143 lines
4.3 KiB
Plaintext
143 lines
4.3 KiB
Plaintext
#@TYPE: Distribution
|
||
#@NAME: Cyber-secureboot
|
||
#@DESCRIPTION: Distribution configuration for SecureBoot Proof of Concept
|
||
|
||
DISTRO_VERSION = "1.0.0"
|
||
DISTRO_NAME = "SCLE Cyber SecureBoot Distro"
|
||
|
||
SDK_VENDOR = "-cyber"
|
||
SDK_VERSION = "${DISTRO_VERSION}"
|
||
MAINTENER = "vincent.benoit@scle.fr"
|
||
|
||
# Image Rootfs type and size
|
||
WKS_FILE = "pengwyn-yocto-verity.wks.in"
|
||
|
||
# Define a multiplier that the build system applies
|
||
IMAGE_OVERHEAD_FACTOR = "3"
|
||
# 3 Go
|
||
#IMAGE_ROOTFS_EXTRA_SPACE = "3145728"
|
||
|
||
# mask systemd-serialgetty parsed attribute SERIAL_CONSOLES
|
||
#SERIAL_CONSOLES = ""
|
||
|
||
##########################################################
|
||
#
|
||
# Bootloader & SPL
|
||
#
|
||
##########################################################
|
||
|
||
# The file type for the Secondary Program Loader (SPL)
|
||
SPL_BINARY = "spl/u-boot-spl.bin"
|
||
SPL_SUFFIX = "bin"
|
||
|
||
#*********************************************************
|
||
# U-Boot FIT Image
|
||
#*********************************************************
|
||
|
||
# Enable use of a U-Boot fitImage
|
||
UBOOT_FITIMAGE_ENABLE = "1"
|
||
# U-Boot fitImage Hash Algo
|
||
UBOOT_FIT_HASH_ALG = "sha256"
|
||
# U-Boot fitImage Signature Algo
|
||
UBOOT_FIT_SIGN_ALG = "rsa2048"
|
||
# Generate keys for signing U-Boot fitImage
|
||
UBOOT_FIT_GENERATE_KEYS = "1"
|
||
# Size of private keys in number of bits
|
||
UBOOT_FIT_SIGN_NUMBITS = "2048"
|
||
|
||
#*********************************************************
|
||
# U-Boot & SPL Signature
|
||
#*********************************************************
|
||
|
||
# Localtion of the directory containing the RSA key and certificate used for signing image
|
||
UBOOT_SIGN_KEYDIR = "${PWD}/scle_keys"
|
||
# keys name in keydir (eg. "dev.crt", "dev.key")
|
||
UBOOT_SIGN_KEYNAME = "scle_kernel"
|
||
UBOOT_SIGN_ENABLE = "1"
|
||
|
||
# Localtion of the directory containing the RSA key and certificate used for signing bootloader
|
||
SPL_SIGN_KEYDIR = "${PWD}/scle_keys"
|
||
SPL_SIGN_KEYNAME = "scle_uboot"
|
||
SPL_SIGN_ENABLE = "1"
|
||
|
||
##########################################################
|
||
#
|
||
# Linux
|
||
#
|
||
##########################################################
|
||
|
||
KERNEL_CLASSES ?= " kernel-fitimage "
|
||
KERNEL_IMAGETYPE = "fitImage"
|
||
|
||
#*********************************************************
|
||
# Kernel FIT Image
|
||
#*********************************************************
|
||
|
||
# Decides whether to generate the keys for signing fitImage if they don’t already exist
|
||
FIT_GENERATE_KEYS = "1"
|
||
# Specifies the hash algorithm used in creating the FIT Image
|
||
FIT_HASH_ALG = "sha256"
|
||
# Specifies the signature algorithm used in creating the FIT Image
|
||
FIT_SIGN_ALG = "rsa4096"
|
||
# Size of private key in number of bits used in fitImage
|
||
FIT_SIGN_NUMBITS = "4096"
|
||
# sign the kernel, dtb and ramdisk images individually in addition to signing the fitImage itself
|
||
FIT_SIGN_INDIVIDUAL = "1"
|
||
|
||
IMAGE_BOOT_FILES = " \
|
||
MLO \
|
||
u-boot.${UBOOT_SUFFIX} \
|
||
uEnv.txt \
|
||
fitImage \
|
||
devicetree/am335x-pengwyn.dtb \
|
||
"
|
||
|
||
##########################################################
|
||
#
|
||
# Device Mapper - Verity
|
||
#
|
||
##########################################################
|
||
|
||
SCLE_DM_VERITY = "1"
|
||
IMAGE_CLASSES += " dm-verity-img"
|
||
DM_VERITY_IMAGE = "cyber-secureboot-image"
|
||
DM_VERITY_IMAGE_TYPE = "ext4"
|
||
#DM_VERITY_IMAGE_DATA_BLOCK_SIZE = "4096"
|
||
|
||
#INITRAMFS_IMAGE = "core-image-minimal-initramfs"
|
||
INITRAMFS_IMAGE = "dm-verity-image-initramfs"
|
||
INITRAMFS_FSTYPES = "cpio.gz"
|
||
INITRAMFS_IMAGE_BUNDLE = "1"
|
||
|
||
SDIMG_ROOTFS_TYPE = "ext4.verity"
|
||
|
||
##########################################################
|
||
#
|
||
# Misc
|
||
#
|
||
##########################################################
|
||
|
||
# Preferred providers for Packages
|
||
PREFERRED_RPROVIDER_libdevmapper-native = "libdevmapper-native"
|
||
|
||
# Use systemd
|
||
DISTRO_FEATURES = "acl argp systemd usbhost ipv4 largefile usbgadget pam vfat xattr ldconfig tpm tpm2 security"
|
||
|
||
VIRTUAL-RUNTIME_init_manager = "systemd"
|
||
VIRTUAL-RUNTIME_login_manager = "shadow-base"
|
||
VIRTUAL-RUNTIME_syslog = "rsyslog"
|
||
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
|
||
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"
|
||
|
||
IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"
|
||
|
||
# set /var/log persistent
|
||
VOLATILE_LOG_DIR = "no"
|
||
|
||
# Use extrausers
|
||
INHERIT += "extrausers"
|
||
# mkpasswd -m sha-512 root -s sclecyber
|
||
EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"
|
||
|
||
RM_WORK_EXCLUDE += "dm-verity-image-initramfs cyber-secureboot-image"
|