This patch adds two image recipes and several keys for use in secureboot
selftests. One image is an unsigned comboapp with a startup.nsh file
calling bootx64.efi. The other is a comboapp image signed with the
refkit keys by default. These are the same keys enrolled in the ovmf
firmware. Also included is another set of keys to sign the image with
that do not match the ovmf firmware's enrolled keys.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This patch adds a couple secureboot elements to ovmf that originated
from refkit. It includes a patch that adds a certificate to the ovmf's
enrolled keys, and an image recipe which calls the enrollkeys app.
Original work by Mikko Ylinen and Patrick Ohly.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This allows for setting a different kernel config URI without having
to completely reset the main SRC_URI for the kernel also.
Signed-off-by: Saul Wold <sgw@linux.intel.com>
A recent update to OE-core revealed the missing runtime dependency:
ERROR: lms8-8.0.0-7-r0 do_package_qa: QA Issue: /usr/bin/notifyDesktop.sh
contained in package lms8 requires /bin/bash, but no providers found in
RDEPENDS_lms8? [file-rdeps]
But it turns out that notifyDesktop doesn't actually require bash:
$ checkbashisms.pl notifyDesktop.sh
could not find any possible bashisms in bash script notifyDesktop.sh
So just change the shebang line to /bin/sh.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
CC: mikko.ylinen@linux.intel.com
CC: anand.vastrad@intel.com
Signed-off-by: Saul Wold <sgw@linux.intel.com>
A machine configuration file wasn't the correct place to put this in the
first place. It should be in a bbappend, which we now have.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Modify core-image-minimal-initramfs to use the initramfs-framework init
scripts instead of the old ones when using an Intel MACHINE type.
The initramfs-framework scripts are preferred, as they allow for booting
on both live and real images and are more modular, allowing additions
via new modules.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
sbsigntool does not currently work with openssl version 1.1 which was
just added to OE-core, so depend on version 1.0.* instead.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
From Mikko:
gitsm fetcher does not work well with download cache
(submodules never get to the local source mirror) and each
builds ends up cloning ccan.
Move to use git fetcher (with https protocol) for both sbsigntool
and ccan independently to speed up fetching and to get the
mirroring benefits.
The gitsm fetcher limitations are reported in YOCTO #11594.
Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
This syncs us up with the sbsigntool recipe in meta-refkit.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Enable muslx32 build for efilinux. Using -m64 instead of -mx32 in
TUNE_CCARGS as efi needed to be built for 64 bits.
Signed-off-by: sweeaun <swee.aun.khor@intel.com>
[Fixed whitespace error]
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
meta-intel maintains a recipe that installs iwlwifi's LinuxCore wifi
driver releases. For some iwfwifi LinuxCore supported wireless chips, the
best/latest firmware blobs are found in the iwlwifi's linux-firmware.git fork.
See: https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi/core_release
This bbappend fetches the -31.ucode (currently, for Intel Wireless 8260
only!) that is the best match for the iwlwifi LinuxCore release built. The
bbappend can later be extended to pull in firmware blobs for other chips too.
Fixes: [YOCTO #11925]
Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Upgrade xf86-video-mga version to 1.6.5. Adapt block/wakeupHandler
signature for ABI 23 patch has been removed as the change already
available from Upstream 1.6.5.
Signed-off-by: sweeaun <swee.aun.khor@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Clang detects more warnings as errors and these fixes address it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
These patches are interesting from upstreaming point of view as well
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The scripts run in install target are relevant (and working)
only if the driver installation is run on the build host.
To fix build errors on some setups we add a patch that
skips the scripts completely when cross-compiling.
Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
[sgw - Added missing Upstream-Status]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Use the "m64" to parse the flag of x86-64 toolchains.
Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Since everything is installed into /usr when usrmerge is enabled,
don't rm /usr! Also the is not needed for anything do
don't create it in the first place.
[YOCTO #11882]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Since both linux-intel and linux-intel-rt need config fragments let's
share the same linux-intel patch directory via FILESEXTRAPATH
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The kernel updates includes more camera changes
Includes meta update with the following changes:
e8095d4 Alejandro Hernandez common-pc: Adds usb-net configs to genericx86 builds
37cff3d Alejandro Hernandez common-pc-64: Adds usb-net configs to genericx86-64 builds
24325ac Alejandro Hernandez intel-common-drivers: Adds usb-net configs to intel builds
5ea1dcf Syed Johan Arif Bin Syed Mohamad Fauzi features/qat: additional configurations, CONFIG_CRYPTO_RSA and CONFIG_CRYPTO_DH
b3fadcf Syed Johan Arif Bin Syed Mohamad Fauzi features/netfilter: additional configurations
7a4f036 Syed Mohamad Fauzi, Syed Johan Arif features/x2apic: add X2APIC feature
e71bcaa Syed Johan Arif Bin Syed Mohamad Fauzi features/vfio: add VFIO feature
d1b7785 Syed Johan Arif Bin Syed Mohamad Fauzi features/numa: Add NUMA feature
62c9858 Syed Johan Arif Bin Syed Mohamad Fauzi features/mtd: add MTD feature
9a6c643 Syed Johan Arif Bin Syed Mohamad Fauzi features/iommu: add IOMMU feature
1e004c5 Syed Johan Arif Bin Syed Mohamad Fauzi features/intel-txt: add intel-txt feature
63c1229 Saul Wold common-pc-wifi: Enable SDIO for BroadCom BRCMFMAC
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Create a linux-intel.inc that is shared between standard and rt kernel
for the common bits.
By removing these modules here, we can then build and install the
out of tree modules from the backport-iwlwifi tree.
Move the Autoloading to the kernel module also
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Since we want to support the out of tree modules for wifi and ethernet
we need to also have them as common for all machines in the common arch.
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This out-of-tree module requires we create scripts before configuration
but module.bbclass runs make scripts sometime before do_compile. In
some builds this results in a failure, as it might not be soon enough.
Run make scripts again but earlier. Ideally we change module.bbclass
instead, but its currently frozen for M2 testing, so we need this
temporary local fix.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Use the MODULES_INSTALL_TARGET to correctly set the make target for install,
also use AUTOLOAD for ensuring the modules get loaded correctly.
Let the module class to the correct packaging and install.
Install all the linux-firmware-iwlwifi blobs
Signed-off-by: Saul Wold <sgw@linux.intel.com>
iwlwifi driver is built as OOT driver and replaces driver
built in kernel.
Signed-off-by: Kushwaha, Priyalee <priyalee.kushwaha@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
My script set it to v4.1.41, when its actually v4.1.42.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
In the future more secure boot implementations will be offered, with
each one needing the signing method. Instead of repeating a forty line
block of code across several recipes, just use a configurable bbclass.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The original code in intel-iot-refkit allows to create more than one
UEFI combo app and uses that to create one for removable media and one
for fixed media (after installation), with different boot=PARTUUID=xxx
parameters. This way, an installed image never ended up booting from
the install media.
uefi-comboapp.bbclass now supports the same feature, with
create_uefiapp() as the API function that can be used to create
additional UEFI apps and create_uefiapps as the method where the call
can be added.
In addition, several shortcomings are getting addressed:
- A UEFI combo app must be stored under a name that is specific
to the image for which it gets created, otherwise different
image recipes end up overwriting (or using) files from other
images.
- Signing must be done after creating the apps and before deploying
them, otherwise the unsigned apps get copied to the image when
using do_uefiapp_deploy.
- The common code for deployment is now in uefiapp_deploy_at.
- $dest is used instead of ${DEST} because the latter might get
expanded by bitbake.
- Because do_uefiapp always had to run anew to produce the
clean, unsigned input for do_uefiapp_sign, having two different
tasks just added unnecessary complexity. Now all code is in
do_uefiapp.
- Old files matching the output pattern get removed explicitly,
because they might not get overwritten when the optional
app suffix changes between builds, or when the task fails
in the middle.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
LMS will now capture and notify Intel AMT ME notifications to user in realtime.
For example if AMT tool establishes a KVM session, the user sees a notification for the same.
Intel ME provides event details in WsMan XML format which is parsed by LMS.
LMS extracts the AlertID-Arguments from WxMan XML and its relevant desription from preinitialized AlertId-Arguments:Description map.
The verbose description is then notfied to the user.
Along with the lms binary the package ships AMTAlerts.xml and notifyDesktop.sh script with it.
Signed-off-by: Anand Vastrad <anand.vastrad@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This lets the uefi-comboapp and new kickstart template work well
together out of the box.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
This is based off the template in meta-refkit.
It uses the image's boot directory to create a vfat boot partition,
which works with EFI. This works as a WKS_FILE target for the
uefi-comboapp, and will likely be useful in the future as well.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
