This repository has been archived by the owner on Feb 7, 2023. It is now read-only.

This README file contains information on the contents of the
meta-secure-core layer.

Please see the corresponding sections below for details.


Dependencies
============

This layer depends on:

  URI: git://git.openembedded.org/bitbake
  branch: master

  URI: git://git.openembedded.org/openembedded-core
  layers: meta
  branch: master

This layer also supports the stable branches actively maintained by the
Yocto Project. See [this page](https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance) for the list.

Patches
=======

Please submit any patches against the meta-secure-core layer to the
maintainer:

Maintainer: Jia Zhang <zhang.jia@linux.alibaba.com>


Table of Contents
=================

  I. Adding the meta-secure-core layer to your build
 II. Configure meta-secure-core
III. Build meta-secure-core


I. Adding the meta-secure-core layer to your build
==================================================

In order to use this layer, you need to make the build system aware of
it.

Assuming the meta-secure-core layer exists at the top level of your
Yocto build tree, you can add it to the build system by adding the
location of the meta-secure-core layer to bblayers.conf, along with any
other layers needed, e.g.:

  BBLAYERS ?= "\
    /path/to/yocto/meta \
    /path/to/yocto/meta-poky \
    /path/to/yocto/meta-yocto-bsp \
    /path/to/yocto/meta-secure-core/meta \
    /path/to/yocto/meta-secure-core/meta-signing-key \
    /path/to/yocto/meta-secure-core/meta-tpm \
    /path/to/yocto/meta-secure-core/meta-tpm2 \
    /path/to/yocto/meta-secure-core/meta-efi-secure-boot \
    /path/to/yocto/meta-secure-core/meta-integrity \
    /path/to/yocto/meta-secure-core/meta-encrypted-storage \
    "

Alternatively, run bitbake-layers to add meta-secure-core and its sub-layers:

    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-signing-key
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-tpm
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-tpm2
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-efi-secure-boot
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-integrity
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-encrypted-storage

II. Configure meta-secure-core
==============================

The full feature set of meta-secure-core can be enabled with these definitions
in local.conf:

    INITRAMFS_IMAGE = "secure-core-image-initramfs"
    DISTRO_FEATURES_NATIVE:append = " systemd ima tpm tpm2 efi-secure-boot luks"
    DISTRO_FEATURES:append = " systemd ima tpm tpm2 efi-secure-boot luks modsign"
    MACHINE_FEATURES_NATIVE:append = " efi"
    MACHINE_FEATURES:append = " efi"
    PACKAGE_CLASSES = "package_rpm"
    INHERIT += "sign_rpm_ext"
    SECURE_CORE_IMAGE_EXTRA_INSTALL ?= "\
        packagegroup-efi-secure-boot \
        packagegroup-tpm \
        packagegroup-tpm2 \
        packagegroup-ima \
        packagegroup-luks \
    "
    DEBUG_FLAGS:forcevariable = ""
    IMAGE_INSTALL:append = " kernel-image-bzimage"

    # Uncomment this line to modify the root parameter in boot command line if the default one
    # is not working for you. It is helpful when secure boot is enabled.
    #BOOT_CMD_ROOT = "/dev/hda2"
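
A check for the settings above, as an added example that is not part of meta-secure-core: it reads text in the format printed by `bitbake -e` and reports which of the README's values are absent from the evaluated configuration, which catches a feature that another conf file or layer dropped. The function names and the sample input are constructed for illustration.

```shell
# Added example, not part of meta-secure-core. Compares the evaluated build
# configuration (bitbake -e format) with the README's local.conf values.

# get_var NAME: print the last NAME="value" assignment read from stdin.
get_var() {
    sed -n "s/^$1=\"\(.*\)\"\$/\1/p" | tail -n 1 | tr '\t' ' '
}

# missing_words HAVE WANT: print each word of WANT that is absent from HAVE.
missing_words() {
    for w in $2; do
        case " $1 " in
            *" $w "*) ;;
            *) printf ' %s' "$w" ;;
        esac
    done
}

# check_env FILE: one line per variable with missing entries; returns 1 if any.
check_env() {
    rc=0
    while IFS='|' read -r var want; do
        have=$(get_var "$var" < "$1")
        miss=$(missing_words "$have" "$want")
        [ -z "$miss" ] || { echo "$var missing:$miss"; rc=1; }
    done <<EOF
DISTRO_FEATURES|systemd ima tpm tpm2 efi-secure-boot luks modsign
MACHINE_FEATURES|efi
PACKAGE_CLASSES|package_rpm
INHERIT|sign_rpm_ext
INITRAMFS_IMAGE|secure-core-image-initramfs
EOF
    return $rc
}

# Constructed sample (not real build output): luks, modsign, RPM signing omitted.
sample_env() {
    cat <<'EOF'
DISTRO_FEATURES="acl ipv4 systemd ima tpm tpm2 efi-secure-boot"
MACHINE_FEATURES="alsa efi pcbios"
PACKAGE_CLASSES="package_rpm"
INHERIT=" uninative reproducible_build"
INITRAMFS_IMAGE="secure-core-image-initramfs"
EOF
}

# Usage: bitbake -e secure-core-image > env.txt && sh check.sh env.txt
if [ -n "${1:-}" ]; then check_env "$1"; fi
```

A non-zero exit status means at least one listed value is missing, so the script can gate a CI build before the image is produced.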

III. Build meta-secure-core
===========================

meta-secure-core provides an image called secure-core-image. Run the
following command to build it:

    $ bitbake secure-core-image

Reference
=========

[SecureCore - a reference implementation based on meta-secure-core](https://github.com/jiazhang0/SecureCore)