14 Commits

Author SHA1 Message Date
Mingli Yu 5a8d5924a2 meta-efi-secure-boot: check efi-secure-boot DISTRO_FEATURES
Fix the below yocto compliance issue:
  INFO: ======================================================================
  INFO: FAIL: test_signatures (common.CommonCheckLayer)
  INFO: ----------------------------------------------------------------------
  INFO: Traceback (most recent call last):
   File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures
    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
AssertionError: Adding layer meta-efi-secure-boot changed signatures.
17 signatures changed, initial differences (first hash before, second after):
   ovmf-native:do_configure: 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e -> 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      bitbake-diffsigs --task ovmf-native do_configure --signature 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      NOTE: Starting bitbake server...
      basehash changed from 8b274e0d376c63104cbbcc0004a3758f2673d9e7f959854a0ffaa82ea04a9653 to d53127a75e96264ab92cffc956f93864435d48d1a0bf22899b35f78f1daf3bb3
      Variable PACKAGECONFIG value changed:
      @@ -1,3 +1,3 @@
      - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}
      + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} secureboot
       MACHINE_FEATURES{tpm} = Unset
       MACHINE_FEATURES{tpm2} = Unset

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2022-12-06 09:16:14 +08:00
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Alexandru Avadanii ab13b08e43 kernel-initramfs: Fix leftover p7b reference
p7b was replaced by the ${SB_FILE_EXT} variable, but one reference
was omitted during the rework.

Fixes: 31d2105b

Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
2021-03-26 14:13:04 +08:00
Yi Zhao d05fc08f90 meta-efi-secure-boot/systemd: switch to meson build
The systemd switched to meson build long time ago. Somehow this bbappend
didn't update. Switch to meson build otherwise these options do not work
at all.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-01-19 17:44:02 +08:00
Hongxu Jia 82c404fe33 ovmf_%.bbappend: tweak do_sign task order to avoid racing issue
If ovmf's do_deploy is run before do_sign, there is a failure
...
|install: cannot stat 'tmp-glibc/work/corei7-64-wrs-linux/ovmf/
edk2-stable201911-r0/ovmf/Pkcs7VerifyDxe.efi.signed': No such file or directory
...

Add do_sign before do_deploy

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-04-10 16:12:35 +08:00
Liwei Song 8853e39b1e initramfs: adjust task order to aviod initrd symlink unavailable
adjust task order to make sure initrd symlink is ready before
do package.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
2020-02-27 16:24:34 +08:00
Jason Wessel 691252f79f kernel-initramfs-efi-secure-boot.inc: Copy .sig files and .p7b
While refactoring the code to eliminate the overlap in the copy of the
.sig and .p7b files the UEFI_SELOADER test was not removed.  This
results in the .sig files not getting copied to the deploy directory
when using the GRUB_SIGN_VERIFY = "1".

All that is needed is to remove the UEFI_SELOADER test statement.

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-14 08:42:17 +08:00
Jason Wessel 31d2105b7a secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Dmitry Eremin-Solenikov b0dfb596da ovmf: package PKCS7 verification drivers
Package Pkcs7VerifyDxe.efi and Hash2DxeCrypto.efi to be used by SELoader
bootloader.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 16:32:05 +03:00
Yi Zhao ca566bb615 kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag set
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set. We got the following error with
kernel-initramfs building:

ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'

Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code should be applied
only if the efi-secure-boot feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-11-30 13:46:35 +08:00
Tom Rini 6274757665 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-11-07 23:40:20 +08:00
Tom Rini 8ee475b6dc meta-efi-secure-core: Move kernel-initramfs.bbappend
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Lans Zhang e664a331d5 code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-29 10:52:06 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00