83 Commits

Author SHA1 Message Date
Wenzong Fan dba3038152 grub-efi: fix the potential uninitialized error for variable 'err'
Fix the build errors with DEBUG_BUILD enabled:
  grub-core/loader/linux.c: In function 'grub_initrd_load':
  grub-core/loader/linux.c:326:10: error: 'err' may be used \
  uninitialized in this function [-Werror=maybe-uninitialized]

In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
          char *argv[], void *target)
{
  [snip]
  grub_err_t err;
  [snip]

  #ifdef GRUB_MACHINE_EFI
      [snip]
      err = grub_verify_file (argv[i]);
      [snip]
  #endif

  [snip]
fail:
  [snip]
  return err;
}

If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-03 15:12:41 +08:00
Yi Zhao ca566bb615 kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag set
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set. We got the following error with
kernel-initramfs building:

ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'

Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code should be applied
only if the efi-secure-boot feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-11-30 13:46:35 +08:00
Tom Rini 6274757665 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-11-07 23:40:20 +08:00
Hongxu Jia c1a543fc99 layer.conf: update LAYERSERIES_COMPAT sumo' -> thud'
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-10-08 14:47:47 +08:00
Jia Zhang 139a9b656d Clean up the stuffs for stable branches
The following commits are reverted by the way:

- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)

Because they are only applicable to rocko.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-20 21:21:37 -04:00
Jia Zhang 3a7a940160 mokutil: Fix build failure due to missing crypt.h
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-17 23:21:36 -04:00
Yi Zhao f998cc01a8 linux-yocto-efi-secure-boot: rename type variable to imageType
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 32037a3aa7 linux-yocto-efi-secure-boot: rename KERNEL_IMAGE_BASE_NAME to KERNEL_IMAGE_NAME and KERNEL_IMAGE_SYMLINK_NAME to KERNEL_IMAGE_LINK_NAME
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-18 11:11:12 +08:00
Yi Zhao 41c93d4802 efitools: refresh patch to fix QA warning
Refresh patch Build-DBX-by-default.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:58:07 +08:00
Yi Zhao ec8e07c9fd efitools: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:

$ bitbake efitools lib32-efitools

ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
      (matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00
Yi Zhao e778286de8 seloader: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:

$ bitbake seloader lib32-seloader

ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
      (matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00
Tom Rini e3f8b0e054 sbsigntool: Enable nativesdk support
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk.  We also need gnu-efi
to support nativesdk so include that in a bbappend.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-08-25 08:14:56 +08:00
Tom Rini bc6bbe2bde seloader: Fix building for rocko
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi.  Add in conditional logic to pass this only
for rocko.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-31 22:48:35 +08:00
Tom Rini cd40815e69 layer.conf: Mark as compatible with rocko
As we also work with the 'rocko' release list that in our
LAYERSERIES_COMPAT.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-25 20:41:35 +08:00
Mark Hatle e64e9c12f1 layer.conf: Include secure-core for kernel-initramfs.bb
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/

Fix parsing error:
ERROR: No recipes available for:
  meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-07-18 09:06:13 +08:00
Jia Zhang b127b760c0 seloader: Update to 0.4.6
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-07-17 05:40:04 -04:00
Jinliang Li 1812c8755b Add root parameter configuration in boot command line.
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.

Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
2018-06-26 09:40:48 +08:00
Yi Zhao 33ec1d1f82 linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to copy kernel p7b file
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Yi Zhao 231fc4906f linux-yocto-efi-secure-boot: fix typo
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Trevor Woerner 18d65f8933 layer.conf: add LAYERSERIES_COMPAT
see https://patchwork.openembedded.org/patch/140542/

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-26 08:08:58 +08:00
Jia Zhang b23950cf55 seloader: sync up with the latest
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-05-20 07:21:54 -04:00
Kai Kang f9f181fe5c grub-efi: remove aarch64 from COMPATIBLE_HOST
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2018-05-16 11:14:40 +08:00
Tom Rini 1c96c0d096 linux-yocto-efi-secure-boot: Package unversioned signature as symlink
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-13 14:16:05 +08:00
Kai Kang 485d2db235 grub-efi: fix compile errors for arm64
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2018-05-11 14:13:18 +08:00
Yi Zhao 67e52b9f40 grub-efi: refresh patches to fix QA warning
Refresh the following patches:
  0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
  0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
  Grub-get-and-set-efi-variables.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-05-10 11:20:24 +08:00
Tom Rini 8ee475b6dc meta-efi-secure-core: Move kernel-initramfs.bbappend
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Tom Rini 4d27285e28 kernel-initramfs: Rework to use update-alternatives directly
- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
  that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
  to test if the files exist anymore.  And when signing, we can sign all
  of them now.
- Add some python to do_package to update all of the ALTERNATIVES
  variables dynamically based on how we're configured.  This introduces
  an alternative for the initramfs portion as well so there is a stable
  name.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Tom Rini e00aed3e08 efitools: Rework how we deal with rpath and linking of Linux apps
- In all cases, when building Linux apps (and thus linking with gcc) we
  need to pass in the normal set of LDFLAGS for both rpath and link hash
  type.
- Rework Fix-for-the-cross-compilation.patch a bit.  When linking EFI
  apps (and thus linking with ld) we don't need to pass in other special
  flags.  When linking the "openssl" apps we do not need to spell out
  the crtN files as gcc handles that for us, they are normal Linux apps.
  Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.

With all of these changes we are now able to reuse sstate cache between
build directories.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-02 14:29:20 +08:00
Jia Zhang b56c19c8af grub/boot-menu: Rename _bakup suffix to _backup
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:50:58 -04:00
Jia Zhang fb838242ad seloader: sync up with upstream
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-02-28 23:10:04 -05:00
Jackie Huang cfb63e60d7 efitools: use oe.utils.str_filter_out
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
2018-02-07 14:56:59 +08:00
Tom Rini 3ad05893e5 meta-signing-key, meta-efi-secure-boot: Rework for dependencies
The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot.  However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over.  Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother.  While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.

Signed-off-by: Tom Rini <trini@konsulko.com>
2017-11-16 22:03:28 +08:00
Jia Zhang 99f7472019 seloader: sync up with upstream
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 23:27:07 +08:00
Jia Zhang ffe79fe91e shim: drop fallback
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 21:57:43 +08:00
Wenzong Fan a852a68227 shim: disable OVERRIDE_SECURITY_POLICY for 32bit target (#25)
Fix 32bit assembler errors:
  | /tmp/ccJyZFtJ.s: Assembler messages:
  | /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)'
  | /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi'
  ...
  | make[1]: *** [<builtin>: security_policy.o] Error 1

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-30 03:50:25 -04:00
Wenzong Fan 5080ec0fac grub-efi: fix build error with qemux86 (#24)
Fix the error:
  mok2verify.c:169:53: error: \
  format '%lx' expects argument of type 'long unsigned int', \
  but argument 3 has type 'grub_efi_status_t {aka int}' \
  [-Werror=format=]

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-29 23:00:39 -04:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
Jia Zhang 0e6d3a3e1c meta-efi-secure-boot/README.md: document shim_cert as unused
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-26 17:11:50 +08:00
Jia Zhang bfd800fe02 shim: sync up with upstream
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 05:16:38 +08:00
Jia Zhang b1e14f4e88 encrypted-storage: use luks as the feature name for current implementation
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:31:11 +08:00
Jia Zhang 60588ac929 grub-efi: remove the unused patch
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-18 13:24:21 +08:00
Jia Zhang e11a0bd8de efitools: fix searching openssl.cnf for target build
Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
to work around openssl-1.1.x.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 20:39:48 +08:00
Lans Zhang d5a4de8f09 efitools: support to build with openssl-1.1.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 23:01:13 +08:00
Lans Zhang 4b41056970 sbsigntool: fix build failure with openssl-1.0.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:12:21 +08:00
Lans Zhang c912483e87 sbsigntool: update to support openssl-1.1.0
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 13:12:38 +08:00
Lans Zhang 104a01a25d shim: refresh fallback patchset
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-11 14:14:39 +08:00
Lans Zhang 03a5d21586 shim: sync up with upstream
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-09 10:25:25 +08:00
Lans Zhang 1078adea02 shim: sync up with upstream
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-03 09:56:12 +08:00
Lans Zhang a3e1038d71 shim: don't set CSV boot entry as the first boot option
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-01 13:13:06 +08:00
Lans Zhang 45748a09ef README.md: simplify the commits for boot flow
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-31 19:28:24 +08:00