meta-secure-env =============== This layer provides the following common and platform-specific security features: - UEFI Secure Boot For x86 platform, UEFI secure boot is the industry standard defined in the UEFI spec, allowing images loaded by UEFI BIOS to be verified with the trusted key. Whenever this feature is enabled, the bootloader and kernel will be signed automatically during the build, implying the signed binaries are contained by the resulting RPM and rootfs image. Refer to feature/uefi-secure-boot/README for more details. - Mok Secure Boot For x86 platform, Mok secure boot is based on the UEFI secure boot, adding the shim loader to chainloader the second-stage bootloader. Meanwhile, the shim will also install a protocol which permits the second-stage bootloader to perform similar binary validation, e.g, for linux kernel. Refer to feature/mok-secure-boot/README for more details. - User key store By default, the signing key used by UEFI/Mok secure boot is the sample key for the purposes of development and demonstration. It is not recommended that this sample key be used for a production device and should be replaced by a secret key owned by the user. Refer to feature/user-key-store-test/README for more details about how to construct an user key store. - User key store test This feature automatically constructs an user key store during the build. In a similar manner to the case of using sample key, all related binaries are signed and contained in RPM and rootfs image. In addition, the resulting user key store is located at $build/tmp/deploy/images/<machine>/user-keys/. - TPM 2.0 This feature enables Trusted Platform Module (TPM 2.0) support, including kernel option changes to enable tpm drivers, and picking up TPM 2.0 packages. Trusted Platform Module (TPM 2.0) is a microcontroller that stores keys, passwords, and digital certificates. A discrete TPM 2.0 offers the capabilities as part of the overall platform security requirements. Note: TPM 1.2 feature is added, though we don't provide the official support for it. Maintenance ----------- This layer is maintained in Wind River Open Source Labs at github. * source https://github.com/WindRiver-OpenSourceLabs/meta-secure-env Building the meta-secure-env layer ---------------------------------- This layer should be added to the bblayers.conf file. To enable certain feature provided by this layer, add the feature to the local.conf file. For pulsar binary release, this layer is included by default, and UEFI/Mok secure boot feature is enabled by default for x86 machine. These are done in the init-intel-x86-env file.