mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-12 03:10:13 +00:00
bd7a25c4dd53d8cd2f535f8d967c9e802d3bd682
This file was forked from the generic (non verity) version in meta-yocto,
but it would seem that due to limited use, an update in the parent never
made it here, even after two years:

    [commit 0c679ac53b52e631a7c961872ce58f5cf74b8629 in meta-yocto]

    From: Kevin Hao <kexin.hao@windriver.com>
    Date: Tue, 23 Mar 2021 17:35:29 +0800
    Subject: [PATCH] meta-yocto-bsp: beaglebone: Set a fixed size for boot partition in WIC image

    After the dosfstools has been updated to v4.2 by commit b522f24723e1
    ("dosfstools: update 4.1 -> 4.2"), the commit b29eb5be67e9 ("mkfs.fat:
    Align total number of sectors to be multiple of sectors per track") in
    v4.2 has caused a regression in beaglebone black board. The reason is
    that the real total sectors of the fat filesystem created by the
    mkdosfs may not be the same size as what we requested due to the
    alignment with the sectors per track. This change seems to have no
    side effect on the Linux kernel, but it breaks the beaglebone black
    boot ROM and makes it unable to load the MLO. In order to fix this
    issue, we choose to set a fixed size for the boot partition to make
    sure that the total sectors are always aligned with the sectors per
    track.

    [Yocto #14306]

Bring the same change across, so dm-verity doesn't face the same
frustrating silent boot failure with zero console output.

With this change in place, and allowing for read-only rootfs, we see:

    device-mapper: verity: sha256 using implementation "sha256-generic"
    EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null). Quota mode: disabled.
    INIT: version 3.01 booting

Note that the above is from booting on real hardware on Kirkstone.

Cc: Kevin Hao <kexin.hao@windriver.com>
Cc: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Meta-security
=============

The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'security' in DISTRO_FEATURES to have effect.
To enable them, add the following line to your configuration file:

    DISTRO_FEATURES:append = " security"

If meta-security is included, but 'security' is not enabled as a
distro feature, a warning is printed at parse time:

    You have included the meta-security layer, but
    'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
    and preferred version setting may not take effect.

If you know what you are doing, this warning can be disabled by setting the following
variable in your configuration:

    SKIP_META_SECURITY_SANITY_CHECK = "1"

This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.
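
A pre-flight check for the DISTRO_FEATURES requirement described above, as an
added example that is not part of meta-security. It assumes the VAR="value"
lines printed by 'bitbake -e'; the function names, return codes and sample
lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from meta-security): classify `bitbake -e` output.

# Print the final expanded value of variable $1 from `bitbake -e` text on stdin.
bb_var() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | tail -n 1
}

# Reads `bitbake -e` output on stdin. Return codes (chosen for this example):
#   0  'security' is in DISTRO_FEATURES
#   1  'security' is missing; the parse-time warning will be printed
#   2  'security' is missing and the warning is silenced by the skip variable
check_security_layer() {
    dump=$(cat)
    features=$(printf '%s\n' "$dump" | bb_var DISTRO_FEATURES)
    skip=$(printf '%s\n' "$dump" | bb_var SKIP_META_SECURITY_SANITY_CHECK)
    # Match whole words only, so e.g. "nosecurity" does not count.
    case " $(printf '%s' "$features" | tr '\t' ' ') " in
        *" security "*) return 0 ;;
    esac
    if [ "$skip" = "1" ]; then
        echo "security not in DISTRO_FEATURES and sanity check skipped" >&2
        return 2
    fi
    echo "security not in DISTRO_FEATURES" >&2
    return 1
}

# Constructed samples in the VAR="value" form that `bitbake -e` prints.
sample_enabled() {
    printf '%s\n' '# $DISTRO_FEATURES [3 operations]' \
        'DISTRO_FEATURES="acl ipv4 pam security"'
}
sample_missing() {
    printf '%s\n' 'DISTRO_FEATURES="acl ipv4 pam"'
}
sample_silenced() {
    printf '%s\n' 'DISTRO_FEATURES="acl ipv4 pam"' \
        'SKIP_META_SECURITY_SANITY_CHECK="1"'
}

# Stand-alone demo on the constructed samples.
for s in sample_enabled sample_missing sample_silenced; do
    rc=0
    $s | check_security_layer 2>/dev/null || rc=$?
    echo "$s -> $rc"
done
```

In a real build tree, run 'bitbake -e | check_security_layer'. Return code 2
is the case to fail a CI job on: the bbappends are not applied and nothing is
printed at parse time.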
Dependencies
============

This layer depends on:

    URI: git://git.openembedded.org/openembedded-core
    branch: [same one as checked out for this layer]

    URI: git://git.openembedded.org/meta-openembedded/meta-oe
    branch: [same one as checked out for this layer]

Adding the security layer to your build
========================================

In order to use this layer, you need to make the build system aware of
it.

Assuming the security layer exists at the top-level of your
Yocto build tree, you can add it to the build system by adding the
location of the security layer to bblayers.conf, along with any
other layers needed, e.g.:

    BBLAYERS ?= " \
      /path/to/oe-core/meta \
      /path/to/meta-openembedded/meta-oe \
      /path/to/layer/meta-security "

Optional Dynamic layer dependency
=================================

    URI: git://git.openembedded.org/meta-openembedded/meta-oe
    URI: git://git.openembedded.org/meta-openembedded/meta-perl
    URI: git://git.openembedded.org/meta-openembedded/meta-python

    BBLAYERS += "/path/to/layer/meta-openembedded/meta-oe"
    BBLAYERS += "/path/to/layer/meta-openembedded/meta-perl"
    BBLAYERS += "/path/to/layer/meta-openembedded/meta-python"

This will activate the dynamic-layer mechanism.

Maintenance
======================================
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org

When sending single patches, please use something like:

    git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH

These values can be set as defaults for this repository:

    $ git config sendemail.to yocto@lists.yoctoproject.org
    $ git config format.subjectPrefix meta-security][PATCH

Now you can just do 'git send-email origin/master' to send all local patches.

For pull requests, please use create-pull-request and send-pull-request.

Maintainers: Armin Kuster <akuster808@gmail.com>
License
=======
All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.