Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
In 59a9f43b89 ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream. However, rocko ships with an older version
of RPM and still needs these patches. Add conditional logic to apply
these patches only for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...
Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...
The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.
Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Currently we provide a secondary trusted key that is signed by the
primary key. We do not however DER encode this certificate. Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.
Signed-off-by: Tom Rini <trini@konsulko.com>
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us. In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.
Signed-off-by: Tom Rini <trini@konsulko.com>
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS
Signed-off-by: Tom Rini <trini@konsulko.com>
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.
Signed-off-by: Tom Rini <trini@konsulko.com>
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version. This includes all of the patches we had
been applying.
Signed-off-by: Tom Rini <trini@konsulko.com>
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.
Signed-off-by: Holger Dengler <dengler@linutronix.de>
The kernel module will be stripped during do_package, including the
modsign signature.
Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
evmctl is able to import DER format certificate only.
Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:
| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long
Signed-off-by: Kai Kang <kai.kang@windriver.com>
* rebase patches:
- keyutils_fix_library_install.patch
- keyutils-remove-m32-m64.patch
* append '-Wall' to CFLAGS for fixing:
.../recipe-sysroot/usr/include/features.h:376:4: error: \
#warning _FORTIFY_SOURCE requires compiling with \
optimization (-O) [-Werror=cpp]
* cleanup alternative targets, the *keyring*.7 files have been
removed from keyutils 1.5.10.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
If "GPG_PATH" is set in the init script, then "signing-keys"
get_public_keys task will execute failed.
So the "GPG_PATH" directory would be created when "GPG_PATH" is set.
The do_get_public_keys failed to import gpg key error information is as following:
----------------------------------------------------------------------------------------
ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key
(layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
gpg: fatal: can't create directory
`tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.
The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
commit 52bf3b6636f95a(meta-integrity: move gpg keyring initialization
to signing-keys) tried to initialize keyring in the task check_public_keys
of the recipe signing-keys. However, it does work with the recipe
signing-keys only, and GPG_PATH can't be passed to other recipes.
We bring the python anonymous function back, and it makes sure GPG_PATH
is set before signing the packages for every recipe.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
