The default value of --with-systemdsystemunitdir with the prefix
"/usr" cannot be used to search tpm2-abrmd.service. In order to
fix this issue, explicitly set --with-systemdsystemunitdir as
before. In addition, place .perset to the dedicated system-preset
directory.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
In the latest git version of abrmd:
- the following option has been renamed:
--max-transient-objects -> --max-transients
- the following option has been removed:
--fail-on-loaded-trans
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Cleanup the tpm2-tools recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 3.0.3 to 3.0.4.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Cleanup the tpm2-abrmd recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.
Update release from 1.2.0 to 1.3.1.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Cleanup the tpm2-tss recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes in an include file.
Update release from 1.3.0 to 1.4.0.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
As the initial support, linux-sgx-driver is integrated into this
layer. SDK and PSW will be provided soon.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
In addition to the expected /dev/tpmX device nodes, newer Linux kernels now
also create /dev/tpmrmX nodes. This causes the daemon's startup script to
fail, meaning the abrmd daemon is not started automatically.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...
Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...
The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.
Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create. To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".
Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.
Signed-off-by: Tom Rini <trini@konsulko.com>
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Refresh the following patches:
0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
Grub-get-and-set-efi-variables.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.
Signed-off-by: Tom Rini <trini@konsulko.com>
- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
to test if the files exist anymore. And when signing, we can sign all
of them now.
- Add some python to do_package to update all of the ALTERNATIVES
variables dynamically based on how we're configured. This introduces
an alternative for the initramfs portion as well so there is a stable
name.
Signed-off-by: Tom Rini <trini@konsulko.com>
- In all cases, when building Linux apps (and thus linking with gcc) we
need to pass in the normal set of LDFLAGS for both rpath and link hash
type.
- Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI
apps (and thus linking with ld) we don't need to pass in other special
flags. When linking the "openssl" apps we do not need to spell out
the crtN files as gcc handles that for us, they are normal Linux apps.
Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.
With all of these changes we are now able to reuse sstate cache between
build directories.
Signed-off-by: Tom Rini <trini@konsulko.com>
Our "init" script requires additional directories to exist and since we
don't pull in something like base-files that gives us a full layout we
must make these additional directories on our own.
Signed-off-by: Tom Rini <trini@konsulko.com>
- You must ensure that RPM is used in PACKAGE_CLASSES.
- We need to remove image-prelink from USER_CLASSES. Prelinking the
image at creation time (as happens on x86/x86_64) will result in the
IMA hash of files changing from the recorded signature and
verification will fail.
Signed-off-by: Tom Rini <trini@konsulko.com>
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS
Signed-off-by: Tom Rini <trini@konsulko.com>
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.
Signed-off-by: Tom Rini <trini@konsulko.com>
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>
base_read_file has been removed from oe-core so use the
replacement function oe.utils.read_file.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
The kernel module will be stripped during do_package, including the
modsign signature.
Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
