Commit Graph

461 Commits

Author SHA1 Message Date
jussike
f1447e3896 Typo fix: Don't enforce to use RPM 2021-01-14 22:39:03 +08:00
Bartłomiej Burdukiewicz
50a847007d conf/layer.conf: Add gatesgarth to LAYERSERIES_COMPAT
Signed-off-by: Bartłomiej Burdukiewicz <bartlomiej.burdukiewicz@gmail.com>
2020-12-09 09:17:12 +08:00
Yi Zhao
ca1c4bc784 user-key-store.bbclass: exclude ${GPG_PATH} from pseudo database
Adapt to recent pseudo changes.

Fixes:
ERROR: grub-efi-2.04-r0 do_sign: Failed to import gpg key
gpg: key 9E3086F96EEECC34/9E3086F96EEECC34: error sending to agent: End of file

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-12-09 09:16:54 +08:00
Corey Cothrum
8adff592ef create-user-key-store.sh: allow user to specify openssl x509 'days' param
allow openssl x509 '--days' parameter to be specified via command line argument

Signed-off-by: Corey Cothrum <contact@coreycothrum.com>
2020-12-09 09:16:29 +08:00
Yi Zhao
d6ca3fa224 rpm: apply signatures to config files
Since rpm 4.15, users can control the installation of
signatures on config files through a variable named
%_ima_sign_config_files. But this is disabled by default. Add a macro
configuration file to enable it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-12-08 22:03:59 +08:00
Yongxin Liu
628949305c meta-encrypted-storage: set CONFIG_HW_RANDOM_TPM to "y"
CONFIG_HW_RANDOM_TPM is bool, not tristate, and thus it cannot be
set to "m"

Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
2020-11-11 15:15:40 +08:00
Yi Zhao
2747958070 grub-efi: refresh patch
Refresh mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch to
adapt the recent CVEs fixing.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-11-10 10:36:25 +08:00
Ovidiu Panait
a32ddd2b2a check_gpg_key: Fix gpg-agent.conf creation race condition
If GPG_PATH is already created by signing-keys do_get_public_keys task,
subsequent executions of do_package_write_rpm will not create the
gpg-agent.conf file anymore.

Therefore, the spawned gpg-agent will miss important features such as
auto-expand-secmem, leading to the following intermittent build errors:
....
Subprocess output:
gpg: signing failed: Cannot allocate memory
gpg: signing failed: Cannot allocate memory
error: gpg exec failed (2)
gpg: signing failed: Cannot allocate memory
gpg: signing failed: Cannot allocate memory
error: gpg exec failed (2)
...

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
2020-10-19 19:32:49 +08:00
Hongxu Jia
696ee1495c grub-efi-efi-secure-boot.inc: Adapt to potential pseudo changes
If we do adopt path filtering for pseudo, we may filter out ${DEPLOY_DIR}
as not needing to be tracked for "root" permissions. But we do track
the data in ${D}, though; when we copy a file from ${D} to ${DEPLOY_DIR},
pseudo reports a failure
...
|cp: failed to preserve ownership for 'tmp-glibc/work/corei7-64-wrs-linux/
grub-efi/2.04-r0/deploy-grub-efi/efi-unsigned/x86_64-efi/fdt.lst'
: Operation not permitted
...

Disable pseudo for the copy operation

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-10-14 19:40:03 +08:00
Yongxin Liu
0233437224 ima: Fix badly formatted CONFIG_IMA_NG_TEMPLATE
Fix the following warning:

[INFO]: the following symbols were not found in the active configuration:

     - CONFIG_IMA_NG_TEMPLATE=y

Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
2020-10-12 09:41:33 +08:00
Chen Qi
4d59dc3037 trousers: fix build failure for gcc-10
gcc-10 uses '-fno-common' by default, causing build error of
multiple definition. Use '-fcommon' to fix this problem.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
2020-09-23 15:57:43 +08:00
Mingli Yu
6c64d71334 tpm2-abrmd: Remove obsolete setting regarding the Standard Output
The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].

Please consider using "journal" or "journal+console"

[1] https://github.com/systemd/systemd/blob/master/NEWS#L202

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2020-09-23 12:57:44 +08:00
David Dunlap
070f7359b5 create-user-key-store.sh: replace weak des3 encryption with aes256
Replace weak des3 encryption with more secure algorithm aes256 to
generate ima key in script create-user-key-store.sh.

Signed-off-by: David Dunlap <david.dunlap@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
2020-09-15 10:05:40 +08:00
Yi Zhao
7ee985e53f trousers: update to latest git rev
Security fixes:

CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks

CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed

CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-09-01 09:12:59 +08:00
Yi Zhao
960cffb107 tpm2-tools: upgrade 4.1.1 -> 4.1.3
* License-Update: BSD -> BSD-3-Clause
* Add a patch to switch to python3 in test scripts

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-22 17:30:26 +08:00
Yi Zhao
6830825188 tpm2-tss: upgrade 2.3.2 -> 2.3.3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-22 17:30:26 +08:00
Yi Zhao
d560bafc49 tpm2-abrmd: upgrade 2.3.0 -> 2.3.2
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-22 17:30:26 +08:00
Yi Zhao
0b1d3ee1d1 libsign: update to latest git revision
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-20 09:42:09 +08:00
Yi Zhao
ddbcb4722a cryptfs-tpm2: set correct soname for libcryptfs-tpm2
The current soname of libcryptfs-tpm2 is libcryptfs-tpm2.so:
$ readelf -d libcryptfs-tpm2.so.0.7.0 | grep SONAME
0x000000000000000e (SONAME)    Library soname: [libcryptfs-tpm2.so]

The libcryptfs-tpm2.so is a symbolic link to libcryptfs-tpm2.so.0.7.0
and it is not installed by default because it is packaged in the dev
package. Then we will encounter an error when running the command cryptfs-tpm2:
$ cryptfs-tpm2
cryptfs-tpm2: error while loading shared libraries: libcryptfs-tpm2.so:
cannot open shared object file: No such file or directory
$ ldd cryptfs-tpm2 | grep libcryptfs-tpm2
    libcryptfs-tpm2.so => not found

Set the soname to libcryptfs-tpm2.so.$(MAJOR_VERSION) to fix the issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-18 20:46:44 +08:00
Yi Zhao
3801a7e716 tpm2-abrmd: rdepends on libtss2-tcti-device and libtss2-tcti-mssim
The tpm2-abrmd daemon needs TCTI library for TPM2 device or simulator.
But the libtss2-tcti-device and libtss2-tcti-mssim packages are not
installed by default which causes the tpm2-abrmd daemon startup failure:

systemd[1]: Starting TPM2 Access Broker and Resource Management Daemon...
tpm2-abrmd[459]: tcti_conf before: "device:/dev/tpm0"
tpm2-abrmd[459]: tcti_conf after: "device:/dev/tpm0"
tpm2-abrmd[459]: ERROR:tcti:../tpm2-tss-2.3.2/src/tss2-tcti/tctildr.c:418:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
tpm2-abrmd[459]: init_thread_func: failed to create TCTI with conf "device:/dev/tpm0"
tpm2-abrmd[459]: g_bus_unown_name: assertion 'owner_id > 0' failed

Add libtss2-tcti-device and libtss2-tcti-mssim to runtime dependencies.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-07-15 16:49:12 +08:00
Changqing Li
c61b8157fb tpm2-tss: support usrmerge
fix do_package_qa error:
ERROR: QA Issue: tpm2-tss package is not obeying usrmerge distro feature. /lib should be relocated to /usr. [usrmerge]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
2020-07-02 22:16:43 +08:00
richard
3590e302df update tpm2-tools_3.2.1 -> tpm2-tools_4.1.1.bb, tpm2-abrmd_2.0.3 -> tpm2-abrmd_2.3.0, tpm2-tss_2.2.3.bb -> tpm2-tss_2.3.2.bb 2020-06-27 19:01:35 +08:00
Kai Kang
c39b30e99f key-store: fix rdepends with multilib
It shows qa issue when multilib is enabled:

| ERROR: lib32-key-store-0.1-r0 do_package: QA Issue:
   lib32-key-store package lib32-key-store-rpm-pubkey - suspicious values 'rpm' in RDEPENDS [multilib]

Prepend MLPREFIX to runtime dependency 'rpm' to fix the issue.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2020-06-12 12:20:56 +08:00
Christophe Priouzeau
ac1ec689f2 conf/layer.conf: Add dunfell to LAYERSERIES_COMPAT
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
2020-05-27 08:22:24 +08:00
De Huo
fc8969af8a user-key-store.bbclass: Kill gpg agent daemon after gpg sign
The gpg-agent daemon will be triggered to run in function boot_sign.
This daemon will not exit even after building the project.
So kill the gpg-agent daemon after the gpg signing process
at the end of function boot_sign.

Signed-off-by: De Huo <De.Huo@windriver.com>
2020-04-27 18:48:43 +08:00
De Huo
33d90d92b0 create-user-key-store.sh: Fix defect about invalid option "--pinentry-mode=loopback"
The option --pinentry-mode is not supported in gpg 2.0.22 code,
so when the host gpg version is 2.0.22 the option will be removed.
Start the gpg-agent daemon when gpg-connect-agent reload agent fails.
Otherwise the failure message below will be reported.
gpg: can't connect to the agent - trying fall back
gpg: can't connect to the agent: IPC connect call failed
gpg: problem with the agent: No agent running

Signed-off-by: De Huo <De.Huo@windriver.com>
2020-04-16 20:22:56 +08:00
Hongxu Jia
8834753407 Revert "Removed unneeded patch to fix compilation error in efi-tool's console.c"
The patch to fix compilation error in efi-tool's console.c is required

This reverts commit a6c3d9fcd2.

In <=gnu-efi-3.0.9 variable is named EFI_WARN_UNKOWN_GLYPH, and
in gnu-efi-3.0.11 is renamed in EFI_WARN_UNKNOWN_GLYPH. The patch is
only for users with installed >=gnu-efi-3.0.11 because is in this
version that variable has changed name from EFI_WARN_UNKOWN_GLYPH
to EFI_WARN_UNKNOWN_GLYPH. [1]

In oe-core master branch, the gnu-efi is 3.0.11, we need to add
the fix back

[1] https://bugs.gentoo.org/701152

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-04-16 16:33:23 +08:00
Hongxu Jia
82c404fe33 ovmf_%.bbappend: tweak do_sign task order to avoid racing issue
If ovmf's do_deploy is run before do_sign, there is a failure
...
|install: cannot stat 'tmp-glibc/work/corei7-64-wrs-linux/ovmf/
edk2-stable201911-r0/ovmf/Pkcs7VerifyDxe.efi.signed': No such file or directory
...

Add do_sign before do_deploy

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-04-10 16:12:35 +08:00
Abdelrahman Ibrahem
a6c3d9fcd2 Removed unneeded patch to fix compilation error in efi-tool's console.c 2020-04-08 21:52:18 +08:00
Yi Zhao
e8e80fb7c4 cryptfs-tpm2: convert the script to python3
Convert the script to python3 to fix the do_compile failure.

Fixes:
/buildarea/poky/build/tmp/work/core2-64-poky-linux/cryptfs-tpm2/0.7.0+gitAUTOINC+888c46c827-r0/git/scripts/encrypt_secret.py -i "H31i05" > "primary_key.secret" || exit 1
/usr/bin/env: ‘python’: No such file or directory
Makefile:64: recipe for target 'primary_key.secret' failed

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-19 10:47:24 +08:00
Yi Zhao
f2d06cda8d meta-tpm2: add dependency on meta-python2
Fixes:
ERROR: ParseError at
/buildarea/poky/meta-secure-core/meta-tpm2/recipes-devtools/python/python-beautifulsoup4_4.4.1.bb:19:
Could not inherit file classes/setuptools.bbclass

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-19 10:47:24 +08:00
Yi Zhao
6faa083706 tpm2-tools: only support python3 in test scripts
Python2 has been removed from oe-core and there is no python symbolic link
by default, which will cause an error when running test scripts:

$ ./test_tpm2_activecredential.sh: line 66: python: command not found

So drop python2 support and only keep python3.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-13 20:29:08 +08:00
Yi Zhao
b0d0273ae2 tpm2-tools: fix yaml.load warning in test scripts
The yaml.load(f) is deprecated since pyyaml 5.1.
Use yaml.load(f, Loader=yaml.BaseLoader) instead of it.
See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation

Fixes warning:
YAMLLoadWarning: calling yaml.load() without Loader=... is deprecated,
as the default Loader is unsafe. Please read https://msg.pyyaml.org/load for full details.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-13 20:29:08 +08:00
Yi Zhao
7db0fc79df tpm2simulator-native: update to latest git revision
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-10 10:22:02 +08:00
Yi Zhao
1989109180 tpm2-tools: upgrade 3.2.0 -> 3.2.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-03-10 10:22:02 +08:00
Ovidiu Panait
8f9f83a40a fixup! sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation
If GPG_PATH is already created by signing-keys do_get_public_keys task,
subsequent executions of do_package_write_rpm will fail with "Filename too
long" errors (this only affects builds using GPG paths larger than 80
characters).

Fix this race condition by making sure that the redirection files are always
present in the gpg homedir even if the directory already exists when the first
package_write_rpm task executes.

Also, make sure this new approach does not affect GPG_PATHs smaller than 80
chars.

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
2020-03-03 22:47:06 +08:00
richard
d496407fc1 modified grub-efi-efi-secure-boot.inc to install also the grub configuration files in the DEPLOYDIR 2020-03-01 19:27:54 +08:00
Drew Moseley
b003c7fcea Add additional *_KEYS_DIR to keys.conf
Signed-off-by: Drew Moseley <drew.moseley@northern.tech>
2020-03-01 19:27:08 +08:00
Ovidiu Panait
b1dee36ce6 sign_rpm_ext: Use socket redirection to avoid GPG_PATH length limitation
Currently, an error will be thrown when trying to use a GPG homedir whose path
length exceeds 80 characters. This limitation can be worked around by providing
libassuan socket redirection files for "S.gpg-agent.yocto-native",
"S.gpg-agent.ssh", "S.gpg-agent.browser" and "S.gpg-agent.extra"
sockets. The redirection files will point to the real sockets in /tmp
directory. The sockets will be automatically cleaned up by gpg agent.

References:
[1] https://dev.gnupg.org/T1752
[2] https://gnupg.org/documentation/manuals/assuan.pdf

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
2020-03-01 19:26:24 +08:00
Liwei Song
8853e39b1e initramfs: adjust task order to avoid initrd symlink unavailable
Adjust task order to make sure the initrd symlink is ready before
do package.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
2020-02-27 16:24:34 +08:00
Kai Kang
c901ee5ff8 tpm-tools: inherit perlnative.bbclass
tpm-tools calls pod2man to produce manual files. But pod2man has been
removed from hosttools in oe-core. So it fails occasionally when in some
certain condition .pod file is newer than corresponding man page files
that man files need to be reproduced:

| make[3]: Entering directory 'TOPDIR/tmp-glibc/work/ppc7400-wrs-linux/tpm-tools/1.3.9.1+gitAUTOINC+bdf9f1bc8f-r0/git/man/man8'
| /bin/bash: pod2man: command not found
| make[3]: *** [Makefile:575: tpm_nvwrite.8] Error 127

Inherit perlnative to fix such issue.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2020-02-13 13:54:11 +08:00
Yi Zhao
8302e3c479 ima-inspect: upgrade 0.11 -> 0.13
Fixes:
* Use glibc header instead of libattr header because the attr/xattr.h
  has been removed from attr package.
* fix configure check for newer libimaevm versions.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-01-19 11:52:46 +08:00
Sandra Tobajas
84ee95f92a linux-yocto: remove unused FILESEXTRAPATHS_prepend
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Sandra Tobajas
561800fe3f grub-efi-efi-secure-boot.inc: append do_deploy instead overriding it
Append do_deploy function instead of overriding it.

Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Sandra Tobajas
b2eb24569b user-key-store.bbclass: let MOK_SB be overridden
If the efi-secure-boot distro feature is enabled, allow the possibility to
enable only the UEFI SecureBoot (through the UEFI_SB Bitbake variable)
without the MOK_SB variable.

Allow explicitly overriding the MOK_SB Bitbake variable.

Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Sandra Tobajas
44a12b93b1 grub-efi-efi-secure-boot.inc: let EFI_BOOT_PATH be overridden
Let the EFI_BOOT_PATH Bitbake variable be overridden if needed.

Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Changqing Li
8a518a2054 mokutil: fix typo
Signed-off-by: Changqing Li <changqing.li@windriver.com>
2019-12-30 18:57:07 +08:00
Yi Zhao
c0e7d60718 grub-efi-efi-secure-boot.inc: use task_prepend instead of prefuncs for do_sign
The grub-efi-native build doesn't need to run do_sign task but there are
two prefuncs for do_sign still run in native build. This will cause a
build error when there is no gpg command on the host. Move the functions
to do_sign_prepend_class-target to make sure they only run in target
build.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-12-13 18:50:47 +08:00
Jason Wessel
f59b77b257 user-key-store.bbclass: Depend on gnupg-native to always use provided gpg
On some host configuration such as ubuntu 16.04 the gnupg in /usr/bin
is the 1.x version.  This can cause problems between the import and
signing process if the gpg version is different.  The commands in the
user-key-store class assume gnupg is at least version 2.2 or newer.

To avoid the signing phase failing for the efitools and the kernel,
the user-key-store class should depend on the gnupg-native binaries.

It avoids this specific error:

ERROR: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_sign: Failed to sign: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
ERROR: Logfile of failure stored in: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/temp/log.do_sign.22969
NOTE: recipe efitools-1.9.2+gitAUTOINC+392836a46c-r0: task do_sign: Failed

[ Issue: LIN1019-3757 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-12-13 09:02:14 +08:00
Ovidiu Panait
e4e766aa40 rpm-integrity: Use _append for PACKAGECONFIG
Currently, the PACKAGECONFIG assignment in rpm-integrity might overwrite
the previous contents of the variable.

Similar to systemd_%.bbappend and ovmf_%.bbappend, use _append to add
"imaevm" to PACKAGECONFIG when distro feature ima is enabled.

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
2019-12-13 09:01:39 +08:00