19 Commits

Author SHA1 Message Date
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Kai Kang f6963bf84b linux-yocto-efi-secure-boot.inc: fix rerun failure
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:

| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'

Remove the link file before create it if exists already.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2021-04-21 12:57:22 +08:00
Sandra Tobajas 84ee95f92a linux-yocto: remove unused FILESEXTRAPATHS_prepend
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Jason Wessel 31d2105b7a secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Yi Zhao 8d1b7c2a29 meta-secure-core: add linux-yocto-dev bbappend
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Mark Hatle ed0de6b295 meta-efi-secure-boot: only apply if efi-secure-boot distro flag set
Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot
set

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Tom Rini 6274757665 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-11-07 23:40:20 +08:00
Yi Zhao f998cc01a8 linux-yocto-efi-secure-boot: rename type variable to imageType
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 32037a3aa7 linux-yocto-efi-secure-boot: rename KERNEL_IMAGE_BASE_NAME to KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 33ec1d1f82 linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to copy kernel p7b file
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Yi Zhao 231fc4906f linux-yocto-efi-secure-boot: fix typo
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Tom Rini 1c96c0d096 linux-yocto-efi-secure-boot: Package unversioned signature as symlink
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-13 14:16:05 +08:00
Tom Rini 8ee475b6dc meta-efi-secure-core: Move kernel-initramfs.bbappend
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Tom Rini 4d27285e28 kernel-initramfs: Rework to use update-alternatives directly
- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
  that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
  to test if the files exist anymore.  And when signing, we can sign all
  of them now.
- Add some python to do_package to update all of the ALTERNATIVES
  variables dynamically based on how we're configured.  This introduces
  an alternative for the initramfs portion as well so there is a stable
  name.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Lans Zhang 676968891f Fix the occurrence of checking the existence of signing keys
packagegroups are not the end consumers of using user-key-store.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-12 11:22:40 +08:00
Lans Zhang 5135786fa3 kernel-initramfs: define this package to include the initramfs image for kernel boot
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-03 09:21:44 +08:00
Lans Zhang e664a331d5 code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-29 10:52:06 +08:00
Lans Zhang dcc933df6e linux-yocto-efi-secure-boot: don't use sccs to define the included kernel cfg
The variable sccs is used internally and thus it will be corrupted by the external
definition.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-26 11:25:31 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00