300 Commits

Author SHA1 Message Date
Yi Zhao 231fc4906f linux-yocto-efi-secure-boot: fix typo
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Jia Zhang a4fda23803 cryptfs-tpm2: update to 0.6.3
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 22:16:02 -04:00
Jia Zhang 5497078ef4 tpm2-tools: refresh the dlopen patch for 3.0.4
The latest git version has updated to use dl interface to load
the library of tpm2-abrmd, instead of linking it on compilation.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 05:33:13 -04:00
Jia Zhang 0bb383b60a tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc
Use separate directories to store tpm2-abrmd.default for stable
and git version.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 05:12:46 -04:00
Jia Zhang 60be51b4ee tpm2-abrmd: code style cleanup
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:41:05 -04:00
Jia Zhang 62638c5a24 tpm2-abrmd: Fix missing tpm2-abrmd.service
The default value of --with-systemdsystemunitdir with the prefix
"/usr" cannot be used to search tpm2-abrmd.service. In order to
fix this issue, explicitly set --with-systemdsystemunitdir as
before. In addition, place .perset to the dedicated system-preset
directory.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:35:55 -04:00
Jia Zhang 23d074cba7 tpm2-tss: code style cleanup
Replace tab with four spaces.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:09:39 -04:00
Trevor Woerner de08228a0d tpm2-abrmd: update daemon cmdline options
In the latest git version of abrmd:
	- the following option has been renamed:
		--max-transient-objects -> --max-transients

	- the following option has been removed:
		--fail-on-loaded-trans

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner ec19d0a8ec tpm2-tools: cleanup and update
Cleanup the tpm2-tools recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.

Update release from 3.0.3 to 3.0.4.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner a504af5587 tpm2-abrmd: cleanup and update
Cleanup the tpm2-abrmd recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes into an include file.

Update release from 1.2.0 to 1.3.1.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner 156cf92528 tpm2-tss: cleanup and update
Cleanup the tpm2-tss recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master placing
all pieces common to the two recipes in an include file.

Update release from 1.3.0 to 1.4.0.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Jia Zhang 7d4f711413 meta-intel-sgx: Initial support of linux-sgx-driver
As the initial support, linux-sgx-driver is integrated into this
layer. SDK and PSW will be provided soon.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-06 10:03:28 -04:00
Trevor Woerner b50b53dad2 tpm2-abrmd-init: fix for /dev/tpmrmX
In addition to the expected /dev/tpmX device nodes, newer Linux kernels now
also create /dev/tpmrmX nodes. This causes the daemon's startup script to
fail, meaning the abrmd daemon is not started automatically.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-06 21:59:18 +08:00
Jia Zhang e8df96cf47 Update MAINTAINERS info
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-05-30 23:29:42 -04:00
Hongxu Jia 38ba593841 sign_rpm_ext.bbclass: fix check_rpm_public_key racing at recipe parsing time
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...

Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-05-31 11:26:13 +08:00
Trevor Woerner 6ca33b325d tpm2.0-tss: rename -> tpm2-tss
Unify how the TPM2 recipes are named.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-30 09:38:05 +08:00
Trevor Woerner 4b2c94fb64 tpm2.0-tools: rename -> tpm2-tools
Unify how the TPM2 recipes are named.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-30 09:38:05 +08:00
Trevor Woerner 18d65f8933 layer.conf: add LAYERSERIES_COMPAT
see https://patchwork.openembedded.org/patch/140542/

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-26 08:08:58 +08:00
Hongxu Jia 7824fbdea8 sign_rpm_ext.bbclass: check rpm public key at image recipe parsing time
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...

The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.

Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-05-23 19:32:55 +08:00
Jia Zhang b23950cf55 seloader: sync up with the latest
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-05-20 07:21:54 -04:00
Tom Rini a8419d577a meta-integrity, meta-signing-key: Populate the secondary keyring
Currently we provide a secondary trusted key that is signed by the
primary key.  We do not however DER encode this certificate.  Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Tom Rini c804f25914 meta-signing-key: Rename "extra trusted" to "secondary"
The way that the create-user-key-store.sh script creates what it has
been calling "extra_system_trusted_key" is really what would be
considered a "secondary" trusted key as it is signed by the primary key
that we create.  To make this clearer, as there are other cases for an
"extra trusted system key" that are not this key, update the variables,
package names, etc, to reflect "secondary" not "extra system".

Requested-by: Jia Zhang <zhang.jia@linux.alibaba.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Tom Rini b7b42cdec7 meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us.  In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Kai Kang f9f181fe5c grub-efi: remove aarch64 from COMPATIBLE_HOST
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2018-05-16 11:14:40 +08:00
Tom Rini 1c96c0d096 linux-yocto-efi-secure-boot: Package unversioned signature as symlink
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-13 14:16:05 +08:00
Tom Rini 7bbeefe9bd key-store: Fix typo in key-store-ima-privkey name
We're missing a leading '-' when we combine pn and ima-privkey here,
add.

Signed-off-by: Michael Grigorov <michael.grigorov@konsulko.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-12 08:32:18 +08:00
Kai Kang 485d2db235 grub-efi: fix compile errors for arm64
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2018-05-11 14:13:18 +08:00
Yi Zhao 67e52b9f40 grub-efi: refresh patches to fix QA warning
Refresh the following patches:
  0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
  0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
  Grub-get-and-set-efi-variables.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-05-10 11:20:24 +08:00
Tom Rini 8ee475b6dc meta-efi-secure-core: Move kernel-initramfs.bbappend
As the main recipe resides in meta/recipes-core/images/ move the append
to recipes-core/images/ as well for consistency.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Tom Rini 4d27285e28 kernel-initramfs: Rework to use update-alternatives directly
- All valid initramfs types will be listed in INITRAMFS_FSTYPES so use
  that variable rather than open-coding a list of possibilities.
- Since we're using the list of things that must exist now we don't need
  to test if the files exist anymore.  And when signing, we can sign all
  of them now.
- Add some python to do_package to update all of the ALTERNATIVES
  variables dynamically based on how we're configured.  This introduces
  an alternative for the initramfs portion as well so there is a stable
  name.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-06 18:59:55 +08:00
Tom Rini e00aed3e08 efitools: Rework how we deal with rpath and linking of Linux apps
- In all cases, when building Linux apps (and thus linking with gcc) we
  need to pass in the normal set of LDFLAGS for both rpath and link hash
  type.
- Rework Fix-for-the-cross-compilation.patch a bit.  When linking EFI
  apps (and thus linking with ld) we don't need to pass in other special
  flags.  When linking the "openssl" apps we do not need to spell out
  the crtN files as gcc handles that for us, they are normal Linux apps.
  Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.

With all of these changes we are now able to reuse sstate cache between
build directories.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-02 14:29:20 +08:00
Tom Rini 15a25c9a4a initrdscripts-secure-core: Provide all directories init requires
Our "init" script requires additional directories to exist and since we
don't pull in something like base-files that gives us a full layout we
must make these additional directories on our own.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-04-27 10:37:13 +08:00
Tom Rini bd31f81f78 README: Clarify local.conf required changes for IMA
- You must ensure that RPM is used in PACKAGE_CLASSES.
- We need to remove image-prelink from USER_CLASSES.  Prelinking the
  image at creation time (as happens on x86/x86_64) will result in the
  IMA hash of files changing from the recorded signature and
  verification will fail.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-04-20 09:27:01 +08:00
Yi Zhao 4a6de14094 keyutils: refresh patches to fix QA warning
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-04-11 14:45:15 +08:00
Jia Zhang 04c1072d8f init.ima: Fix up the syntax error
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 22:46:19 -04:00
Jia Zhang b56c19c8af grub/boot-menu: Rename _bakup suffix to _backup
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:50:58 -04:00
Jia Zhang f1ac8a4553 ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:25:15 -04:00
Jia Zhang 73cae2678d integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:24:13 -04:00
Jia Zhang f13d2e0ef8 init.ima: Fix the failure when importing the external policy from real rootfs
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 17:04:03 -04:00
Jia Zhang e9bfbabd51 README: Document the instruction to install kernel image
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 15:22:44 -04:00
Jia Zhang 387a9bf500 cryptfs-tpm2: Update the upstream URL
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-13 08:43:45 -04:00
Jia Zhang fb838242ad seloader: sync up with upstream
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-02-28 23:10:04 -05:00
Tom Rini 184dc8bb25 meta-integrity: Ensure that we have CONFIG_SECURITY enabled in the kernel
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-22 09:12:30 +08:00
Jia Zhang 365a400ed9 meta-secure-core: update TSS 2.0 to the latest stable version
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-02-19 04:39:19 -05:00
Tom Rini cf8ae9e69b meta-integrity: Fix build problem on ima-inspect
The sources require that we have pkgconfig support as well, add missing
inherit.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-17 08:36:24 +08:00
Tom Rini d0c0bedbbe meta-integrity: Add ima-inspect utility
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-16 16:31:52 +08:00
Tom Rini 59a9f43b89 meta-integrity: Drop RPM patches that are upstream now
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version.  This includes all of the patches we had
been applying.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-14 09:13:47 +08:00
Jackie Huang af05e4860f kernel-initramfs: use oe.utils.read_file
base_read_file has been removed from oe-core so use the
replacement function oe.utils.read_file.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
2018-02-07 14:56:59 +08:00
Jackie Huang cfb63e60d7 efitools: use oe.utils.str_filter_out
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
2018-02-07 14:56:59 +08:00
Holger Dengler 0c4d9a8268 util-linux: Fix package name extension
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.

Signed-off-by: Holger Dengler <dengler@linutronix.de>
2017-12-09 11:28:27 +08:00