Jia Zhang
60588ac929
grub-efi: remove the unused patch
...
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-18 13:24:21 +08:00
Jia Zhang
52bf3b6636
meta-integrity: move gpg keyring initialization to signing-keys
...
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 23:29:26 +08:00
Jia Zhang
e11a0bd8de
efitools: fix searching openssl.cnf for target build
...
Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
to work around openssl-1.1.x.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 20:39:48 +08:00
Lans Zhang
464433a169
sign_rpm_ext: support RPM signing
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-17 11:22:49 +08:00
Lans Zhang
d5a4de8f09
efitools: support to build with openssl-1.1.x
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 23:01:13 +08:00
Lans Zhang
8ff4d25a90
ima-evm-utils: support to build with openssl-1.1.x
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 14:56:23 +08:00
Lans Zhang
ead58497c8
cryptfs-tpm2: sync up with upstream
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 11:20:18 +08:00
Lans Zhang
b7705a7587
README.md: update reference links
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:57:24 +08:00
Lans Zhang
9fc35f2627
meta-integrity/README.md: update
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:47:33 +08:00
Lans Zhang
4b41056970
sbsigntool: fix build failure with openssl-1.0.x
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:12:21 +08:00
Lans Zhang
eb08a619d8
init.ima: clean up and allow to load extra IMA policies from the real rootfs
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:15:38 +08:00
Lans Zhang
656706373f
ima_policy: update the comment
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:14:31 +08:00
Lans Zhang
c8fff6a0ff
meta-integrity/README.md: update
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 14:13:23 +08:00
Lans Zhang
c912483e87
sbsigntool: update to support openssl-1.1.0
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 13:12:38 +08:00
Lans Zhang
2c265a6fc3
meta-integrity/README.md: update
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 10:16:41 +08:00
Lans Zhang
09f1239567
meta-signing-key: clean up the default values of sample RPM signing key
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 09:23:09 +08:00
Lans Zhang
b2c2716c20
meta-signing-key: renew the sample keys for UEFI Secure Boot
...
The DB and KEK now are self-signed.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-14 15:07:57 +08:00
Lans Zhang
4a676cd301
create-user-key-store.sh: gpg key creation updates
...
- code style fixup
- remove gen_rpm_keyring script
- check gpg version
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-11 16:39:22 +08:00
Lans Zhang
104a01a25d
shim: refresh fallback patchset
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-11 14:14:39 +08:00
Lans Zhang
0951a620b5
init: don't explicitly set the LUKS partition name
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-09 10:54:48 +08:00
Lans Zhang
aa9b435b55
cryptfs-tpm2: sync up with upstream
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-09 10:53:47 +08:00
Lans Zhang
03a5d21586
shim: sync up with upstream
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-09 10:25:25 +08:00
Lans Zhang
1098d813ed
systemd: work around circular dependency chains found if systemd is configured to enable cryptsetup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-09 09:52:17 +08:00
Lans Zhang
e8d6e006e7
systemd: fix the conditions of PACKAGECONFIG for ima and cryptsetup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 22:03:45 +08:00
Lans Zhang
dd9a695df8
systemd: enable ima and cryptsetup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 17:01:00 +08:00
Lans Zhang
8dd6733e31
cryptsetup: depend on lvm2 to include dmsetup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 16:36:41 +08:00
Lans Zhang
7610abb4c8
cryptfs-tpm2: fix RDEPENDS
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 14:43:09 +08:00
Lans Zhang
909c571a60
meta-encrypted-storage: depend on meta-oe
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 14:42:36 +08:00
Lans Zhang
59c66fed7a
kernel-initramfs: set the default priority to -1
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-03 14:38:11 +08:00
Lans Zhang
1078adea02
shim: sync up with upstream
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-03 09:56:12 +08:00
Lans Zhang
a3e1038d71
shim: don't set CSV boot entry as the first boot option
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-01 13:13:06 +08:00
Lans Zhang
7f3143523d
create-user-key-store.sh: self-sign KEK and DB
...
The UEFI spec never asks for the fact that KEK must be signed by PK and
DB must be signed by KEK.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-01 10:40:59 +08:00
Lans Zhang
45748a09ef
README.md: simplify the commits for boot flow
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-31 19:28:24 +08:00
Lans Zhang
50bd7859af
rpm: remove PACKAGECONFIG[imaevm]
...
This setting is already merged to oe-core.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-28 10:14:25 +08:00
Lans Zhang
f77e53d627
meta-secure-core: code style fixup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-28 10:09:02 +08:00
Lans Zhang
afea92abb3
grub-efi: remove the deprecated replacement for initrd= parameter
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-28 10:01:20 +08:00
Lans Zhang
afdac6c3ca
grub/boot-menu.inc: use linux and initrd commands instead of chainloader to boot kernel
...
Since bzImage is not signed during the build.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-27 16:19:40 +08:00
Lans Zhang
71fc35c506
tpm2.0-tss: remove systemd from inherit command
...
The resource manager provided by this package is not used any more.
Thus its systemd-related settings should be removed.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-27 13:26:42 +08:00
Lans Zhang
14cbd4685f
packagegroup-encrypted-storage.inc: add cryptfs-tpm2
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-27 11:28:32 +08:00
Lans Zhang
c82c3c56e8
initrdscripts-secure-core: install udevd and udevadm provided by either eudev or udev
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-26 22:51:08 +08:00
Lans Zhang
4eaaa557ff
initrdscripts-secure-core: don't install sysvinit
...
/sbin/init should be covered by rootfs not here.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-26 22:40:48 +08:00
Lans Zhang
c28ebfb984
user-key-store.bbclass: set SYSTEM_TRUSTED only if ima is configured
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 21:17:23 +08:00
Lans Zhang
1546eb8538
user-key-store.bbclass: don't run check_deploy_keys in parallel
...
Set lockfile for task check_deploy_keys() to avoid the race error from
'cp -af':
cp: cannot create regular file '.../tmp/deploy/images/intel-x86-64/
sample-keys/uefi_sb_keys/DBX/DBX.key': File exists
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 21:15:25 +08:00
Lans Zhang
77640af54c
IMA: move the default policy file to /etc/ima directory
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 09:37:59 +08:00
Lans Zhang
567e817691
meta-efi-secure-boot/README: update to reflect using fallback to chainloader SELoader
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 09:33:16 +08:00
Lans Zhang
008b18270f
shim: use fallback loading SELoader
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-24 17:14:51 +08:00
Lans Zhang
9b96939178
sbsigntool: code style fixup
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-24 12:21:44 +08:00
Lans Zhang
c929a3e3fc
efivar: clean up
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-24 12:21:29 +08:00
Lans Zhang
2531d04180
meta-efi-secure-boot: depend on meta-perl
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-24 11:51:31 +08:00
Lans Zhang
189b6e56ab
shim: update to the latest
...
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-24 09:32:55 +08:00