Re: [meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app

2017-07-14 Thread Cal Sullivan
+ Patrick (mistyped email address). --- Cal On 07/14/2017 07:11 PM, California Sullivan wrote: I'm not sure why I never tried just signing the kernel and systemd-boot, but it works. If either one is not signed, it causes a security violation error. A con of this implementation is that

[meta-intel] [PATCH RFC 1/4] classes: Add uefi-sign.bbclass

2017-07-14 Thread California Sullivan
This configurable class uses sbsign to sign arbitrary EFI binaries. Signed-off-by: California Sullivan --- classes/uefi-sign.bbclass | 52 +++ 1 file changed, 52 insertions(+) create mode 100644

[meta-intel] [PATCH RFC 3/4] linux-intel: Add uefi-sign bbclass to sign kernel

2017-07-14 Thread California Sullivan
This should be added via a linux-*.bbappend, this one is just for testing. Signed-off-by: California Sullivan --- common/recipes-kernel/linux/linux-intel_4.9.bb | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git

[meta-intel] [PATCH RFC 4/4] meta-intel.inc: Add secureboot to valid IMAGE_FEATURES

2017-07-14 Thread California Sullivan
Signed-off-by: California Sullivan --- conf/machine/include/meta-intel.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/conf/machine/include/meta-intel.inc b/conf/machine/include/meta-intel.inc index ff98a2a..40f3b4c 100644 ---

[meta-intel] [PATCH RFC 0/4] Super simple secure boot implementation not requiring combo app

2017-07-14 Thread California Sullivan
I'm not sure why I never tried just signing the kernel and systemd-boot, but it works. If either one is not signed, it causes a security violation error. A con of this implementation is that unlike the combo app, we don't inherently validate the initrd. In the future we could require that

[meta-intel] [PATCH RFC 2/4] systemd-boot: Add uefi-sign bbclass to sign bootloader

2017-07-14 Thread California Sullivan
Signed-off-by: California Sullivan --- common/recipes-bsp/systemd-boot/systemd-boot_%.bbappend | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common/recipes-bsp/systemd-boot/systemd-boot_%.bbappend

Re: [meta-intel] [EXT] Re: How to build module iasImage from bzImage outside yocto

2017-07-14 Thread Francesco Camarda (fcamarda)
> -Original Message- > From: Tim Orling [mailto:timothy.t.orl...@linux.intel.com] > Sent: Friday, July 14, 2017 8:45 AM > To: Francesco Camarda (fcamarda) > Cc: yo...@yoctoproject.org; meta-intel@yoctoproject.org > Subject: [EXT] Re: [meta-intel] How to build module

Re: [meta-intel] How to build module iasImage from bzImage outside yocto

2017-07-14 Thread Tim Orling
> On Jul 13, 2017, at 5:59 AM, Francesco Camarda (fcamarda) > wrote: > > Hello, > Starting from a yocto build (details below): > > $ bitbake ias-kc-pf-image > Loading cache: 100% >