do_rootfs
in commit 393b80fa, prefuncs of do_package_write_rpm/do_rootfs
have been replace by (task)_prepend in this bbclass, so remove it.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
This changes the rpm signing setup to use a generic routine
check_gpg_key(), in order that the boot loader gpg signing can use the
same infrastructure.
For now the boot loader gpg signing will only support grub and
introduces the variable:
GRUB_SIGN_VERIFY = "1"
This variable is a control point to activate the code in grub-efi to
perform file verification of any file it loads against a gpg key which
is linked into the boot loader with grub-mkimage. It will also cause
all the other files such as the kernel, initramfs and LockDown.efi to
be signed such that grub will verify the files.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Due to the following reasons, need to add the dependency to
task who needs to run check_rpm_public_key:
* packagegroup recipe don't have task prepare_recipe_sysroot
* varflags depends don't work for prefuncs
Signed-off-by: Changqing Li <changqing.li@windriver.com>
there is a scenario that this bbclass is enabled globally,
all targets will inherit sign_rpm_ext. but this bbclass
need gpg to work, on some new distro like
ubuntun 19.04, gpg is not installed, so compile will failed.
fail cmd:
cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
(gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
error:
base-files-3.0.14-r89 do_package_write_rpm: Failed to import gpg key (): /bin/sh: 1: --batch: not found
Signed-off-by: Changqing Li <changqing.li@windriver.com>
When using rpmsign (with --signfiles --fskpath) to sign RPM package,
the IMA signature is not correct, see:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQP3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
And the expected signature is like this:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQEAA6s8DwmRCVutcrE8NvHWWYXlg8L1AwH5teu44prkKRwmhZQ52Oa4UQoZZlxER/SJ9tijbve8ZAv++KW8EqgP4iZjEGh8ke76rpiRU5glnG/U+HUjnilJBpzpMJHxyNbAiFoHMESeCOtrhY0zZIUXK3DnIuIJSwpfl2HaNFxRrE38EaqgV9IQ8QiWFCvgDYXoJDwc3KdhjKjs214tCfZpKO1w4QJl2n4llZHw2RTHIuUOsMhRDEXs6onLHmdmhvqgxIHt7IvsT9v7H8GnoaiX0xgzxk2o/mE5EtPrnMtUoGSQwdY8CAfUbCwAp0c5QlsrHk5RBmewjJ/jxd/K1uKp7w==
The root cause is libimaevm doesn't retrieve correct signing algo, so this patch
is making things right.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Since commit [b41010c linux-yocto-integrity: fix modsign key path] applied,
if MODSIGN_ENABLED is "0", bbclass user-key-store will not be inherited
which causing 'uks_modsign_keys_dir' is not defined
Unconditionally inherit user-key-store, but conditionally invoke
uks_modsign_keys_dir
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Use modsign key directly from uks_modsign_keys_path(d), rather than from
installed package.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
The bb.build.FuncFailed had been removed in bitbake with commit
cfeffb602dd5319f071cd6bcf84139ec77f2d170. Use bb.fatal instead of it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
util-linux:do_compile: 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 ->
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
bitbake-diffsigs --task util-linux do_compile --signature
9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374
53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
Rename util-linux_%.bbappend to util-linux-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This reverts commit 0477a93cf9.
Run yocto-check-layer-wrapper to check layer compliance of Yocto will report the signatures error:
rpm-native:do_configure: c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b ->
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
bitbake-diffsigs --task rpm-native do_configure --signature
c2221ee127ea61f99a6062ffadb1fe05ca44b9200e38a91521a5a28d4f13140b
d955da8ce20c8dbc0c5bc9b7569dd459484b0e24ba1e4c66828a84e919025eca
Revert the patch to fix it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Third party programs including libimaevm fails to build with musl
due to a missing include in the public header. Add it.
The build with glibc is unaffected. Patch sent upstream.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:
qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.
Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
We have a bbappend file which enables plugins for rpm. We need to
ensure to also disable the inhibit plugin for rpm-native. Otherwise,
we get the following warning at rootfs time.
Unable to get systemd shutdown inhibition lock: Socket name too long
The inhibit plugin tries to inhibit shutdown during rpm operation. It
obviously makes no sense for rpm-native, as 1) we may not build on a
systemd based host and 2) the build process does not affect the package
management on host.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
In 59a9f43b89 ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream. However, rocko ships with an older version
of RPM and still needs these patches. Add conditional logic to apply
these patches only for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...
Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...
The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.
Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS
Signed-off-by: Tom Rini <trini@konsulko.com>
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.
Signed-off-by: Tom Rini <trini@konsulko.com>
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
The kernel module will be stripped during do_package, including the
modsign signature.
Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>
