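#@TYPE: Distribution
#@NAME: Cyber-secureboot
#@DESCRIPTION: Distribution configuration for SecureBoot Proof of Concept

DISTRO_VERSION = "1.0.0"
DISTRO_NAME = "SCLE Cyber SecureBoot Distro - Kernel FitImage Signed"

SDK_VENDOR = "-cyber"
SDK_VERSION = "${DISTRO_VERSION}"
# Was spelled MAINTENER, which is not a variable OpenEmbedded reads;
# MAINTAINER is the standard distro variable.
MAINTAINER = "vincent.benoit@scle.fr"

# Image rootfs type and size
WKS_FILE = "pengwyn-yocto.wks.in"

# Multiplier the build system applies to the rootfs size when sizing the image
IMAGE_OVERHEAD_FACTOR = "3"
# 3 GiB of extra rootfs space (value in KiB) - currently disabled
#IMAGE_ROOTFS_EXTRA_SPACE = "3145728"

# Emptying SERIAL_CONSOLES (the variable systemd-serialgetty parses) would
# leave no getty on the serial port. Currently disabled, so presumably the
# machine configuration's value applies and the serial console offers a login.
#SERIAL_CONSOLES = ""

##########################################################
#
# Bootloader & SPL
#
##########################################################

## The file used as the Secondary Program Loader (SPL)
SPL_BINARY = "MLO"

#*********************************************************
# U-Boot Signature
#*********************************************************

# Location of the directory containing the RSA keys and certificates used
# for signing the image.
# NOTE(review): ${PWD} follows the directory bitbake is started from, so the
# key location moves with the caller's working directory. Combined with
# FIT_GENERATE_KEYS = "1" below, a build started from another directory would
# presumably sign with freshly generated keys instead of the intended ones.
# A fixed absolute path outside the source tree is safer, and the private
# keys in this directory must never be committed or shipped.
UBOOT_SIGN_KEYDIR = "${PWD}/scle_keys"
# Name of the key in keydir (e.g. "dev" for "dev.crt" / "dev.key");
# this one signs the FIT configuration nodes.
UBOOT_SIGN_KEYNAME = "scle_conf"
# Name of the key that signs the individual image nodes; only used when
# FIT_SIGN_INDIVIDUAL = "1". The keys used for image nodes and for
# configuration nodes must be different.
UBOOT_SIGN_IMG_KEYNAME = "scle_kernel"
# Turn fitImage signing on.
# NOTE(review): signing alone does not enforce anything; confirm that the
# U-Boot build actually requires a valid signature before booting.
UBOOT_SIGN_ENABLE = "1"

##########################################################
#
# Linux
#
##########################################################

KERNEL_CLASSES ?= " kernel-fitimage "
KERNEL_IMAGETYPE = "fitImage"

#*********************************************************
# Kernel FIT Image
#*********************************************************

# Generate the keys for signing the fitImage if they do not already exist.
# NOTE(review): convenient for a proof of concept. For anything deployed,
# provision the keys out of band and set this to "0", so that a missing key
# is noticed instead of being silently replaced by a new trust root.
FIT_GENERATE_KEYS = "1"
# Hash algorithm used when creating the FIT image
FIT_HASH_ALG = "sha256"
# Signature algorithm used when creating the FIT image
FIT_SIGN_ALG = "rsa4096"
# Size in bits of the private key used for the fitImage;
# keep it consistent with FIT_SIGN_ALG (rsa4096 <-> 4096).
FIT_SIGN_NUMBITS = "4096"
# Sign the kernel, dtb and ramdisk images individually, in addition to
# signing the fitImage configuration itself
FIT_SIGN_INDIVIDUAL = "1"

# Files placed on the boot partition.
# NOTE(review): of these, only fitImage is covered by the signatures
# configured above. uEnv.txt and the standalone device tree are unsigned;
# confirm that the U-Boot build does not let them alter the boot flow
# (environment import, external dtb), otherwise the fitImage verification
# can be sidestepped. Nothing in this file shows MLO or u-boot being
# verified by an earlier boot stage.
IMAGE_BOOT_FILES = " \
    MLO \
    u-boot.${UBOOT_SUFFIX} \
    uEnv.txt \
    fitImage \
    devicetree/am335x-pengwyn.dtb \
    "

##########################################################
#
# Misc
#
##########################################################

# Use systemd
DISTRO_FEATURES = "acl argp systemd usbhost ipv4 largefile usbgadget pam vfat xattr ldconfig security"

VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_login_manager = "shadow-base"
VIRTUAL-RUNTIME_syslog = "rsyslog"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
# Keep sysvinit from being backfilled into DISTRO_FEATURES
DISTRO_FEATURES_BACKFILL_CONSIDERED = "sysvinit"

# NOTE(review): ssh-server-openssh exposes a network login service and
# package-management ships a package manager on the target. Both widen the
# attack surface of a secure-boot image and are worth dropping outside the
# proof of concept.
IMAGE_FEATURES += " package-management ssh-server-openssh read-only-rootfs"

# Keep /var/log persistent.
# NOTE(review): with read-only-rootfs this presumably needs a writable
# location behind /var/log - confirm.
VOLATILE_LOG_DIR = "no"

# Use extrausers
INHERIT += "extrausers"
# Root password hash, produced with:
# mkpasswd -m sha-512 root -s sclecyber
# NOTE(review): the command above publishes both the password and the salt,
# so this hash protects nothing: anyone who can read this file knows the root
# password of every image built from it. Acceptable for the proof of concept
# only. For a real image, supply the hash from outside the layer per build,
# or lock the root password and rely on SSH keys.
EXTRA_USERS_PARAMS += "usermod -p '\$6\$sclecyber\$n9LKVtEnhPIDEbFdRFVPWbuRoYabzprcF0W2XuR4Tg/au6xrII8/4qBDc8vPn0z7qthIL.UMp4TlZWi9uOsFQ.' root;"

# Keep the image recipe's work directory when rm_work is in use
RM_WORK_EXCLUDE += "cyber-secureboot-image"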