Re: [yocto] [meta-security][PATCH] tpm2-tss: support native builds
Mikko Rapeli wrote on Thursday, 23/11/2023 at 11:07:

> Hi,
>
> On Thu, Nov 23, 2023 at 11:01:12AM +, Jose Quaresma wrote:
> > Hi Mikko,
> >
> > Mikko Rapeli wrote on Thursday, 23/11/2023 at 10:53:
> >
> > > systemd tool ukify
> > > https://www.freedesktop.org/software/systemd/man/latest/ukify.html
> > > depends on systemd-measure
> > >
> > > https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
> > > which depends on tpm2-tss. So to support creating UKI
> > > images containing both kernel and initramfs with systemd-native,
> > >
> >
> > Is systemd-native supported in any public layer?
> > I saw some proposals on the oe-core mailing list but they were not
> > integrated.
>
> Not yet. But for uki and systemd style secure boot that will be needed.
> Current public systemd-native proposal is in
> https://lore.kernel.org/all/20230901233231.1109712-1-michelle.lint...@gmail.com/T/
> and on Linaro side we're checking that among other things. There will likely
> be a need to move some recipes to oe-core so that signing etc tooling can be
> compiled from there without additional layers. But all this depends on how
> maintainers see the situation.
>

We at Foundries.io are also very interested in the uki and friends.
Thanks for all the details and clarifications.

Jose

> Cheers,
>
> -Mikko
>

--
Best regards,

José Quaresma
Re: [yocto] [meta-security][PATCH] tpm2-tss: support native builds
Hi,

On Thu, Nov 23, 2023 at 11:01:12AM +, Jose Quaresma wrote:
> Hi Mikko,
>
> Mikko Rapeli wrote on Thursday, 23/11/2023 at 10:53:
>
> > systemd tool ukify
> > https://www.freedesktop.org/software/systemd/man/latest/ukify.html
> > depends on systemd-measure
> >
> > https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
> > which depends on tpm2-tss. So to support creating UKI
> > images containing both kernel and initramfs with systemd-native,
> >
>
> Is systemd-native supported in any public layer?
> I saw some proposals on the oe-core mailing list but they were not
> integrated.

Not yet. But for uki and systemd style secure boot that will be needed.
Current public systemd-native proposal is in
https://lore.kernel.org/all/20230901233231.1109712-1-michelle.lint...@gmail.com/T/
and on Linaro side we're checking that among other things. There will likely
be a need to move some recipes to oe-core so that signing etc tooling can be
compiled from there without additional layers. But all this depends on how
maintainers see the situation.

Cheers,

-Mikko
Re: [yocto] [meta-security][PATCH] tpm2-tss: support native builds
Hi Mikko,

Mikko Rapeli wrote on Thursday, 23/11/2023 at 10:53:

> systemd tool ukify
> https://www.freedesktop.org/software/systemd/man/latest/ukify.html
> depends on systemd-measure
>
> https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
> which depends on tpm2-tss. So to support creating UKI
> images containing both kernel and initramfs with systemd-native,
>

Is systemd-native supported in any public layer?
I saw some proposals on the oe-core mailing list but they were not integrated.

Jose

> tpm2-tss support is needed for native too.
>
> Signed-off-by: Mikko Rapeli
> --- > meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb > b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb > index 6386105..dceebc2 100644 > --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb > +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb > @@ -93,3 +93,5 @@ FILES:${PN} = "\ > ${sysconfdir}/sysusers.d" > > RDEPENDS:libtss2 = "libgcrypt" > + > +BBCLASSEXTEND = "native" > -- > 2.34.1 > > > > >

--
Best regards,

José Quaresma
[yocto] [meta-security][PATCH] tpm2-tss: support native builds
systemd tool ukify
https://www.freedesktop.org/software/systemd/man/latest/ukify.html
depends on systemd-measure
https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
which depends on tpm2-tss. So to support creating UKI
images containing both kernel and initramfs with systemd-native,
tpm2-tss support is needed for native too.

Signed-off-by: Mikko Rapeli
--- meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb index 6386105..dceebc2 100644 --- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb +++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb @@ -93,3 +93,5 @@ FILES:${PN} = "\ ${sysconfdir}/sysusers.d" RDEPENDS:libtss2 = "libgcrypt" + +BBCLASSEXTEND = "native" -- 2.34.1
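
Review bot: at the added `BBCLASSEXTEND = "native"` line, the commit message does not say that the native variant was actually built, and the hunk shows only the tail of the recipe, so a reviewer cannot tell whether everything the recipe depends on (for example the `libgcrypt` named in `RDEPENDS:libtss2`) has a native counterpart that the class extension can resolve. Please state in the message that `tpm2-tss-native` builds in a clean tree. The `${sysconfdir}/sysusers.d` entry in `FILES:${PN}` is target packaging, so it is worth confirming the install step behaves the same when the recipe is built for the build host. If the signing tooling mentioned in the message is also expected to run from an SDK, consider whether `nativesdk` belongs in the same assignment.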