The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot. However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother. While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.
Signed-off-by: Tom Rini <trini@konsulko.com>
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Fix the error:
mok2verify.c:169:53: error: \
format '%lx' expects argument of type 'long unsigned int', \
but argument 3 has type 'grub_efi_status_t {aka int}' \
[-Werror=format=]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* rebase patches:
- keyutils_fix_library_install.patch
- keyutils-remove-m32-m64.patch
* append '-Wall' to CFLAGS for fixing:
.../recipe-sysroot/usr/include/features.h:376:4: error: \
#warning _FORTIFY_SOURCE requires compiling with \
optimization (-O) [-Werror=cpp]
* cleanup alternative targets, the *keyring*.7 files have been
removed from keyutils 1.5.10.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* install 'packagegroup-tpm2-initramfs' of distro flag 'tpm2' is set
* install 'initrdscripts-ima' if distro flag 'ima' is set
* install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
meta-oe layer split the udevrules for lvm2 into a new package.
Add lvm2-udevrules into cryptsetup RDEPENDS list.
Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
The "${S}" is not used for kernel-initramfs and it will
cleanup the kernel source codes if it is specified to
${STAGING_KERNEL_DIR}, thus remove this definition.
Signed-off-by: Fupan Li <fupan.li@windriver.com>
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
when openssl-tpm-engine lib is used on an unattended device, there is no
way to input TPM key password. So add this feature to support parse an
encrypted(AES algorithm) TPM key password from env.
The default decrypting AES password and salt is set in bb file.
When we create a TPM key(TSS format), generate a 8 bytes random data
as its password, and then we need to encrypt the password with the same
AES password and salt in bb file.
At last, we set a env as below:
export TPM_KEY_ENC_PW=xxxxxxxx
"xxxxxxxx" is the encrypted TPM key password for libtpm.so.
Signed-off-by: Meng Li <Meng.Li@windriver.com>
1. user key pub rpm package also could be created.
2. The latest bitbake could not support the d.getVar() function nest
call. Such as the following function call always return "None"
d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)
It caused the key-store-rpm-pubkey rpm package could not be created in
the latest oe-core project.
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
When the SIGNING_MODEL is set to "user", the signing-keys recipes will
run failed on the get_public_keys task. uks_rpm_keys_dir() function
could not return the right rpm_keys directory when the
SIGNING_MODEL is set to "user".
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
If "GPG_PATH" is set in the init script, then "signing-keys"
get_public_keys task will execute failed.
So the "GPG_PATH" directory would be created when "GPG_PATH" is set.
The do_get_public_keys failed to import gpg key error information is as following:
----------------------------------------------------------------------------------------
ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key
(layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
gpg: fatal: can't create directory
`tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.
The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
commit 52bf3b6636f95a(meta-integrity: move gpg keyring initialization
to signing-keys) tried to initialize keyring in the task check_public_keys
of the recipe signing-keys. However, it does work with the recipe
signing-keys only, and GPG_PATH can't be passed to other recipes.
We bring the python anonymous function back, and it makes sure GPG_PATH
is set before signing the packages for every recipe.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
