Yi Zhao 0e475df858 secure-core-image: pass encrypted password rather than plaintext password to usermod
In oe-core commit 759df7395908f18b3b68f28d043ac9ebd42dd0c8, the
plaintext password setting function was dropped because of the security
issue. So the plaintext password setting method "usermod -P 'password'
user" is not available. Now we should pass the encrypted password to
usermod via -p option.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00

This README file contains information on the contents of the
meta-secure-core layer.

Please see the corresponding sections below for details.


Dependencies
============

This layer depends on:

  URI: git://git.openembedded.org/bitbake
  branch: master

  URI: git://git.openembedded.org/openembedded-core
  layers: meta
  branch: master

This layer also supports the stable branches actively maintained by the
Yocto Project. Please check [this page](https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance) for them.

Patches
=======

Please submit any patches against the meta-secure-core layer to the
maintainer:

Maintainer: Jia Zhang <zhang.jia@linux.alibaba.com>


Table of Contents
=================

  I. Adding the meta-secure-core layer to your build
 II. Configure meta-secure-core
III. Build meta-secure-core


I. Adding the meta-secure-core layer to your build
==================================================

In order to use this layer, you need to make the build system aware of
it.

Assuming the meta-secure-core layer exists at the top level of your
Yocto build tree, you can add it to the build system by adding the
location of the meta-secure-core layer to bblayers.conf, along with any
other layers needed, e.g.:

  BBLAYERS ?= "\
    /path/to/yocto/meta \
    /path/to/yocto/meta-poky \
    /path/to/yocto/meta-yocto-bsp \
    /path/to/yocto/meta-secure-core/meta \
    /path/to/yocto/meta-secure-core/meta-signing-key \
    /path/to/yocto/meta-secure-core/meta-tpm \
    /path/to/yocto/meta-secure-core/meta-tpm2 \
    /path/to/yocto/meta-secure-core/meta-efi-secure-boot \
    /path/to/yocto/meta-secure-core/meta-integrity \
    /path/to/yocto/meta-secure-core/meta-encrypted-storage \
    "

or run bitbake-layers to add meta-secure-core and its sub-layers:

    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-signing-key
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-tpm
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-tpm2
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-efi-secure-boot
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-integrity
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-encrypted-storage

II. Configure meta-secure-core
==============================

The full feature set of meta-secure-core can be enabled with these
definitions in local.conf:

    INITRAMFS_IMAGE = "secure-core-image-initramfs"
    DISTRO_FEATURES_NATIVE:append = " systemd ima tpm tpm2 efi-secure-boot luks"
    DISTRO_FEATURES:append = " systemd ima tpm tpm2 efi-secure-boot luks modsign"
    MACHINE_FEATURES_NATIVE:append = " efi"
    MACHINE_FEATURES:append = " efi"
    PACKAGE_CLASSES = "package_rpm"
    INHERIT += "sign_rpm_ext"
    SECURE_CORE_IMAGE_EXTRA_INSTALL ?= "\
        packagegroup-efi-secure-boot \
        packagegroup-tpm \
        packagegroup-tpm2 \
        packagegroup-ima \
        packagegroup-luks \
    "
    DEBUG_FLAGS:forcevariable = ""
    IMAGE_INSTALL:append = " kernel-image-bzimage"

    # Uncomment this line to modify the root parameter in boot command line if the default one
    # is not working for you. It is helpful when secure boot is enabled.
    #BOOT_CMD_ROOT = "/dev/hda2"
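
A pre-build lint for the local.conf settings above, as an added example that is not part of the meta-secure-core layer: it reports features from the README's DISTRO_FEATURES line that are missing, and `:append` values written without the leading space, which bitbake would fuse onto the preceding word so the feature is silently not enabled. The function names and the sample file are constructed for illustration, and the sed/grep parsing handles single-line assignments only.

```shell
# Added example (not meta-secure-core code); function names are hypothetical.
# Parses single-line assignments only.
REQUIRED_DISTRO_FEATURES="systemd ima tpm tpm2 efi-secure-boot luks modsign"

# Print the quoted value of the first assignment to variable $2 in file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?+:.]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" |
        head -n 1
}

# Print each required feature absent from DISTRO_FEATURES:append.
missing_features() {
    have=" $(conf_value "$1" 'DISTRO_FEATURES:append') "
    for f in $REQUIRED_DISTRO_FEATURES; do
        case "$have" in *" $f "*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# Print each VAR:append whose value does not start with a space. bitbake
# appends the string verbatim, so "efi" would fuse with the previous word.
unspaced_appends() {
    grep -E '^[[:space:]]*[A-Za-z0-9_]+:append[[:space:]]*=[[:space:]]*"[^ "]' "$1" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*=.*//'
}

# Return 0 when the file passes every check, 1 otherwise.
lint_local_conf() {
    rc=0
    for f in $(missing_features "$1"); do
        echo "DISTRO_FEATURES:append lacks '$f'"; rc=1
    done
    for v in $(unspaced_appends "$1"); do
        echo "$v: value has no leading space"; rc=1
    done
    [ "$(conf_value "$1" INITRAMFS_IMAGE)" = "secure-core-image-initramfs" ] ||
        { echo "INITRAMFS_IMAGE is not secure-core-image-initramfs"; rc=1; }
    return "$rc"
}

# Constructed sample: modsign omitted, MACHINE_FEATURES:append lacks its space.
sample=$(mktemp)
cat > "$sample" <<'EOF'
INITRAMFS_IMAGE = "secure-core-image-initramfs"
DISTRO_FEATURES:append = " systemd ima tpm tpm2 efi-secure-boot luks"
MACHINE_FEATURES:append = "efi"
EOF
lint_local_conf "$sample" || echo "local.conf needs fixing"
```

The values bitbake finally resolves can differ from local.conf once other layers and the distro configuration are parsed, so `bitbake -e` output remains the authoritative view.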

III. Build meta-secure-core
===========================

The meta-secure-core layer provides an image called secure-core-image.
Run the following command to build it:

    $ bitbake secure-core-image

Reference
=========

[SecureCore - a reference implementation based on meta-secure-core](https://github.com/jiazhang0/SecureCore)