This README file contains information on the contents of the
meta-secure-core layer.

Please see the corresponding sections below for details.

Dependencies
============

This layer depends on:

    URI: git://git.openembedded.org/bitbake
    branch: master

    URI: git://git.openembedded.org/openembedded-core
    layers: meta
    branch: master

This layer also supports the stable branches actively maintained by the
Yocto Project. See [this page](https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance) for the list.

Patches
=======

Please submit any patches against the meta-secure-core layer to the
maintainer:

    Maintainer: Yi Zhao <[email protected]>

Table of Contents
=================

    I. Adding the meta-secure-core layer to your build
    II. Configure meta-secure-core
    III. Build meta-secure-core

I. Adding the meta-secure-core layer to your build
==================================================

In order to use this layer, you need to make the build system aware of
it.

Assuming the meta-secure-core layer exists at the top level of your
Yocto build tree, you can add it to the build system by adding the
location of the meta-secure-core layer to bblayers.conf, along with any
other layers needed, e.g.:

    BBLAYERS ?= "\
        /path/to/yocto/meta \
        /path/to/yocto/meta-poky \
        /path/to/yocto/meta-yocto-bsp \
        /path/to/yocto/meta-secure-core/meta-secure-core-common \
        /path/to/yocto/meta-secure-core/meta-signing-key \
        /path/to/yocto/meta-secure-core/meta-tpm2 \
        /path/to/yocto/meta-secure-core/meta-efi-secure-boot \
        /path/to/yocto/meta-secure-core/meta-integrity \
        /path/to/yocto/meta-secure-core/meta-encrypted-storage \
    "

or run bitbake-layers to add meta-secure-core and its sub-layers:

    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-secure-core-common
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-signing-key
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-tpm2
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-efi-secure-boot
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-integrity
    $ bitbake-layers add-layer /path/to/yocto/meta-secure-core/meta-encrypted-storage

II. Configure meta-secure-core
==============================

The full feature set of meta-secure-core can be enabled with these
definitions in local.conf:

    INIT_MANAGER = "systemd"
    INITRAMFS_IMAGE = "secure-core-image-initramfs"
    DISTRO_FEATURES_NATIVE:append = " ima tpm2 efi-secure-boot luks"
    DISTRO_FEATURES:append = " ima tpm2 efi-secure-boot luks modsign"
    MACHINE_FEATURES_NATIVE:append = " efi"
    MACHINE_FEATURES:append = " efi"
    PACKAGE_CLASSES = "package_rpm"
    INHERIT += "ima-evm-rootfs"
    SECURE_CORE_IMAGE_EXTRA_INSTALL ?= "\
        packagegroup-efi-secure-boot \
        packagegroup-tpm2 \
        packagegroup-ima \
        packagegroup-luks \
    "
    #DEBUG_FLAGS:forcevariable = ""
    IMAGE_INSTALL:append = " kernel-image-bzimage"

    # Uncomment the following lines to disable SELoader
    # and use gpg key to protect and verify files used by grub.
    #UEFI_SELOADER ?= "0"
    #GRUB_SIGN_VERIFY ?= "1"

    # Uncomment this line to modify the root parameter in boot command line if the default one
    # is not working for you. It is helpful when secure boot is enabled.
    #BOOT_CMD_ROOT = "/dev/sda3"
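
A static pre-build check for the DISTRO_FEATURES:append setting above, as an added example that is not part of meta-secure-core: BitBake's :append joins strings without inserting a space, so the check reports any of the five features that does not survive as a whole token. The function names and the @BASE@ placeholder (standing in for the distro's own DISTRO_FEATURES value) are assumptions, and the script reads only plain VAR:append = "..." lines from one file rather than reproducing BitBake's parsing.

```shell
#!/bin/sh
# Added example, not part of meta-secure-core. Feature names are the ones
# section II appends to DISTRO_FEATURES in local.conf.
REQUIRED_FEATURES="ima tpm2 efi-secure-boot luks modsign"

# Print the quoted value of each uncommented 'VAR:append = "..."' line.
append_values() {   # $1 = variable name, $2 = conf file
    sed -n "s/^[[:space:]]*$1:append[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$2"
}

# Approximate the final value: appended strings are joined to the base value
# with no separator, exactly as written. "@BASE@" is a placeholder for the
# distro's own DISTRO_FEATURES, which this script does not know.
effective_features() {   # $1 = conf file
    printf '@BASE@%s\n' "$(append_values DISTRO_FEATURES "$1" | tr -d '\n')"
}

# Print each required feature that is not a whole whitespace-delimited token.
# A value written without its leading space fuses its first feature onto the
# previous token, so that feature is reported as missing.
missing_features() {   # $1 = conf file
    tokens=" $(effective_features "$1" | tr '\t' ' ') "
    for f in $REQUIRED_FEATURES; do
        case "$tokens" in
            *" $f "*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Stand-alone use (script name is hypothetical):
#   sh check-features.sh conf/local.conf
if [ "$#" -gt 0 ]; then
    missing_features "$1"
fi
```

Empty output means all five features are present as separate tokens; the authoritative value is the DISTRO_FEATURES line in the output of `bitbake -e`.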

III. Build meta-secure-core
===========================

The meta-secure-core provides an image called secure-core-image. Run the
following command to build it.

    $ bitbake secure-core-image