disable '-Werror' to fix build error until upstream
addresses openssl 3.0 compatibility issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
Openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it`
to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
available. This change should have been transparent to the application,
but only if the `ASN1_ITEM_rptr()` macro is used.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fixes:
encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
ERROR: Unable to encrypt the secret
Suggested-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause a compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause a compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add back the append override, as the '+=' operator will make the
default value of BB_HASHBASE_WHITELIST in oe-core not have any
effect.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
The image-prelink feature has been disabled by default in oe-core commit
f9719cc1c3fe9d380336e7af418daf27473b2e8b. We don't need to remove it
explicitly in local.conf.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the
plaintext password setting function was dropped because of the security
issue. So the plaintext password setting method "usermod -P 'password'
user" is not available. Now we should pass the encrypted password to
usermod via the -p option.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>