starlingx/integ
Code Issues Proposed changes
efd96cd34c
integ/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
Scott Little bab9bb6b69 Internal restructuring of stx-integ 
Create new directories:
   ceph
   config
   config-files
   filesystem
   kernel
   kernel/kernel-modules
   ldap
   logging
   strorage-drivers
   tools
   utilities
   virt

Retire directories:
   connectivity
   core
   devtools
   support
   extended

Delete two packages:
   tgt
   irqbalance

Relocated packages:
   base/
      dhcp
      initscripts
      libevent
      lighttpd
      linuxptp
      memcached
      net-snmp
      novnc
      ntp
      openssh
      pam
      procps
      sanlock
      shadow
      sudo
      systemd
      util-linux
      vim
      watchdog

   ceph/
      python-cephclient

   config/
      facter
      puppet-4.8.2
      puppet-modules

   filesystem/
      e2fsprogs
      nfs-utils
      nfscheck

   kernel/
      kernel-std
      kernel-rt

   kernel/kernel-modules/
      mlnx-ofa_kernel

   ldap/
      nss-pam-ldapd
      openldap

   logging/
      syslog-ng
      logrotate

   networking/
      lldpd
      iproute
      mellanox
      python-ryu
      mlx4-config

   python/
      python-2.7.5
      python-django
      python-gunicorn
      python-setuptools
      python-smartpm
      python-voluptuous

   security/
      shim-signed
      shim-unsigned
      tboot

   strorage-drivers/
      python-3parclient
      python-lefthandclient

   virt/
      cloud-init
      libvirt
      libvirt-python
      qemu

   tools/
      storage-topology
      vm-topology

   utilities/
      tis-extensions
      namespace-utils
      nova-utils
      update-motd

Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 10:06:31 -04:00

75 lines
2.9 KiB
Diff
Raw Blame History

From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
From: root <root@yow-cgts4-lx.wrs.com>
Date: Mon, 15 Jan 2018 13:25:04 -0500
Subject: [PATCH] Use Titanium certificate
---
Makefile | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 6ece282..bb4f7f9 100644
--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,12 @@ FBNAME = fallback
COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
+# We compile a certificate into shim. Usually this is a one-time generated
+# certificate (make-certs script) however we want to include a custom
+# certificate for which we have the key. We use the key to sign the kernel and
+# grub down the road
+INTERNAL_CERT = tis-shim
+
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif
@@ -90,7 +96,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
@@ -104,13 +110,17 @@ endif
all: $(TARGET)
-shim.crt:
- ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+# certificate is now provided in source. To generate a random certificate,
+# uncomment this rule
+#$(INTERNAL_CERT).crt:
+# ./make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
-shim.cer: shim.crt
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
openssl x509 -outform der -in $< -out $@
-shim_cert.h: shim.cer
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
+# use a fixed name for #include
+shim_cert.h: $(INTERNAL_CERT).cer
echo "static UINT8 shim_cert[] = {" > $@
hexdump -v -e '1/1 "0x%02x, "' $< >> $@
echo "};" >> $@
@@ -121,10 +131,10 @@ version.c : version.c.in
-e "s,@@COMMIT@@,$(COMMITID)," \
< version.c.in > version.c
-certdb/secmod.db: shim.crt
+certdb/secmod.db: $(INTERNAL_CERT).crt
-mkdir certdb
- pk12util -d certdb/ -i shim.p12 -W "" -K ""
- certutil -d certdb/ -A -i shim.crt -n shim -t u
+ pk12util -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
+ certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
shim.o: $(SOURCES) shim_cert.h
shim.o: $(wildcard *.h)
--
1.8.3.1
View Git Blame Copy Permalink