Commit Graph

284 Commits

Author SHA1 Message Date
Dimitri Bouras
6dd9a49284 Updated the URI for Jeremy Kerr's sbsigntools
Jeremy Kerr's sbsigntools are no longer hosted on git://kernel.ubuntu.com/jk/sbsigntool. A copy exists at git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools. This change is required to build meta-secure-core under sumo.
2022-02-09 08:58:58 +08:00
tomita
c9d359ea33 Update git source URL because of 404 error.
Signed-off-by: tomita <tomita@cyberdefense.jp>
2021-11-22 17:19:37 +08:00
tomita
22ed4822a8 initrdscripts-secure-core: remove /sys and /proc from package
The following failure is shown during secure-core-image-initramfs:do_rootfs():

Error: Transaction check error: file /proc conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64 file /sys conflicts between attempted installs of initrdscripts-secure-core-1.0-r0.corei7_64 and base-files-3.0.14-r89.intel_x86_64

So remove /sys and /proc as base-files has already provided them.

Signed-off-by: tomita <tomita@cyberdefense.jp>
2021-11-22 17:19:37 +08:00
Yi Zhao
1b35fd45a5 base-files: only apply the bbappend if ima distro flag set
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system starts up:

  qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
  qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.

Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code is applied only if the ima
feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-08 09:42:55 +08:00
Yi Zhao
41af20a81d kernel-initramfs: only apply the bbappend if efi-secure-boot distro flag set
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set, we get the following error when
building kernel-initramfs:

ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'

Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code is applied
only if the efi-secure-boot feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-08 09:42:55 +08:00
Yi Zhao
f26181d04c kernel-initramfs: fix inconsistent indentation
Use spaces consistently to indent do_install()

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-08 09:42:55 +08:00
Tom Rini
ff8db97cb8 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-12-08 09:42:55 +08:00
Tom Rini
5c56f9534b meta-signing-key: When deploying UEFI keys, deploy DER format
Generally speaking, for firmware to import PK/KEK/DB keys they need to
be in the binary "DER" format and typically have the "cer" file
extension.  When deploying our keys, convert what we have to that format
and deploy as well for ease of use.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-10-25 11:07:35 -04:00
Jia Zhang
ba72aa48fb Maintain the stable branch sumo
The following commits are reverted by the way:

- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
- meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711)

The former is applicable to rocko only, and the latter is still experimental.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-21 02:26:49 -04:00
Jia Zhang
13742554bf libsign: Fix build failure due to -fstack-protector-strong
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter it out of LDFLAGS.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-20 10:41:05 -04:00
Jia Zhang
3d3f762d31 libsign: Update to the latest
- Use CCLD to build executable and library.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-20 10:41:05 -04:00
Jia Zhang
74af5e3644 cryptfs-tpm2: Fix build failure due to -fstack-protector-strong
SECURITY_LDFLAGS includes -fstack-protector-strong which cannot work
with CCLD. To work around this issue, filter it out of LDFLAGS.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-17 09:31:31 -04:00
Jia Zhang
b3f12e7803 cryptfs-tpm2: Update to the latest
- Follow the regular way to include header files.
- Use CCLD to build executable and library.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-17 09:29:52 -04:00
Yunguo Wei
cc40f6c890 cryptfs-tpm2: uprev to 0.7
Now cryptfs-tpm2 supports both TSS 1.x and 2.x API.

Please specify "TSS2_VER=1" in EXTRA_OEMAKE to support 1.x API.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2018-09-12 17:49:31 +08:00
Yi Zhao
41c93d4802 efitools: refresh patch to fix QA warning
Refresh patch Build-DBX-by-default.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:58:07 +08:00
Yi Zhao
ec8e07c9fd efitools: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_deploy error
when enabling multilib:

$ bitbake efitools lib32-efitools

ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
      (matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00
Yi Zhao
e778286de8 seloader: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_deploy error
when enabling multilib:

$ bitbake seloader lib32-seloader

ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
      (matched in manifest-qemux86_64-seloader.deploy)
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
      (matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00
Hongxu Jia
13ae980796 key-store: fix incorrect postpone to first boot
After postinst was executed at do_rootfs successfully,
there will be no first boot to redo.

Since `229f4e9 package.bbclass: add support for
pkg_postinst_ontarget()' was applied in oe-core, use
pkg_postinst_ontarget instead.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-09-05 18:53:58 +08:00
Hongxu Jia
23b208c08c cryptsetup_%.bbappend: move lvm2-udevrules from RDEPEND to RRECOMMENDS
When configuring lvm2 without udev, the lvm2-udevrules package is empty,
causing a do_rootfs failure.

Error:
ERROR: wrlinux-image-glibc-std-1.0-r5 do_rootfs: Function failed: do_rootfs
 Problem: conflicting requests
  - nothing provides lvm2-udevrules needed by cryptsetup-1.7.4-r0.corei7_64

Moving lvm2-udevrules from RDEPEND to RRECOMMENDS could work around the issue.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-08-27 10:50:37 +08:00
Tom Rini
93bba33166 libsign: Enable nativesdk support
Bump up to the current top of libsign so that we can easily get a copy
of selsign that can be put into an SDK.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-08-25 08:14:56 +08:00
Tom Rini
e3f8b0e054 sbsigntool: Enable nativesdk support
There are times where we might want to include sbsigntool in an SDK, so
rename the recipe and extend it to include nativesdk.  We also need gnu-efi
to support nativesdk, so include that in a bbappend.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-08-25 08:14:56 +08:00
Trevor Woerner
c2e3fe9168 tpm2: move configure option
The --with-udevrulesdir configure option has been moved from tpm2-abrmd to
tpm2-tss in the code, therefore move its associated EXTRA_OECONF to suit.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-08-03 10:49:00 +08:00
Trevor Woerner
dc173c7a8d tpm2: update release recipes
tpm2-tss: 1.4.0 -> 2.0.0
tpm2-abrmd: 1.3.1 -> 2.0.1
tpm2-tools: 3.0.4 -> 3.1.1

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-08-03 10:49:00 +08:00
Tom Rini
5fa9c850bd meta-integrity: rpm: Add back in required patches for rocko
In 59a9f43b89 ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream.  However, rocko ships with an older version
of RPM and still needs these patches.  Add conditional logic to apply
these patches only for rocko.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-31 22:48:35 +08:00
Tom Rini
bc6bbe2bde seloader: Fix building for rocko
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi.  Add in conditional logic to pass this only
for rocko.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-31 22:48:35 +08:00
Tom Rini
cd40815e69 layer.conf: Mark as compatible with rocko
As we also work with the 'rocko' release, list that in our
LAYERSERIES_COMPAT.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-25 20:41:35 +08:00
Mark Hatle
e64e9c12f1 layer.conf: Include secure-core for kernel-initramfs.bb
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/

Fix parsing error:
ERROR: No recipes available for:
  meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-07-18 09:06:13 +08:00
Jia Zhang
b127b760c0 seloader: Update to 0.4.6
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-07-17 05:40:04 -04:00
Trevor Woerner
089dd7e811 tpm2 git AUTOREV fix for BB_NO_NETWORK
Bitbake will try an ls-remote for any recipe whose SRCREV is AUTOREV,
even if that recipe will not ultimately be used for a particular build.
Therefore if the user specifies 'BB_NO_NETWORK = "1"', the _git versions of
the tpm2 recipes will cause the build to fail even if the _git versions are
not going to be built (which they won't be by default on account of their
DEFAULT_PREFERENCE being set to "-1").

This fix follows the same pattern as 721fcc89c5.

With this fix, the user can disable networking and successfully build the
non-_git versions of the tpm2 recipes. If the user wants to build the _git
versions, networking must be enabled. The build is expected to fail if the
user asks for the _git versions, but disables networking.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-07-10 09:30:16 +08:00
Joe Slater
4a357121bf util-linux: allow -static linking for switch_root.static
Specify -no-pie to override possible -pie default.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-07-06 14:50:47 +08:00
fraser
086aa9d299 Fix parsing bug where SYSTEM_TRUSTED and SECONDARY_TRUSTED were always parsed as true
2018-06-29 09:21:29 +08:00
Trevor Woerner
ce1bb2fa28 Revert "tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc"
This reverts commit 0bb383b60a.
2018-06-26 09:58:27 +08:00
Jinliang Li
1812c8755b Add root parameter configuration in boot command line.
It is helpful when secure boot is enabled, because you cannot
modify the boot command line after boot-menu.inc is signed, before deploying.

Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
2018-06-26 09:40:48 +08:00
Yi Zhao
33ec1d1f82 linux-yocto-efi-secure-boot: using shutil.copyfile instead of shutil.move to copy kernel p7b file
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still tries to copy the p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Use shutil.copyfile instead of shutil.move to fix
this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Yi Zhao
231fc4906f linux-yocto-efi-secure-boot: fix typo
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-06-20 13:11:47 +08:00
Jia Zhang
a4fda23803 cryptfs-tpm2: update to 0.6.3
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 22:16:02 -04:00
Jia Zhang
5497078ef4 tpm2-tools: refresh the dlopen patch for 3.0.4
The latest git version has updated to use dl interface to load
the library of tpm2-abrmd, instead of linking it on compilation.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 05:33:13 -04:00
Jia Zhang
0bb383b60a tpm2-abrmd: move tpm2-abrmd.default to tpm2-abrmd.inc
Use separate directories to store tpm2-abrmd.default for stable
and git version.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 05:12:46 -04:00
Jia Zhang
60be51b4ee tpm2-abrmd: code style cleanup
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:41:05 -04:00
Jia Zhang
62638c5a24 tpm2-abrmd: Fix missing tpm2-abrmd.service
The default value of --with-systemdsystemunitdir with the prefix
"/usr" cannot be used to search for tpm2-abrmd.service. In order to
fix this issue, explicitly set --with-systemdsystemunitdir as
before. In addition, place the .preset in the dedicated system-preset
directory.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:35:55 -04:00
Jia Zhang
23d074cba7 tpm2-tss: code style cleanup
Replace tab with four spaces.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-16 04:09:39 -04:00
Trevor Woerner
de08228a0d tpm2-abrmd: update daemon cmdline options
In the latest git version of abrmd:
    - the following option has been renamed:
        --max-transient-objects -> --max-transients

    - the following option has been removed:
        --fail-on-loaded-trans

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner
ec19d0a8ec tpm2-tools: cleanup and update
Clean up the tpm2-tools recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master, placing
all pieces common to the two recipes into an include file.

Update release from 3.0.3 to 3.0.4.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner
a504af5587 tpm2-abrmd: cleanup and update
Clean up the tpm2-abrmd recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master, placing
all pieces common to the two recipes into an include file.

Update release from 1.2.0 to 1.3.1.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Trevor Woerner
156cf92528 tpm2-tss: cleanup and update
Clean up the tpm2-tss recipe such that there is a recipe for
building the latest release (the default) and one for building
the latest, auto-incrementing version from git master, placing
all pieces common to the two recipes in an include file.

Update release from 1.3.0 to 1.4.0.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-15 13:01:25 +08:00
Jia Zhang
7d4f711413 meta-intel-sgx: Initial support of linux-sgx-driver
As the initial support, linux-sgx-driver is integrated into this
layer. SDK and PSW will be provided soon.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-06-06 10:03:28 -04:00
Trevor Woerner
b50b53dad2 tpm2-abrmd-init: fix for /dev/tpmrmX
In addition to the expected /dev/tpmX device nodes, newer Linux kernels now
also create /dev/tpmrmX nodes. This causes the daemon's startup script to
fail, meaning the abrmd daemon is not started automatically.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-06-06 21:59:18 +08:00
Jia Zhang
e8df96cf47 Update MAINTAINERS info
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-05-30 23:29:42 -04:00
Hongxu Jia
38ba593841 sign_rpm_ext.bbclass: fix check_rpm_public_key racing at recipe parsing time
All recipes will be parsed, which caused a lockfile racing issue in
check_rpm_public_key.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...

Referring to do_package_write_rpm, add check_rpm_public_key to the
prefunc of do_rootfs, so only the running image recipe will
invoke check_rpm_public_key.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-05-31 11:26:13 +08:00
Trevor Woerner
6ca33b325d tpm2.0-tss: rename -> tpm2-tss
Unify how the TPM2 recipes are named.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-30 09:38:05 +08:00