Add ld option '-z noexecstack' for cryptfs-tpm2 to fix link warnings:
ld: warning: secret_area.o: missing .note.GNU-stack section implies executable stack
ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
Signed-off-by: Kai Kang <kai.kang@windriver.com>
If tpm/tpm2 is enabled in DISTRO features, add the grub 'tpm' module to
GRUB_BUILDIN.
This is now required for secureboot to work w/ TPM is also enabled in a
BIOS.
This is the result of automated script conversion:
poky/scripts/contrib/convert-variable-renames.py meta-secure-core
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Use variable GRUB_SECURE_BUILDIN to split grub secure
builtin option from GRUB_BUILDIN, then GRUB_BUILDIN will
not contain secure option for others grub-mkimage to
create no secure grub even though secure boot is enabled
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Operations like XXX:append += "YYY" are almost always wrong and this
is a common mistake made in the metadata. Improve them to use the
standard format.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
enable this plugin will cause undeterministic build. whether to build
audit plugin depends on whether libaudit exists on the host
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Backport a patch to disable '-Werror' to fix build error until upstream
addresses openssl 3.0 compatibility issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
Openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it`
to `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
available. This change should have been transparent to the application,
but only if the `ASN1_ITEM_rptr()` macro is used.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fixes:
encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
ERROR: Unable to encrypt the secret
Suggested-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, The -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When LDFLAGS expands, The -fmacro-prefix-map and -fdebug-prefix-map will
be prefixed with -Wl, which will cause compilation error:
ld: -f may not be used without -shared
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add back the append override, as the '+=' operator will make the
default value of BB_HASHBASE_WHITELIST in oe-core not have any
effect.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
The image-prelink feature has been disabled by default in oe-core commit
f9719cc1c3fe9d380336e7af418daf27473b2e8b. We don't need to remove it
explicitly in local.conf.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the
plaintext password setting function was dropped because of the security
issue. So the plaintext password setting method "usermod -P 'password'
user" is not available. Now we should pass the encrypted password to
usermod via -p option.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fixes the following errors when set DEBUG_BUILD = "1":
fileio.c: In function ‘__fileio_read_file’:
fileio.c:179:12: error: ‘len’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
179 | *out_len = len;
| ~~~~~~~~~^~~~~
fileio.c:178:12: error: ‘buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
178 | *out_buf = buf;
| ~~~~~~~~~^~~~~
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Remove unnecessary inherit native
This is a target recipe, the "inherit native" is not needed, the
sbsigntool-native is extended by BBCLASSEXTEND which is already present.
Fixed when multilib is enabled:
$ bitbake lib32-sbsigntool
ERROR: Nothing PROVIDES 'lib32-sbsigntool'.
* Add util-linux-libuuid to DEPENDS since it is required by target build
* Add read_write_all.c to common_SOURCES to fix build errors.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
CVE-2021-3565:
A flaw was found in tpm2-tools in versions before 5.1.1 and before
4.3.2. tpm2_import used a fixed AES key for the inner wrapper,
potentially allowing a MITM attacker to unwrap the inner portion and
reveal the key being imported. The highest threat from this
vulnerability is to data confidentiality.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-3565
Patch from:
c069e4f179
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
On RHEL/CentOS/Fedora, there is no grub-mkpasswd-pbkdf2 command but
grub2-mkpasswd-pbkdf2. Update the script to locate the appropriate
command.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
