mufeng / meta-secure-env Goto Github PK

meta-secure-env
===============

This layer provides the following common and platform-specific security
features:

- UEFI Secure Boot
For x86 platform, UEFI secure boot is the industry standard defined in the UEFI
spec, allowing images loaded by UEFI BIOS to be verified with the trusted
key. Whenever this feature is enabled, the bootloader and kernel will be
signed automatically during the build, implying the signed binaries are
contained by the resulting RPM and rootfs image.

Refer to feature/uefi-secure-boot/README for more details.

- Mok Secure Boot
For x86 platform, Mok secure boot is based on the UEFI secure boot, adding
the shim loader to chainloader the second-stage bootloader. Meanwhile,
the shim will also install a protocol which permits the second-stage bootloader
to perform similar binary validation, e.g, for linux kernel.

Refer to feature/mok-secure-boot/README for more details.

- User key store
By default, the signing key used by UEFI/Mok secure boot is the sample key for
the purposes of development and demonstration. It is not recommended that
this sample key be used for a production device and should be replaced by
a secret key owned by the user. 

Refer to feature/user-key-store-test/README for more details about how to
construct an user key store.

- User key store test
This feature automatically constructs an user key store during the build.
In a similar manner to the case of using sample key, all related binaries
are signed and contained in RPM and rootfs image. In addition, the resulting
user key store is located at $build/tmp/deploy/images/<machine>/user-keys/.

- TPM 2.0
This feature enables Trusted Platform Module (TPM 2.0) support, including
kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages.

Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys,
passwords, and digital certificates. A discrete TPM 2.0 offers the
capabilities as part of the overall platform security requirements.

Note: TPM 1.2 feature is added, though we don't provide the official support
for it.

Maintenance
-----------
This layer is maintained in Wind River Open Source Labs at github.
* source	https://github.com/WindRiver-OpenSourceLabs/meta-secure-env


Building the meta-secure-env layer
----------------------------------
This layer should be added to the bblayers.conf file. To enable certain
feature provided by this layer, add the feature to the local.conf file. 

For pulsar binary release, this layer is included by default, and UEFI/Mok
secure boot feature is enabled by default for x86 machine. These are done
in the init-intel-x86-env file.