The python2 is removed from oe-core and there is no python symblic link
by default which will cause an error when running test scripts:
$ ./test_tpm2_activecredential.sh: line 66: python: command not found
So drop python2 support and only keep python3.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
If GPG_PATH is already created by signing-keys do_get_public_keys task,
subsequent executions of do_package_write_rpm will fail with "Filename too
long" errors (this only affects builds using GPG paths larger than 80
characters).
Fix this race condition by making sure that the redirection files are always
present in the gpg homedir even if the directory already exists when the first
package_write_rpm task executes.
Also, make sure this new approach does not affect GPG_PATHs smaller than 80
chars.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Currently, an error will be thrown when trying to use a GPG homedir whose path
length exceeds 80 characters. This limitation can be worked around by providing
libassuan socket redirection files for "S.gpg-agent.yocto-native",
"S.gpg-agent.ssh", "S.gpg-agent.browser" and "S.gpg-agent.extra"
sockets. The redirection files will point to the real sockets in /tmp
directory. The sockets will be automatically cleaned up by gpg agent.
References:
[1] https://dev.gnupg.org/T1752
[2] https://gnupg.org/documentation/manuals/assuan.pdf
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
tpm-tools calls pod2man to produce manual files. But pod2man has been
removed from hosttools in oe-core. So it fails occasionally when in some
certain condition .pod file is newer than corresponding man page files
that man files need to be reproduced:
| make[3]: Entering directory 'TOPDIR/tmp-glibc/work/ppc7400-wrs-linux/tpm-tools/1.3.9.1+gitAUTOINC+bdf9f1bc8f-r0/git/man/man8'
| /bin/bash: pod2man: command not found
| make[3]: *** [Makefile:575: tpm_nvwrite.8] Error 127
Inherit perlnative to fix such issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Fixes:
* Use glibc header instead of libattr header because the attr/xattr.h
has been removed from attr package.
* fix configure check for newer libimaevm versions.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
If efi-secure-boot distro feature is enabled, let the possibility to
enable only the UEFI SecureBoot (through UEFI_SB Bitbake variable)
without MOK_SB variable.
Allow explicitly overriding the MOK_SB Bitbake variable.
Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
The grub-efi-native build doesn't need to run do_sign task but there are
two prefuncs for do_sign still run in native build. This will cause a
build error when there is no gpg command on the host. Move the functions
to do_sign_prepend_class-target to make sure they only run in target
build.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
On some host configuration such as ubuntu 16.04 the gnupg in /usr/bin
is the 1.x version. This can cause problems between the import and
signing process if the gpg version is different. The commands in the
user-key-store class assume gnupg is at least version 2.2 or newer.
To avoid the signing phase failing for the efitools and the kernel,
the user-key-store class should depend on the gnupg-native binaries.
It avoids this specific error:
ERROR: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_sign: Failed to sign: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
ERROR: Logfile of failure stored in: /opt/tmp-glibc/work/corei7-64-wrs-linux/efitools/1.9.2+gitAUTOINC+392836a46c-r0/temp/log.do_sign.22969
NOTE: recipe efitools-1.9.2+gitAUTOINC+392836a46c-r0: task do_sign: Failed
[ Issue: LIN1019-3757 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Currently, the PACKAGECONFIG assignment in rpm-integrity might overwrite
the previous contents of the variable.
Similar to systemd_%.bbappend and ovmf_%.bbappend, use _append to add
"imaevm" to PACKAGECONFIG when distro feature ima is enabled.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
connect to gpg agent may failed due to the GPG_PATH is too long,
check and raise an error if the length is greater than 80.
Signed-off-by: Liwei Song <liwei.song@windriver.com>
do_rootfs
in commit 393b80fa, prefuncs of do_package_write_rpm/do_rootfs
have been replace by (task)_prepend in this bbclass, so remove it.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
If GRUB_SIGN_VERIFY is not enabled, do_sign will fail in which GPG_PATH
is not set (--homedir None)
...
|DEBUG: Executing python function do_sign
|NOTE: Running: echo "SecureCore" | tmp-glibc/hosttools/gpg --pinentry-mode
loopback --batch --homedir None -u "SecureBootCore" --detach-sign
--passphrase-fd 0 "tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi"
|ERROR: Failed to sign: tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
...
Since GPG_PATH is set in do_sign's prefunc check_boot_public_key if
GRUB_SIGN_VERIFY is enabled, add the same condition to do_sign
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Since commit [382ffa1 efitools: Fix compilation problem with
latest /usr/include/efi], we should apply the fix to native also.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Issue: LIN1018-450
Under extremely rare circumstances, access can be denied to /tmp,
so we specify a local TMPDIR.
This is a cherry-pick of 886c44b from WRL 10.17.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
While refactoring the code to eliminate the overlap in the copy of the
.sig and .p7b files the UEFI_SELOADER test was not removed. This
results in the .sig files not getting copied to the deploy directory
when using the GRUB_SIGN_VERIFY = "1".
All that is needed is to remove the UEFI_SELOADER test statement.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The initrd takes care of starting the luks volumes and activing the
dmcrypt udev rules. The udev rule required a modification to deal
with volumes that had already been started, else the cold plug event
that runs at user space startup puts the dmcrypt device into a state
that systemd cannot manage it.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Sample keys are required in order for the signing to succeed when
using grub boot verification. The keys are only used when
GRUB_SIGN_VERIFY = "1", and it is intended that and user would
generate new keys with the create-user-key-store.sh.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.
It will be possible in a template or local.conf:
UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The lvm2-udevrules is required else udev will never perform the device
notification when an encrypted volume is initially created.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The create-user-key-store.sh was changed in a number ways to improve
the usability with other layers that will consume the key services
provided by meta-secure-core.
New features:
* A safety check was added that keys can only be written to a fresh
empty directory.
* The script can be run non-iteractively or interactively for the ease of use.
* gpg 1.x support and gpg 2.x support work with the passphrases
* A keys.conf is generated to allow a single line to be written into the
local.conf with all the keys.
An interactive session looks like:
==================================
./create-user-key-store.sh -d /tmp/test
KEYS_DIR: /tmp/test
Enter RPM/OSTree GPG keyname (use dashes instead of spaces) [default: PKG-SecureCore]: PKG-Sample-Man
Enter RPM/OSTree GPG e-mail address [default: SecureCore@foo.com]: sample.man@sample.com
Enter RPM/OSTREE GPG comment [default: Signing Key]: Sample Signing Key
Using boot loader gpg name: BOOT-Sample-Man
Using boot loader gpg email: sample.man@sample.com
Using boot loader gpg comment: Sample Signing Key
Press control-c now if and use -bn -bm -bc arguments if you want
different values other than listed above
Enter RPM/OSTREE passphrase: abc1234
Enter IMA passphrase: 1234pass
Enter boot loader GPG passphrase: bootup
Enter boot loader locked configuration password(e.g. grub pw): root
MASTER_KEYS_DIR = "/tmp/test"
IMA_KEYS_DIR = "${MASTER_KEYS_DIR}/ima_keys"
IMA_EVM_KEY_DIR = "${MASTER_KEYS_DIR}/ima_keys"
RPM_KEYS_DIR = "${MASTER_KEYS_DIR}/rpm_keys"
BOOT_KEYS_DIR = "${MASTER_KEYS_DIR}/boot_keys"
MOK_SB_KEYS_DIR = "${MASTER_KEYS_DIR}/mok_sb_keys"
SYSTEM_TRUSTED_KEYS_DIR = "${MASTER_KEYS_DIR}/system_trusted_keys"
UEFI_SB_KEYS_DIR = "${MASTER_KEYS_DIR}/uefi_sb_keys"
GRUB_PUB_KEY = "${MASTER_KEYS_DIR}/boot_keys/boot_pub_key"
GRUB_PW_FILE = "${MASTER_KEYS_DIR}/boot_keys/boot_cfg_pw"
OSTREE_GPGDIR = "${MASTER_KEYS_DIR}/rpm_keys"
RPM_GPG_NAME = "PKG-Sample-Man"
RPM_GPG_PASSPHRASE = "abc1234"
RPM_FSK_PASSWORD = "1234pass"
BOOT_GPG_NAME = "BOOT-Sample-Man"
BOOT_GPG_PASSPHRASE = "bootup"
OSTREE_GPGID = "PKG-Sample-Man"
OSTREE_GPG_PASSPHRASE = "abc1234"
OSTREE_GRUB_PW_FILE = "${GRUB_PW_FILE}"
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Allow SELoader to be an optional component for secure boot
verification. The GPG_SIGN_VERIFY variable was added to control the
ability to have grub perform all of the verification of the loaded
files using a public key which gets built into grub at the time that
mkimage is run.
It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both
be set to "1". While this configuration could work, it makes very
little sense to use the system that way.
Also enabled is the tftp feature for grub as a builtin. This allows
grub to start from the network when the UEFI is configured to boot off
the network with tftp.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
The device nodes are in a different place when using the swtpm + ovfm
+ qemu. The luks-setup.sh needs to look in an additional location to
properly support qemu.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
This changes the rpm signing setup to use a generic routine
check_gpg_key(), in order that the boot loader gpg signing can use the
same infrastructure.
For now the boot loader gpg signing will only support grub and
introduces the variable:
GRUB_SIGN_VERIFY = "1"
This variable is a control point to activate the code in grub-efi to
perform file verification of any file it loads against a gpg key which
is linked into the boot loader with grub-mkimage. It will also cause
all the other files such as the kernel, initramfs and LockDown.efi to
be signed such that grub will verify the files.
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
oe-core commit fb064356af615d67d85b65942103bf943d84d290 removed the
packagegroup-core-lsb, so it must be removed from any other image
recipes which refernce the packagegroup-core-lsb.
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install. It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data. There are several other minor bug fixes, with the short log
shown below.
====
James Bottomley (13):
cert-to-efi-hash-list: fix for openssl 1.1
Version: 1.8.0
Fix Fedora build
Version: 1.8.1
factor out variable signing code
support engine based keys
use SignedData instead of PKCS7 for variable updates
Version: 1.9.0
Makefile: Reverse the order of lib.a and -lcrypto
Version: 1.9.1
sign-efi-sig-list: add man page entry for engine option
sha256: do not align raw section sizes
Version: 1.9.2
pai-yi.huang (1):
efi-updatevar: remove all authenticated attributes from signature
Make.rules | 6 ++---
Makefile | 12 +++++-----
cert-to-efi-hash-list.c | 6 ++++-
efi-updatevar.c | 28 +++++++++++------------
include/openssl_sign.h | 10 ++++++++
include/version.h | 2 +-
lib/Makefile | 2 +-
lib/openssl_sign.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lib/sha256.c | 8 ++++---
sign-efi-sig-list.c | 59 +++++++++++------------------------------------
10 files changed, 213 insertions(+), 76 deletions(-)
create mode 100644 include/openssl_sign.h
create mode 100644 lib/openssl_sign.c
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Due to the following reasons, need to add the dependency to
task who needs to run check_rpm_public_key:
* packagegroup recipe don't have task prepare_recipe_sysroot
* varflags depends don't work for prefuncs
Signed-off-by: Changqing Li <changqing.li@windriver.com>
there is a scenario that this bbclass is enabled globally,
all targets will inherit sign_rpm_ext. but this bbclass
need gpg to work, on some new distro like
ubuntun 19.04, gpg is not installed, so compile will failed.
fail cmd:
cmd = '%s --batch --homedir %s --passphrase %s --import %s' % \
(gpg_bin, gpg_path, d.getVar('RPM_GPG_PASSPHRASE', True), gpg_key)
error:
base-files-3.0.14-r89 do_package_write_rpm: Failed to import gpg key (): /bin/sh: 1: --batch: not found
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Currently the recovery menuentry is not available because we don't
provide bzImage_backup and initrd_backup. Remove this entry.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
When using rpmsign (with --signfiles --fskpath) to sign RPM package,
the IMA signature is not correct, see:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQP3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
And the expected signature is like this:
$ getfattr -d -m - rootfs/usr/sbin/grpconv
file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQEAA6s8DwmRCVutcrE8NvHWWYXlg8L1AwH5teu44prkKRwmhZQ52Oa4UQoZZlxER/SJ9tijbve8ZAv++KW8EqgP4iZjEGh8ke76rpiRU5glnG/U+HUjnilJBpzpMJHxyNbAiFoHMESeCOtrhY0zZIUXK3DnIuIJSwpfl2HaNFxRrE38EaqgV9IQ8QiWFCvgDYXoJDwc3KdhjKjs214tCfZpKO1w4QJl2n4llZHw2RTHIuUOsMhRDEXs6onLHmdmhvqgxIHt7IvsT9v7H8GnoaiX0xgzxk2o/mE5EtPrnMtUoGSQwdY8CAfUbCwAp0c5QlsrHk5RBmewjJ/jxd/K1uKp7w==
The root cause is libimaevm doesn't retrieve correct signing algo, so this patch
is making things right.
Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
Since commit [b41010c linux-yocto-integrity: fix modsign key path] applied,
if MODSIGN_ENABLED is "0", bbclass user-key-store will not be inherited
which causing 'uks_modsign_keys_dir' is not defined
Unconditionally inherit user-key-store, but conditionally invoke
uks_modsign_keys_dir
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Use modsign key directly from uks_modsign_keys_path(d), rather than from
installed package.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Having a private key package might allow one to pull it into rootfs
which is really, really bad. So drop all private key packages.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
