Use the variable GRUB_SECURE_BUILDIN to split the grub secure
builtin options from GRUB_BUILDIN; GRUB_BUILDIN will then
not contain the secure options, so other grub-mkimage invocations
can create a non-secure grub even though secure boot is enabled.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Operations like XXX:append += "YYY" are almost always wrong and this
is a common mistake made in the metadata. Improve them to use the
standard format.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Enabling this plugin will cause a non-deterministic build: whether the
audit plugin is built depends on whether libaudit exists on the host.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Backport a patch to disable '-Werror' to fix build error until upstream
addresses openssl 3.0 compatibility issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
Openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it`
to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
available. This change should have been transparent to the application,
but only if the `ASN1_ITEM_rptr()` macro is used.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fixes:
encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
ERROR: Unable to encrypt the secret
Suggested-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map options will
be prefixed with -Wl, which causes a compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, the -fmacro-prefix-map and -fdebug-prefix-map options will
be prefixed with -Wl, which causes a compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add back the append override, as the '+=' operator will make the
default value of BB_HASHBASE_WHITELIST in oe-core not have any
effect.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
The image-prelink feature has been disabled by default in oe-core commit
f9719cc1c3fe9d380336e7af418daf27473b2e8b. We don't need to remove it
explicitly in local.conf.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the
plaintext password setting function was dropped because of a security
issue. So the plaintext password setting method "usermod -P 'password'
user" is no longer available. Now we should pass the encrypted password to
usermod via the -p option.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fixes the following errors when DEBUG_BUILD = "1" is set:
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Remove unnecessary inherit native
This is a target recipe, so the "inherit native" is not needed; the
sbsigntool-native is extended by BBCLASSEXTEND, which is already present.
Fixes the following error when multilib is enabled:
$ bitbake lib32-sbsigntool
ERROR: Nothing PROVIDES 'lib32-sbsigntool'.
* Add util-linux-libuuid to DEPENDS since it is required by the target build
* Add read_write_all.c to common_SOURCES to fix build errors.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
CVE-2021-3565:
A flaw was found in tpm2-tools in versions before 5.1.1 and before
4.3.2. tpm2_import used a fixed AES key for the inner wrapper,
potentially allowing a MITM attacker to unwrap the inner portion and
reveal the key being imported. The highest threat from this
vulnerability is to data confidentiality.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3565
Patch from:
c069e4f179
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
On RHEL/CentOS/Fedora, there is no grub-mkpasswd-pbkdf2 command but
grub2-mkpasswd-pbkdf2. Update the script to locate the appropriate
command.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This reverts commit fc8969af8a.
In a parallel build this will lead to a sign error because the gpg-agent
in use may be killed in another task.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Task do_sign of linux-yocto depends on variable GPG_PATH. When GPG_PATH
changes, it fails to rerun the task:
| Exception: FileExistsError: [Errno 17] File exists:
| 'bzImage-5.2.24-yocto-standard.p7b' -> '/path/to/tmp-glibc/work/intel_x86_64-wrs-linux/linux-yocto/5.2.x+gitAUTOINC+bbe834c1d2_370ab92a1e-r0/image/boot/bzImage.p7b'
Remove the link file before creating it if it already exists.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
If efi-secure-boot distro flag has not been set, then do not require the
sbsigntool, libsign and efitools.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
grub-efi-native does not benefit from the extra code/modules that get built for
secure-boot support, it just increases the build time of the package.
Therefore, mark all secure-boot related procedures in the recipe for
class-target only.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
- the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
- the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set,
so there's no need to call insmod;
While at it, remove some unnecessary code duplication.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
p7b was replaced by the ${SB_FILE_EXT} variable, but one reference
was omitted during the rework.
Fixes: 31d2105b
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
oe-core now uses the git version for grub-efi, so we'd better
use the '%' wildcard for the bbappend file name.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Fixes the following error when DEBUG_BUILD = "1" is set:
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
cc1: all warnings being treated as errors
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
There is a build error if the /tmp directory is mounted with the noexec
option:
lib/ccan.git/tools/create-ccan-tree: line 130: /tmp/tmp.MSe2mg2hM5/ccan_depends: Permission denied
Specify a local TMPDIR to fix it.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>