[meta-security,4/7] meta-tpm: add layer sanity check

Submitted by Armin Kuster on June 5, 2021, 10:02 p.m. | Patch ID: 179860


Message ID 20210605220258.414233-5-akuster808@gmail.com

Commit Message

Armin Kuster June 5, 2021, 10:02 p.m.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-tpm/README                          | 19 +++++++++++++++++++
 meta-tpm/classes/sanity-meta-tpm.bbclass | 10 ++++++++++
 meta-tpm/conf/layer.conf                 |  4 ++++
 3 files changed, 33 insertions(+)
 create mode 100644 meta-tpm/classes/sanity-meta-tpm.bbclass


diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..59d2ee3 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -1,6 +1,25 @@ 
 meta-tpm layer
 ==============
 
+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'tpm' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+  DISTRO_FEATURES_append = " tmp"
+
+If meta-tpm is included, but tpm is not enabled as a
+distro feature a warning is printed at parse time:
+
+    You have included the meta-tpm layer, but
+    'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+    and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+  SKIP_META_TPM_SANITY_CHECK = 1
+
+
 This layer contains base TPM recipes.
 
 Dependencies
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-tpm/classes/sanity-meta-tpm.bbclass
new file mode 100644
index 0000000..2f8b52d
--- /dev/null
+++ b/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -0,0 +1,10 @@ 
+addhandler tpm_machinecheck
+tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
+python tpm_machinecheck() {
+    skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
+    if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+        bb.warn("You have included the meta-tpm layer, but \
+'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-tpm README \
+for details on enabling tpm support.")
+}
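Review bot: The check on the `if` line only looks for `tpm` in DISTRO_FEATURES, yet the warning it emits says `'tpm or tpm2'` has not been enabled, so a build that legitimately sets only `tpm2` will still be warned and a reader cannot tell which feature the layer actually keys on; either make the test match the message or drop `tpm2` from it. If both spellings are meant to satisfy the check, `features = (e.data.getVar('DISTRO_FEATURES') or '').split()` followed by `if not skip_check and not ({'tpm', 'tpm2'} & set(features)):` does that and also avoids the AttributeError the current `.split()` raises when DISTRO_FEATURES is unset. The message also directs users to the README, whose added enable line in this series reads `DISTRO_FEATURES_append = " tmp"` rather than `" tpm"`, so anyone following it verbatim will keep hitting this warning and, more importantly, will build without the TPM bbappends they expect; that line should be corrected alongside this check.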
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 1b766cb..0b102c5 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -17,6 +17,10 @@  LAYERDEPENDS_tpm-layer = " \
 "
 BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
 
+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-tpm"
+
 BBFILES_DYNAMIC += " \
 networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
 "
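Review bot: The comment above the `INHERIT` line says `# Sanity check for meta-integrity layer.` but this is meta-tpm's layer.conf and the class it inherits is `sanity-meta-tpm`, which looks like a leftover from copying the same hook out of meta-integrity. Suggest `# Sanity check for the meta-tpm layer: warn at parse time when 'tpm' is missing from DISTRO_FEATURES.` so the comment names the right layer and states what the check actually tests. The SKIP_META_TPM_SANITY_CHECK note is accurate and can stay as is.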