495 Commits

Author SHA1 Message Date
Jason Wessel 382ffa19cf efitools: Fix compilation problem with latest /usr/include/efi
| gcc  -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/git/include/ -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/x86_64 -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/protocol -O2 -g  -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check -DGNU_EFI_USE_MS_ABI -DEFI_FUNCTION_WRAPPER -mno-red-zone -DCONFIG_x86_64 -fno-toplevel-reorder -DBUILD_EFI -c console.c -o console.efi.o
| console.c:360:5: error: ‘EFI_WARN_UNKOWN_GLYPH’ undeclared here (not in a function); did you mean ‘EFI_WARN_UNKNOWN_GLYPH’?
|   {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
|      ^~~~~~~~~~~~~~~~~~~~~
|      EFI_WARN_UNKNOWN_GLYPH
| ../Make.rules:113: recipe for target 'console.efi.o' failed

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel fab7b8d93d shim: Fix compilation problem with latest /usr/include/efi
| x86_64-poky-linux-gcc -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux/../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/9.2.0/include -DDEFAULT_LOADER=L"\SELoaderx64.efi" -DDEFAULT_LOADER_CHAR="\SELoaderx64.efi" -nostdinc -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib/Include -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/x86_64 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/protocol -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/include -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -DOVERRIDE_SECURITY_POLICY -DENABLE_HTTPBOOT -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 -DEFI_ARCH=L"x64" -DDEBUGDIR=L"/usr/lib/debug/usr/share/shim/x64-12-_poky_3.0/" -DVENDOR_CERT_FILE="/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/vendor_cert.cer"   -c -o console.o console.c
| console.c:363:5: error: 'EFI_WARN_UNKOWN_GLYPH' undeclared here (not in a function); did you mean 'EFI_WARN_UNKNOWN_GLYPH'?
|   363 |  {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
|       |     ^~~~~~~~~~~~~~~~~~~~~
|       |     EFI_WARN_UNKNOWN_GLYPH
| <builtin>: recipe for target 'console.o' failed
| make[1]: *** [console.o] Error 1
| make[1]: Leaving directory '/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/lib'
| Makefile:223: recipe for target 'lib/lib.a' failed
| make: *** [lib/lib.a] Error 2
| WARNING: exit code 1 from a shell command.

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 1473c05286 efitools: Uprev to fix LockDown.efi for UEFI built after 2018
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install.  It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data.  There are several other minor bug fixes, with the short log
shown below.

====

James Bottomley (13):
      cert-to-efi-hash-list: fix for openssl 1.1
      Version: 1.8.0
      Fix Fedora build
      Version: 1.8.1
      factor out variable signing code
      support engine based keys
      use SignedData instead of PKCS7 for variable updates
      Version: 1.9.0
      Makefile: Reverse the order of lib.a and -lcrypto
      Version: 1.9.1
      sign-efi-sig-list: add man page entry for engine option
      sha256: do not align raw section sizes
      Version: 1.9.2

pai-yi.huang (1):
      efi-updatevar: remove all authenticated attributes from signature

 Make.rules              |   6 ++---
 Makefile                |  12 +++++-----
 cert-to-efi-hash-list.c |   6 ++++-
 efi-updatevar.c         |  28 +++++++++++------------
 include/openssl_sign.h  |  10 ++++++++
 include/version.h       |   2 +-
 lib/Makefile            |   2 +-
 lib/openssl_sign.c      | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/sha256.c            |   8 ++++---
 sign-efi-sig-list.c     |  59 +++++++++++------------------------------------
 10 files changed, 213 insertions(+), 76 deletions(-)
 create mode 100644 include/openssl_sign.h
 create mode 100644 lib/openssl_sign.c

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Sandy 393b80fa35 sign_rpm_ext.bbclass: fix check_rpm_public_key failed while host not install gpg (#124)
Due to the following reasons, need to add the dependency to
task who needs to run check_rpm_public_key:
* packagegroup recipe don't have task prepare_recipe_sysroot
* varflags depends don't work for prefuncs

Signed-off-by: Changqing Li <changqing.li@windriver.com>
2019-11-07 17:31:03 +08:00
Sandy 99760f4771 sign_rpm_ext.bbclass: fix compile fail since missing gpg (#123)
there is a scenario that this bbclass is enabled globally,
all targets will inherit sign_rpm_ext. but this bbclass
need gpg to work, on some new distro like
ubuntun 19.04, gpg is not installed, so compile will failed.

fail cmd:
cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
            (gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
error:
base-files-3.0.14-r89 do_package_write_rpm: Failed to import gpg key (): /bin/sh: 1: --batch: not found

Signed-off-by: Changqing Li <changqing.li@windriver.com>
2019-11-06 15:35:51 +08:00
Zhao Yi 5698bb8529 grub-efi/boot-menu.inc: remove invalid menuentry (#122)
Currently the recovery menuentry is not available because we don't
provide bzImage_backup and initrd_backup. Remove this entry.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-11-01 18:21:09 +08:00
muvarov e3678e964c conf/layer.conf: Add zeus to LAYERSERIES_COMPAT (#121)
Signed-off-by: Maxim Uvarov <maxim.uvarov@linaro.org>
2019-11-01 08:39:17 +08:00
Yunguo Wei 701cbaf3c3 lib-evm-utils: using the correct algo for v2 signature (#120)
When using rpmsign (with --signfiles --fskpath) to sign RPM package,
the IMA signature is not correct, see:

$ getfattr -d -m - rootfs/usr/sbin/grpconv

file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQP3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

And the expected signature is like this:
$ getfattr -d -m - rootfs/usr/sbin/grpconv

file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQEAA6s8DwmRCVutcrE8NvHWWYXlg8L1AwH5teu44prkKRwmhZQ52Oa4UQoZZlxER/SJ9tijbve8ZAv++KW8EqgP4iZjEGh8ke76rpiRU5glnG/U+HUjnilJBpzpMJHxyNbAiFoHMESeCOtrhY0zZIUXK3DnIuIJSwpfl2HaNFxRrE38EaqgV9IQ8QiWFCvgDYXoJDwc3KdhjKjs214tCfZpKO1w4QJl2n4llZHw2RTHIuUOsMhRDEXs6onLHmdmhvqgxIHt7IvsT9v7H8GnoaiX0xgzxk2o/mE5EtPrnMtUoGSQwdY8CAfUbCwAp0c5QlsrHk5RBmewjJ/jxd/K1uKp7w==

The root cause is libimaevm doesn't retrieve correct signing algo, so this patch
is making things right.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2019-10-10 18:10:52 +08:00
Hongxu Jia 69117bef3a linux-yocto-integrity.inc: fix 'uks_modsign_keys_dir' is not defined (#119)
Since commit [b41010c linux-yocto-integrity: fix modsign key path] applied,
if MODSIGN_ENABLED is "0", bbclass user-key-store will not be inherited
which causing 'uks_modsign_keys_dir' is not defined

Unconditionally inherit user-key-store, but conditionally invoke
uks_modsign_keys_dir

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-10-07 11:51:32 +08:00
Jia Zhang 2d8b45a3d8 Merge pull request #118 from lumag/drop-privkeys
Security: do not install private keys into rootfs
2019-10-01 09:29:24 +08:00
Dmitry Eremin-Solenikov f2db9e0de6 meta-integrity: fix documentation
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-30 17:10:15 +03:00
Dmitry Eremin-Solenikov b41010c80c linux-yocto-integrity: fix modsign key path
Use modsign key directly from uks_modsign_keys_path(d), rather than from
installed package.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-16 16:00:09 +03:00
Dmitry Eremin-Solenikov 24d27e9f97 packagegroup-ima: RRECOMMEND certificates rather than private keys
Do not even try pulling private keys into rootfs.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-16 14:07:11 +03:00
Dmitry Eremin-Solenikov 51b2da4a41 key-store: drop private keys packages
Having a private key package might allow one to pull it into rootfs
which is really, really bad. So drop all private key packages.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-16 14:06:06 +03:00
Jia Zhang 809a4774a0 Merge pull request #117 from 2005songliwei/master
secure-core:allow other layer overwrite INITRAMFS_IMAGE
2019-09-12 17:56:30 +08:00
Jiang Lu 56dbf2a67a secure-core:allow other layer overwrite INITRAMFS_IMAGE
Allow other layer overwrite $INITRAMFS_IMAGE.

Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
Signed-off-by: Liwei Song <liwei.song@windriver.com>
2019-09-12 05:17:43 -04:00
Jia Zhang 0cea6e869f Merge pull request #116 from lumag/master
Use PKCS7 drivers compiled from OVMF source
2019-09-04 22:20:29 +08:00
Dmitry Eremin-Solenikov 883be5aff5 seloader: use pkcs7 drivers from OVMF
Rather than using pre-compiled EFI drivers, use freshly compiled drivers
from OVMF source tree.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 16:39:59 +03:00
Dmitry Eremin-Solenikov b0dfb596da ovmf: package PKCS7 verification drivers
Package Pkcs7VerifyDxe.efi and Hash2DxeCrypto.efi to be used by SELoader
bootloader.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 16:32:05 +03:00
Jia Zhang df51a87b5a Merge pull request #115 from lumag/master
Several updates and additional patch for grub-efi MOK2 support
2019-09-04 20:01:13 +08:00
Dmitry Eremin-Solenikov 6d1bd0da1f ima-inspect: add patch to fix compilation with newer ima-evm-utils
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Dmitry Eremin-Solenikov d139491c9a ima-evm-utils: update to release 1.2.1
Bump ima-evm-utils to latest release (1.2.1).

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Dmitry Eremin-Solenikov 26ced755f5 grub-efi: support mok2 verify in multiboot2 protocol
Add support for verifying PKCS#7 signatures via MOK2 protocol to
multiboot2 command enabling one to load multiboot-capable kernels.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Dmitry Eremin-Solenikov 99ec1bedbb meta-tpm2: tpm2-tools: update to version 3.2.0
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Dmitry Eremin-Solenikov fe4f5b1122 meta-tpm2: tpm2-tss: update to version 2.2.3
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Jia Zhang 127542429b Merge pull request #113 from 2005songliwei/master
grub-efi: fix uid contamination by host QA warning
2019-08-27 11:36:23 +08:00
Liwei Song c624ea2843 grub-efi: fix uid contamination by host QA warning
Fix the following QA issue:
WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183

chown to root for p7b file to fix uid contamination by host.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
2019-08-26 22:47:38 -04:00
Jia Zhang 51b5089a60 Merge pull request #112 from yizhao1/fix2
meta-signing-key/conf/layer.conf: use weak assignment for RPM_GPG_NAM…
2019-08-19 17:20:59 +08:00
Yi Zhao 729916e322 fixup! meta-secure-core: use bb.fatal instead of bb.build.FuncFailed 2019-08-19 17:20:45 +08:00
Yi Zhao 0ae8bf25f1 meta-signing-key/conf/layer.conf: use weak assignment for RPM_GPG_NAME and RPM_GPG_PASSPHRASE
Use weak assignment for RPM_GPG_NAME and RPM_GPG_PASSPHRASE so these
values could be overridden in other conf files.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-19 16:44:20 +08:00
Yi Zhao 1be79730bf meta-secure-core: use bb.fatal instead of bb.build.FuncFailed
The bb.build.FuncFailed had been removed in bitbake with commit
cfeffb602dd5319f071cd6bcf84139ec77f2d170. Use bb.fatal instead of it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-19 13:47:55 +08:00
Yi Zhao 8d1b7c2a29 meta-secure-core: add linux-yocto-dev bbappend
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yi Zhao b0a4ae0fe3 linux-yocto: upgrade bbappend from 4.% to 5.%
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Mark Hatle ed0de6b295 meta-efi-secure-boot: only apply if efi-secure-boot distro flag set
Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot
set

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yi Zhao 70e22755a6 grub-efi: update bbappend and refresh patches
The grub-efi has been upgraded to 2.04 in oe-core. Update the bbappend
and refresh patches to adapt it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Changqing Li 73bc9f68f9 keyutils: remove it
keyutils under meta-security have been moved to meta-openembeded by this commit
https://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b
and is higher version than keyutils, so remove this one

Signed-off-by: Changqing Li <changqing.li@windriver.com>
2019-08-02 12:57:36 +08:00
Mingli Yu a32ad2f61d tpm2-abrmd: fix do_compile error
After commit [5ef547b autoconf-archive: update to 2019.01.06]
applied in oe-core, there comes below error
when build tpm2-abrmd:
| NOTE: make -j 48
| Makefile:4381: *** missing separator.  Stop.

So backport a patch from tpm2-abrmd upstream to fix
this failure.

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
2019-07-24 12:07:13 +08:00
Mingli Yu 075c5e687e tpm2-tss: fix do_compile error
After commit [5ef547b autoconf-archive: update to 2019.01.06]
applied in oe-core, there comes below error
when build tpm2-tss:
| NOTE: make -j 48
| Makefile:14636: *** missing separator.  Stop.

So backport a patch from tpm2-tss upstream to fix
this failure.

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
2019-07-23 17:59:57 +08:00
Yi Zhao 392371e4b0 util-linux: only apply the bbappend if ima distro flag set
Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:

util-linux:do_compile: 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 ->
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
bitbake-diffsigs --task util-linux do_compile --signature
9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99

Rename util-linux_%.bbappend to util-linux-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-26 13:05:38 +08:00
Yi Zhao 06f4d3eece Revert "rpm: always include rpm-integrity.inc for RPM signing"
This reverts commit 0477a93cf9.

Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:

rpm-native:do_configure: c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b ->
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
bitbake-diffsigs --task rpm-native do_configure --signature
c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca

Revert the patch to fix it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-26 13:05:38 +08:00
Yi Zhao 990593c179 meta-integrity/conf/layer.conf: add opemembedded-layer as layer dependency
Fix ima-inspect build failure:

$ bitbake ima-inspect
ERROR: Nothing PROVIDES 'tclap' (but
/build/poky/meta-secure-core/meta-integrity/recipes-support/ima-inspect/ima-inspect_0.11.bb
DEPENDS on or otherwise requires it).
ERROR: Required build target 'ima-inspect' has no buildable providers.
Missing or unbuildable dependency chain was: ['ima-inspect', 'tclap']

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-21 10:16:04 +08:00
Yi Zhao 6f94e34e05 shim: fix build failure with gcc9
Backport patch to fix build error with gcc9 for option
"-Werror=address-of-packed-member"

MokManager.c: In function 'write_back_mok_list':
MokManager.c:1125:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1125 |   if (CompareGuid(&(list[i].Type), &CertType) == 0)
      |                   ^~~~~~~~~~~~~~~
MokManager.c:1147:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1147 |   if (CompareGuid(&(list[i].Type), &CertType) == 0) {
      |                   ^~~~~~~~~~~~~~~
MokManager.c: In function 'delete_cert':
MokManager.c:1188:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1188 |   if (CompareGuid(&(mok[i].Type), &CertType) != 0)
      |                   ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_hash_in_list':
MokManager.c:1239:20: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1239 |   if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
      |                    ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_keys':
MokManager.c:1410:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1410 |   if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
      |                   ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
<builtin>: recipe for target 'MokManager.o' failed

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-05 11:33:01 +08:00
Hongxu Jia 8fc7d850d7 kernel-initramfs: depends on do_image_complete rather than do_rootfs
...
|install: cannot stat 'tmp-glibc/deploy/images/intel-x86-64/secure-core-image-init
ramfs-intel-x86-64.cpio.gz': No such file or directory
...

Depends do_image_complete after required image generated

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-05-24 09:18:59 +08:00
Yi Zhao 0fbe3c26c5 meta: create README symbolic link
Run yocto-check-layer to check layer compliance of Yocto will report the
following error:

$ yocto-check-layer ../meta-secure-core/meta
INFO: Detected layers:
[snip]
INFO: test_readme (common.CommonCheckLayer)
INFO:  ... FAIL
INFO: Traceback (most recent call last):
  File "/buildarea/poky/scripts/lib/checklayer/cases/common.py", line 15, in test_readme
    msg="Layer doesn't contains README file.")
AssertionError: False is not true : Layer doesn't contains README file.
[snip]

There is no need to create a new README for this layer. We just create a
symbolic link of README from the top-level.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-04-24 13:35:04 +08:00
Yi Zhao a2688eb342 conf/layer.conf: Add warrior to LAYERSERIES_COMPAT
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-04-23 15:43:10 +08:00
Luca Boccassi 45637891f7 Patch ima-evm-utils to fix build with musl
Third party programs including libimaevm fails to build with musl
due to a missing include in the public header. Add it.
The build with glibc is unaffected. Patch sent upstream.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2019-02-28 22:58:37 +08:00
Luca Boccassi 8dc5057161 Bump tpm2-abrmd from 2.0.1 to 2.0.3 to fix build with musl
Several bug fixes were merged in 2.0.1 and 2.0.3, including the
following PRs that fix building tpm2-abrmd with the musl C library:

https://github.com/tpm2-software/tpm2-abrmd/pull/502
https://github.com/tpm2-software/tpm2-abrmd/pull/503

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2019-02-26 22:00:05 +08:00
Wenzong Fan dba3038152 grub-efi: fix the potential uninitialized error for variable 'err'
Fix the build errors with DEBUG_BUILD enabled:
  grub-core/loader/linux.c: In function 'grub_initrd_load':
  grub-core/loader/linux.c:326:10: error: 'err' may be used \
  uninitialized in this function [-Werror=maybe-uninitialized]

In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
          char *argv[], void *target)
{
  [snip]
  grub_err_t err;
  [snip]

  #ifdef GRUB_MACHINE_EFI
      [snip]
      err = grub_verify_file (argv[i]);
      [snip]
  #endif

  [snip]
fail:
  [snip]
  return err;
}

If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-03 15:12:41 +08:00
Yi Zhao 22bd7aa878 base-files: only apply the bbappend if ima distro flag set
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:

  qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
  qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.

Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-03 15:12:41 +08:00
Yi Zhao ca566bb615 kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag set
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set. We got the following error with
kernel-initramfs building:

ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'

Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code should be applied
only if the efi-secure-boot feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-11-30 13:46:35 +08:00