23 Commits

Author SHA1 Message Date
Yi Zhao bbd671ca72 meta-secure-core: Handle bitbake variable renaming
This is the result of automated script conversion:
poky/scripts/contrib/convert-variable-renames.py meta-secure-core

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-04-08 09:05:06 +08:00
Yi Zhao 56731a69db recipes: Update LICENSE variable to use SPDX license identifiers
Fix QA warnings:
WARNING: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license]
WARNING: mokutil-0.3.0+gitAUTOINC+e19adc575c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv3 [obsolete-license]

This is the result of automated script conversion:
poky/scripts/contrib/convert-spdx-licenses.py meta-secure-core

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-04-08 09:05:06 +08:00
Yi Zhao fea6a37625 recipes: update SRC_URI branch and protocols
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-15 09:56:02 +08:00
Yi Zhao 3fa3fc6dcb efitools: fix openssl.cnf path for openssl 3.0
Fix openssl.cnf path for openssl 3.0 to make sure openssl command can
find it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-21 15:57:54 +08:00
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Hongxu Jia 8834753407 Revert "Removed unneeded patch to fix compilation error in efi-tool's console.c"
The patch to fix compilation error in efi-tool's console.c is required

This reverts commit a6c3d9fcd2.

In <=gnu-efi-3.0.9 variable is named EFI_WARN_UNKOWN_GLYPH, and
in gnu-efi-3.0.11 is renamed in EFI_WARN_UNKNOWN_GLYPH. The patch is
only for users with installed >=gnu-efi-3.0.11 because is in this
version that variable has changed name from EFI_WARN_UNKOWN_GLYPH
to EFI_WARN_UNKNOWN_GLYPH. [1]

In oe-core master branch, the gnu-efi is 3.0.11, we need to add
the fix back

[1] https://bugs.gentoo.org/701152

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-04-16 16:33:23 +08:00
Abdelrahman Ibrahem a6c3d9fcd2 Removed unneeded patch to fix compilation error in efi-tool's console.c 2020-04-08 21:52:18 +08:00
Hongxu Jia 08c3f81a5f efitools: do not do_sign if GRUB_SIGN_VERIFY not enabled
If GRUB_SIGN_VERIFY is not enabled, do_sign will fail in which GPG_PATH
is not set (--homedir None)
...
|DEBUG: Executing python function do_sign
|NOTE: Running: echo "SecureCore" | tmp-glibc/hosttools/gpg  --pinentry-mode
loopback --batch --homedir None -u "SecureBootCore" --detach-sign
--passphrase-fd 0 "tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi"
|ERROR: Failed to sign: tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
...

Since GPG_PATH is set in do_sign's prefunc check_boot_public_key if
GRUB_SIGN_VERIFY is enabled, add the same condition to do_sign

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-11-19 18:09:03 +08:00
Hongxu Jia 73602a5eea efitools-native: Fix compilation problem with latest /usr/include/efi
Since commit [382ffa1 efitools: Fix compilation problem with
latest /usr/include/efi], we should apply the fix to native also.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-11-19 16:05:17 +08:00
Jason Wessel 31d2105b7a secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 382ffa19cf efitools: Fix compilation problem with latest /usr/include/efi
| gcc  -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/git/include/ -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/x86_64 -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/protocol -O2 -g  -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check -DGNU_EFI_USE_MS_ABI -DEFI_FUNCTION_WRAPPER -mno-red-zone -DCONFIG_x86_64 -fno-toplevel-reorder -DBUILD_EFI -c console.c -o console.efi.o
| console.c:360:5: error: ‘EFI_WARN_UNKOWN_GLYPH’ undeclared here (not in a function); did you mean ‘EFI_WARN_UNKNOWN_GLYPH’?
|   {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
|      ^~~~~~~~~~~~~~~~~~~~~
|      EFI_WARN_UNKNOWN_GLYPH
| ../Make.rules:113: recipe for target 'console.efi.o' failed

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 1473c05286 efitools: Uprev to fix LockDown.efi for UEFI built after 2018
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install.  It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data.  There are several other minor bug fixes, with the short log
shown below.

====

James Bottomley (13):
      cert-to-efi-hash-list: fix for openssl 1.1
      Version: 1.8.0
      Fix Fedora build
      Version: 1.8.1
      factor out variable signing code
      support engine based keys
      use SignedData instead of PKCS7 for variable updates
      Version: 1.9.0
      Makefile: Reverse the order of lib.a and -lcrypto
      Version: 1.9.1
      sign-efi-sig-list: add man page entry for engine option
      sha256: do not align raw section sizes
      Version: 1.9.2

pai-yi.huang (1):
      efi-updatevar: remove all authenticated attributes from signature

 Make.rules              |   6 ++---
 Makefile                |  12 +++++-----
 cert-to-efi-hash-list.c |   6 ++++-
 efi-updatevar.c         |  28 +++++++++++------------
 include/openssl_sign.h  |  10 ++++++++
 include/version.h       |   2 +-
 lib/Makefile            |   2 +-
 lib/openssl_sign.c      | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/sha256.c            |   8 ++++---
 sign-efi-sig-list.c     |  59 +++++++++++------------------------------------
 10 files changed, 213 insertions(+), 76 deletions(-)
 create mode 100644 include/openssl_sign.h
 create mode 100644 lib/openssl_sign.c

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Yi Zhao 41c93d4802 efitools: refresh patch to fix QA warning
Refresh patch Build-DBX-by-default.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:58:07 +08:00
Yi Zhao ec8e07c9fd efitools: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:

$ bitbake efitools lib32-efitools

ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
      (matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00
Tom Rini e00aed3e08 efitools: Rework how we deal with rpath and linking of Linux apps
- In all cases, when building Linux apps (and thus linking with gcc) we
  need to pass in the normal set of LDFLAGS for both rpath and link hash
  type.
- Rework Fix-for-the-cross-compilation.patch a bit.  When linking EFI
  apps (and thus linking with ld) we don't need to pass in other special
  flags.  When linking the "openssl" apps we do not need to spell out
  the crtN files as gcc handles that for us, they are normal Linux apps.
  Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.

With all of these changes we are now able to reuse sstate cache between
build directories.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-02 14:29:20 +08:00
Jackie Huang cfb63e60d7 efitools: use oe.utils.str_filter_out
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
2018-02-07 14:56:59 +08:00
Jia Zhang e11a0bd8de efitools: fix searching openssl.cnf for target build
Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
to work around openssl-1.1.x.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 20:39:48 +08:00
Lans Zhang d5a4de8f09 efitools: support to build with openssl-1.1.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 23:01:13 +08:00
Lans Zhang 8dbce3e3a0 efitools: code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-13 13:09:41 +08:00
Lans Zhang 676968891f Fix the occurrence of checking the existence of signing keys
packagegroups are not the end consumers of using user-key-store.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-12 11:22:40 +08:00
Lans Zhang 81553a81fb Rename .pem to .crt
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-03 15:47:53 +08:00
Lans Zhang e664a331d5 code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-29 10:52:06 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00