The grub-efi-native build doesn't need to run do_sign task but there are
two prefuncs for do_sign still run in native build. This will cause a
build error when there is no gpg command on the host. Move the functions
to do_sign_prepend_class-target to make sure they only run in target
build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
If GRUB_SIGN_VERIFY is not enabled, do_sign will fail in which GPG_PATH
is not set (--homedir None)
...
|DEBUG: Executing python function do_sign
|NOTE: Running: echo "SecureCore" | tmp-glibc/hosttools/gpg --pinentry-mode
loopback --batch --homedir None -u "SecureBootCore" --detach-sign
--passphrase-fd 0 "tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi"
|ERROR: Failed to sign: tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
...
Since GPG_PATH is set in do_sign's prefunc check_boot_public_key if
GRUB_SIGN_VERIFY is enabled, add the same condition to do_sign
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Since commit [382ffa1 efitools: Fix compilation problem with
latest /usr/include/efi], we should apply the fix to native also.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
While refactoring the code to eliminate the overlap in the copy of the
.sig and .p7b files the UEFI_SELOADER test was not removed. This
results in the .sig files not getting copied to the deploy directory
when using the GRUB_SIGN_VERIFY = "1".
All that is needed is to remove the UEFI_SELOADER test statement.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.
It will be possible in a template or local.conf:
UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Allow SELoader to be an optional component for secure boot
verification. The GPG_SIGN_VERIFY variable was added to control the
ability to have grub perform all of the verification of the loaded
files using a public key which gets built into grub at the time that
mkimage is run.
It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both
be set to "1". While this configuration could work, it makes very
little sense to use the system that way.
Also enabled is the tftp feature for grub as a builtin. This allows
grub to start from the network when the UEFI is configured to boot off
the network with tftp.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install. It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data. There are several other minor bug fixes, with the short log
shown below.
====
James Bottomley (13):
cert-to-efi-hash-list: fix for openssl 1.1
Version: 1.8.0
Fix Fedora build
Version: 1.8.1
factor out variable signing code
support engine based keys
use SignedData instead of PKCS7 for variable updates
Version: 1.9.0
Makefile: Reverse the order of lib.a and -lcrypto
Version: 1.9.1
sign-efi-sig-list: add man page entry for engine option
sha256: do not align raw section sizes
Version: 1.9.2
pai-yi.huang (1):
efi-updatevar: remove all authenticated attributes from signature
Make.rules | 6 ++---
Makefile | 12 +++++-----
cert-to-efi-hash-list.c | 6 ++++-
efi-updatevar.c | 28 +++++++++++------------
include/openssl_sign.h | 10 ++++++++
include/version.h | 2 +-
lib/Makefile | 2 +-
lib/openssl_sign.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/sha256.c | 8 ++++---
sign-efi-sig-list.c | 59 +++++++++++------------------------------------
10 files changed, 213 insertions(+), 76 deletions(-)
create mode 100644 include/openssl_sign.h
create mode 100644 lib/openssl_sign.c
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Currently the recovery menuentry is not available because we don't
provide bzImage_backup and initrd_backup. Remove this entry.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Rather than using pre-compiled EFI drivers, use freshly compiled drivers
from OVMF source tree.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Package Pkcs7VerifyDxe.efi and Hash2DxeCrypto.efi to be used by SELoader
bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Add support for verifying PKCS#7 signatures via MOK2 protocol to
multiboot2 command enabling one to load multiboot-capable kernels.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Fix the following QA issue:
WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183
chown to root for p7b file to fix uid contamination by host.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Backport patch to fix build error with gcc9 for option
"-Werror=address-of-packed-member"
MokManager.c: In function 'write_back_mok_list':
MokManager.c:1125:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1125 | if (CompareGuid(&(list[i].Type), &CertType) == 0)
| ^~~~~~~~~~~~~~~
MokManager.c:1147:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1147 | if (CompareGuid(&(list[i].Type), &CertType) == 0) {
| ^~~~~~~~~~~~~~~
MokManager.c: In function 'delete_cert':
MokManager.c:1188:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1188 | if (CompareGuid(&(mok[i].Type), &CertType) != 0)
| ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_hash_in_list':
MokManager.c:1239:20: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1239 | if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
| ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_keys':
MokManager.c:1410:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
1410 | if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
<builtin>: recipe for target 'MokManager.o' failed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Fix the build errors with DEBUG_BUILD enabled:
grub-core/loader/linux.c: In function 'grub_initrd_load':
grub-core/loader/linux.c:326:10: error: 'err' may be used \
uninitialized in this function [-Werror=maybe-uninitialized]
In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
char *argv[], void *target)
{
[snip]
grub_err_t err;
[snip]
#ifdef GRUB_MACHINE_EFI
[snip]
err = grub_verify_file (argv[i]);
[snip]
#endif
[snip]
fail:
[snip]
return err;
}
If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When the meta-efi-secure-boot layer is included but feature
efi-secure-boot is not set. We got the following error with
kernel-initramfs building:
ERROR: kernel-initramfs-1.0-r0 do_deploy: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995
Log data follows:
| DEBUG: Executing python function sstate_task_prefunc
| DEBUG: Python function sstate_task_prefunc finished
| DEBUG: Executing shell function do_deploy
| install: cannot stat '/buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/image/boot/*.p7b': No such file or directory
| WARNING: /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/run.do_deploy.16995:1 exit 1 from 'install -m 0644 ${SIG} /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/deploy-kernel-initramfs'
| ERROR: Function failed: do_deploy (log file is located at /buildarea/build/tmp/work/genericx86_64-poky-linux/kernel-initramfs/1.0-r0/temp/log.do_deploy.16995)
ERROR: Task (/buildarea/poky/meta-secure-core/meta/recipes-core/images/kernel-initramfs.bb:do_deploy) failed with exit code '1'
Rename kernel-initramfs.bbappend to kernel-initramfs-efi-secure-boot.inc
and add a new bbappend. Make sure this piece of code should be applied
only if the efi-secure-boot feature is set.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
In order to deploy our secure boot keys in DER format we need to use
openssl. This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign. Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.
Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
The oe-core commit 8d454ea754c96561257b1cc011fa638ceaa771db renamed type
variable to imageType in kernel.bbclass to avoid confusion with "type"
command in shell. We also do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The *_BASE_NAME was renamed to *_NAME and *_SYMLINK_NAME was renamed to
*_LINK_NAME in oe-core commit f952c8e08b4798aa0f8bf764cfd70bda0eae9b8b.
So we also need to do the same thing here.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake efitools lib32-efitools
ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
(matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake seloader lib32-seloader
ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi. Add in conditional logic to pass this only
for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
The kernel-initramfs.bbappend depends on kernel-initramfs.bb in
meta-secure-core/meta/recipes-core/images/
Fix parsing error:
ERROR: No recipes available for:
meta-secure-core/meta-efi-secure-boot/recipes-core/images/kernel-initramfs.bbappend
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.
Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
In commit 1c96c0d096, the kernel p7b file
is moved from ${B}/${KERNEL_OUTPUT_DIR}/ to ${D}/boot/. But in
do_deploy(), it still try to copy p7b file from ${B}/${KERNEL_OUTPUT_DIR}/
to ${DEPLOYDIR}/. Using shutil.copyfile instead of shutil.move to fix
this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
To match the usual user experience of having /boot/${KERNEL_IMAGETYPE}
exist as a symlink to the real kernrel, also have our signature file
exist for that as a symlink and include it in the package file.
Signed-off-by: Tom Rini <trini@konsulko.com>
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().
Signed-off-by: Kai Kang <kai.kang@windriver.com>
