300 Commits

Author SHA1 Message Date
Jia Zhang 00324b6b3e README: update README
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-12-04 12:25:12 +08:00
Jia Zhang a22324542d linux-yocto: fix loading kernel module due to being stripped
The kernel module will be stripped during do_package, including the
modsign signature.

Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-26 13:09:01 +08:00
Jia Zhang 5758c189a3 README.md: update to claim the support of modsign
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:33:01 -05:00
Jia Zhang 59ca43808c meta-integrity: enable modsign support in kernel
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:32:12 -05:00
Jia Zhang bd0f4cbe40 meta-signing-key: support to build key-store with modsign and extra system trusted key support
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:30:51 -05:00
Jia Zhang a97b3363b6 scripts/create-user-key-store.sh: support to generate the user keys for modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:29:33 -05:00
Jia Zhang 56033f310f meta-signing-key: add the sample keys for modsign and extra system trusted key
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:27:25 -05:00
Tom Rini 3ad05893e5 meta-signing-key, meta-efi-secure-boot: Rework for dependencies
The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot.  However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over.  Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother.  While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.

Signed-off-by: Tom Rini <trini@konsulko.com>
2017-11-16 22:03:28 +08:00
Tom Rini d3a05a62c1 README update
Include what's required to have rpms be signed in the example section.

Signed-off-by: Tom Rini <trini@konsulko.com>
2017-11-16 22:03:28 +08:00
Yunguo Wei 1259958f3c initrdscripts: rename expected ima certificate (#28)
evmctl is able to import DER format certificate only.

Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-11-12 09:43:48 +08:00
Jia Zhang 99f7472019 seloader: sync up with upstream
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 23:27:07 +08:00
Jia Zhang 0477a93cf9 rpm: always include rpm-integrity.inc for RPM signing
rpm-integrity is required for RPM signing which is enabled by default.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 23:25:55 +08:00
Jia Zhang c2b8134dc3 meta-integrity: fix build failure caused by 6aa83f98b
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 22:04:27 +08:00
Jia Zhang ffe79fe91e shim: drop fallback
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 21:57:43 +08:00
Kai 6aa83f98bc rpm: only apply bbappend file when ima in DISTRO_FEATURES (#27)
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:

| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2017-10-27 20:57:45 +08:00
Wenzong Fan a852a68227 shim: disable OVERRIDE_SECURITY_POLICY for 32bit target (#25)
Fix 32bit assembler errors:
  | /tmp/ccJyZFtJ.s: Assembler messages:
  | /tmp/ccJyZFtJ.s:268: Error: bad register name `%rsp)'
  | /tmp/ccJyZFtJ.s:269: Error: bad register name `%rdi'
  ...
  | make[1]: *** [<builtin>: security_policy.o] Error 1

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-30 03:50:25 -04:00
Wenzong Fan 5080ec0fac grub-efi: fix build error with qemux86 (#24)
Fix the error:
  mok2verify.c:169:53: error: \
  format '%lx' expects argument of type 'long unsigned int', \
  but argument 3 has type 'grub_efi_status_t {aka int}' \
  [-Werror=format=]

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-29 23:00:39 -04:00
Wenzong Fan 616263c4e6 keyutils: update to 1.5.10 (#22)
* rebase patches:
  - keyutils_fix_library_install.patch
  - keyutils-remove-m32-m64.patch

* append '-Wall' to CFLAGS for fixing:
  .../recipe-sysroot/usr/include/features.h:376:4: error: \
  #warning _FORTIFY_SOURCE requires compiling with \
  optimization (-O) [-Werror=cpp]

* cleanup alternative targets, the *keyring*.7 files have been
  removed from keyutils 1.5.10.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-27 05:36:58 -04:00
Wenzong Fan db7acb7d28 user-key-store.bbclass: add deploy_rpm_keys (#20)
Fix warning:
  WARNING: xxx do_sign: Function deploy_rpm_keys doesn't exist

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-25 03:27:07 -04:00
Wenzong Fan 6dff36ef09 Install packages if distro flag set (#21)
* install 'packagegroup-tpm2-initramfs' of distro flag 'tpm2' is set
* install 'initrdscripts-ima' if distro flag 'ima' is set
* install 'cryptfs-tpm2-initramfs' if distro flag 'luks' is set

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-25 03:25:27 -04:00
WarrickJiang afc39392a6 cryptsetup:add lvm2-udevrules into RDEPENDS (#19)
meta-oe layer split the udevrules for lvm2 into a new package.
Add lvm2-udevrules into cryptsetup RDEPENDS list.

Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
2017-09-25 03:24:24 -04:00
fli 8206812e75 kernel-initramfs: fix the issue rm kernel source codes (#18)
The "${S}" is not used for kernel-initramfs and it will
cleanup the kernel source codes if it is specified to
${STAGING_KERNEL_DIR}, thus remove this definition.

Signed-off-by: Fupan Li <fupan.li@windriver.com>
2017-09-25 03:24:03 -04:00
Jia Zhang 091e2cc6fa meta-tpm2: clean up bootstrap
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-09-20 01:48:45 -04:00
Jia Zhang 8e40927026 Change the email address of MAINTAINER
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-09-20 01:48:45 -04:00
Wenzong Fan c28e821fe6 packagegroup-tpm: include tpm-quote-tools (#17)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-12 22:02:25 +08:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
limeng-linux 7f72300c23 tpm : openssl-tpm-engine: parse an encrypted TPM key password from env (#15)
when openssl-tpm-engine lib is used on an unattended device, there is no
way to input TPM key password. So add this feature to support parse an
encrypted(AES algorithm) TPM key password from env.
The default decrypting AES password and salt is set in bb file.
When we create a TPM key(TSS format), generate a 8 bytes random data
as its password, and then we need to encrypt the password with the same
AES password and salt in bb file.
At last, we set a env as below:
export TPM_KEY_ENC_PW=xxxxxxxx
"xxxxxxxx" is the encrypted TPM key password for libtpm.so.

Signed-off-by: Meng Li <Meng.Li@windriver.com>
2017-09-02 10:16:57 +08:00
Jia Zhang 49fadf7ef0 Update BB_HASHBASE_WHITELIST
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-01 20:28:38 +08:00
yunguowei a10fc38e3f create-user-key-store.sh: Add arguments to specify gpg's key name and email address (#14)
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-08-28 00:44:00 +08:00
Jia Zhang 0e6d3a3e1c meta-efi-secure-boot/README.md: document shim_cert as unused
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-26 17:11:50 +08:00
Jia Zhang aa14422754 meta-ids: install packagegroup-ids if the feature ids configured
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-24 21:01:32 +08:00
Guojian 5a24b8f94f key-store: Fix two key-store-rpm-pubkey user key issues (#13)
1. user key pub rpm package also could be created.
2. The latest bitbake could not support the d.getVar() function nest
call. Such as the following function call always return "None"
d.getVar(d.getVar('RPM_KEY_DIR', True) + '/RPM-GPG-KEY-*', True)
It caused the key-store-rpm-pubkey rpm package could not be created in
the latest oe-core project.

Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
2017-08-24 19:52:34 +08:00
Wenzong Fan 90fd1b523a meta-ids: initial commit for IDS support (#11)
* Add new layer for IDS support
* Add package mtree to provide basic IDS functions

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-08-24 17:21:52 +08:00
Wenzong Fan c41b36ea73 meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-08-24 13:34:03 +08:00
Jia Zhang c2962bba6d sign_rpm_ext: make sure all target recipes are signed
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-24 08:18:01 +08:00
Jia Zhang 6fd5d7be55 meta-integrity: remove INHERIT += "sign_rpm_ext"
This definition should be placed in local.conf.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 17:38:01 +08:00
Jia Zhang c1cdc3d466 secure-core-image: install dnf by default
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 17:37:33 +08:00
Jia Zhang 1106a2c325 secure-core-image-initramfs: enlarge the max size
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 11:43:18 +08:00
Jia Zhang 8637f3bd63 meta-signing-key: replace the sample RPM signing key
The previous cannot be handled by gpg v2 properly when importing it.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 07:17:46 +08:00
Jia Zhang bfd800fe02 shim: sync up with upstream
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 05:16:38 +08:00
Guojian 6ad9a338e6 Fix the user rpm sign key can not be found issue (#5)
When the SIGNING_MODEL is set to "user", the signing-keys recipes will
run failed on the get_public_keys task. uks_rpm_keys_dir() function
could not return the right rpm_keys directory when the
SIGNING_MODEL is set to "user".

Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
2017-08-22 15:14:21 +08:00
Jia Zhang ab05be3c9c signing-keys: fix the race condition when concurrent import operations occur
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 22:42:32 +08:00
Jia Zhang ddb0b8d6d2 meta-tpm: tss 1.x always depends on openssl 1.0.x
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 20:31:58 +08:00
Jia Zhang b1e14f4e88 encrypted-storage: use luks as the feature name for current implementation
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:31:11 +08:00
Jia Zhang cbdefad44c create-user-key-store.sh: support gpg 2.x used to generate rpm signing key
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:06:22 +08:00
Jia Zhang 038aa54bc2 signing-keys: fix gpg key import failure due to wrong option position
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:03:18 +08:00
Jia Zhang 373d7276bc signing-keys: clean up
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:02:15 +08:00
Jia Zhang 6b7e09b444 sign_rpm_ext: define the location of default gpg keyring to TMPDIR
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:00:05 +08:00
Jia Zhang 5c584cb628 sign_rpm_ext: fix permission warning
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 11:18:24 +08:00
Jia Zhang d5ca542dfb signing-keys: fix gpg key import failure
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 02:17:32 +08:00