In order to deploy our secure boot keys in DER format we need to use
openssl. This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign. Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.
Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
It shows warning when apply configure.ac-automake-error.patch:
| WARNING: mtree-1.0.3+gitAUTOINC+4f3e901aea-r0 do_patch:
| ...
| Details:
| Applying patch configure.ac-automake-error.patch
| patching file configure.ac
| Hunk #1 succeeded at 4 with fuzz 2 (offset -2 lines).
Update context of configure.ac-automake-error.patch to sync with current
mtree source codes.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Generally speaking, for firmware to import PK/KEK/DB keys they need to
be in the binary "DER" format and typically have the "cer" file
extension. When deploying our keys, convert what we have to that format
and deploy as well for ease of use.
Signed-off-by: Tom Rini <trini@konsulko.com>
The following failure is shown during secure-core-image-initramfs:do_rootfs():
Error: Transaction check error:
file /proc conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64
file /sys conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64
So remove /sys and /proc as base-files has already provided them.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
We have a bbappend file which enables plugins for rpm. We need to
ensure to also disable the inhibit plugin for rpm-native. Otherwise,
we get the following warning at rootfs time.
Unable to get systemd shutdown inhibition lock: Socket name too long
The inhibit plugin tries to inhibit shutdown during rpm operation. It
obviously makes no sense for rpm-native, as 1) we may not build on a
systemd based host and 2) the build process does not affect the package
management on host.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
The *_BASE_NAME was renamed to *_NAME in oe-core commit
f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b. So we also need to do the same
thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter out it from LDFLAGS.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Now cryptfs-tpm2 supports both TSS 1.x and 2.x API.
Please specify "TSS2_VER=1" in EXTRA_OEMAKE to support 1.x API.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake efitools lib32-efitools
ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
(matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake seloader lib32-seloader
ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
After postinst was executed at do_rootfs successfully,
there will be no first boot to redo.
Since `229f4e9 package.bbclass: add support for
pkg_postinst_ontarget()' applied in oe-core, use
pkg_postinst_ontarget to instead.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
when configuring lvm2 without udev, lvm2-udevrules package is empty,
causing do_rootfs failure.
Error:
ERROR: wrlinux-image-glibc-std-1.0-r5 do_rootfs: Function failed: do_rootfs
Problem: conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-1.7.4-r0.corei7_64
Move lvm2-udevrules from RDEPEND to RRECOMMENDS could workaround the issue.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Bump up to the current top of libsign so that we can easily get a copy
of selsign that can be put into an SDK.
Signed-off-by: Tom Rini <trini@konsulko.com>
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
The --with-udevrulesdir configure option has been moved from tpm2-abrmd to
tpm2-tss in the code, therefore move its associated EXTRA_OECONF to suit.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
In 59a9f43b89 ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream. However, rocko ships with an older version
of RPM and still needs these patches. Add conditional logic to apply
these patches only for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi. Add in conditional logic to pass this only
for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/
Fix parsing error:
ERROR: No recipes available for:
meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV,
even if that recipe will not ultimately be used for a particular build.
Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of
the tpm2 recipes will cause the build to fail even if the _git versions are
not going to be built (which they won't be by default on account of their
DEFAULT_PREFERENCE being set to "-1").
This fix follows the same pattern as
721fcc89c5
With this fix, the user can disable networking and successfully build the
non-_git versions of the tpm2 recipes. If the user wants to build the _git
versions, networking must be enabled. The build is expected to fail if the
user asks for the _git versions, but disables networking.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.
Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The latest git version has updated to use dl interface to load
the library of tpm2-abrmd, instead of linking it on compilation.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
