From 20f7943773dc0f028f33e0b7bc8cb5c87fa5e0f2 Mon Sep 17 00:00:00 2001
From: AlanKuo
Date: Mon, 2 Nov 2020 09:35:28 +0800
Subject: meta-quanta: meta-common: enable TLS with static CA and specific user
Add Security Feature:
1. default-users: Add static User "Megapede"
2. enable-tls: Enable TLS authentication with static CA
3. phosphor-monitor-hostname: Generate a self-signed certificate once the hostname is assigned
Note:
1. CA PATH: meta-quanta\meta-common\recipes-phosphor\certificate\phosphor-certificate-manager\certs\authority
All CAs under the folder will be encapsulated into the firmware image
(From meta-quanta rev: a310726a27974a471386d4e5f6d4b79f3bc6906e)
Signed-off-by: AlanKuo
Change-Id: If033222b72c59a86c1f818a3350d6eb55bba10b5
Signed-off-by: Andrew Geissler
---
 .../recipes-quanta/default-users/default-users.bb | 24 ++++++++++++++++++++++
 .../recipes-quanta/enable-tls/enable-tls.bb | 22 ++++++++++++++++++++
 .../enable-tls/bmcweb_persistent_data.json | 1 +
 .../enable-tls/certs/authority/Quanta_CA.crt | 22 ++++++++++++++++++++
 .../phosphor-monitor-hostname_git.bb | 22 ++++++++++++++++++++
 5 files changed, 91 insertions(+)
 create mode 100755 meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb
 create mode 100644 meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb
 create mode 100644 meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json
 create mode 100755 meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt
 create mode 100755 meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb
(limited to 'meta-quanta/meta-common')
diff --git a/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb b/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb
new file mode 100755
index 0000000000..0bb9be8215
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Add default Users"
+DESCRIPTION = "Add Users"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+EXCLUDE_FROM_WORLD = "1"
+
+DEPENDS = "bmcweb"
+DEPENDS += "phosphor-ipmi-host"
+DEPENDS += "phosphor-user-manager"
+RDEPENDS_${PN} = "bmcweb"
+RDEPENDS_${PN} += "phosphor-ipmi-host"
+RDEPENDS_${PN} += "phosphor-user-manager"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+
+USERADD_PARAM_${PN} = "-m -N -u 1000 -g 100 -s /bin/nologin \
+ -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' \
+ -G 'web,redfish,priv-admin' Megapede; "
+GROUPMEMS_PARAM_${PN} = "-g priv-admin -a root; "
+GROUPMEMS_PARAM_${PN} += "-g ipmi -a root; "
+
+ALLOW_EMPTY_${PN} = "1"
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb
new file mode 100644
index 0000000000..fca483e11b
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Enable TLS with static CA"
+DESCRIPTION = "Add static CA and only enable TLS authentication"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://certs/authority/ \
+ file://bmcweb_persistent_data.json \
+ "
+do_install(){
+ install -d ${D}${sysconfdir}/ssl/certs/authority
+ install -m 0644 -D ${WORKDIR}/certs/authority/* \
+ ${D}${sysconfdir}/ssl/certs/authority
+
+ install -d ${D}${ROOT_HOME}
+ install -m 0640 ${WORKDIR}/bmcweb_persistent_data.json ${D}${ROOT_HOME}
+}
+
+FILES_${PN} = "${ROOT_HOME}/bmcweb_persistent_data.json \
+ ${sysconfdir}/ssl/certs/authority/* \
+ "
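Review bot: `USERADD_PARAM_${PN}` bakes one fixed password hash for the `Megapede` account into every image built from this layer, and the `$1$` prefix marks it as MD5-crypt, so a single shared credential with `priv-admin` membership exists fleet-wide and is protected by the weakest crypt scheme still accepted by the tooling. If a static account is unavoidable, generate the hash with a current scheme (`$6$` SHA-512 crypt) and prefer per-device provisioning or a forced change on first use over a build-time constant; `-s /bin/nologin` limits the account to service logins but does not change the shared-secret problem. Please also add a comment above `GROUPMEMS_PARAM_${PN}` recording why `root` is added to `priv-admin` and `ipmi`, e.g. `# root needs priv-admin/ipmi group membership for the user-manager and IPMI privilege checks`, since that widening is easy to miss in a users recipe.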
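Review bot: `do_install` installs a single static CA under `${sysconfdir}/ssl/certs/authority` while the packaged `bmcweb_persistent_data.json` sets every auth method except `TLS` to false, so as far as the installed files show, a client certificate chaining to that one CA key is the only login path and is honoured on every board that ships this recipe, with no revocation data installed next to it. That trade-off (one CA key for the whole fleet, rotation only by reflashing) should be stated in the recipe, e.g. `# Static CA trusted for client-certificate auth on all boards; rotating it requires a firmware update` above `SRC_URI`, and `DESCRIPTION` should say that client-certificate auth becomes the sole login method. If bmcweb rewrites `${ROOT_HOME}/bmcweb_persistent_data.json` at runtime (I cannot confirm that from this hunk), the build-time copy only seeds the first boot, which is also worth a comment. Minor: `install -m 0644 -D ${WORKDIR}/certs/authority/* ...` depends on the preceding `install -d` to make the multi-source form work; dropping `-D` or switching to `-t ${D}${sysconfdir}/ssl/certs/authority` makes the intent explicit.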
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json
new file mode 100644
index 0000000000..aa50152687
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json
@@ -0,0 +1 @@
+{"auth_config":{"BasicAuth":false,"Cookie":false,"SessionToken":false,"TLS":true,"XToken":false}}
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt
new file mode 100755
index 0000000000..77e5b2c9b5
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIIRnUufKw0mL8wDQYJKoZIhvcNAQELBQAwPTELMAkGA1UE
+BhMCVFcxDzANBgNVBAoTBlF1YW50YTELMAkGA1UECxMCQ0ExEDAOBgNVBAMTB09w
+ZW5CTUMwHhcNMjAwMTAxMDAwMDAwWhcNMzYxMjMxMjM1OTU5WjA9MQswCQYDVQQG
+EwJUVzEPMA0GA1UEChMGUXVhbnRhMQswCQYDVQQLEwJDQTEQMA4GA1UEAxMHT3Bl
+bkJNQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANyBHOcnaVt4K1lt
+msTmFzIBf1sI/HV7XW6VMICOOESUv/vrMxCNOzhil4J+CWpFjwkk8zGK6tiLXmMe
+3/oa6qqHN0GXd7XoyBn3XRrr/L2gKipUsWlYk43Wq0TX2ugEcCWqOr0Ol4TcuD4Z
++pswkgHxqJtbfiWd1sTKpbCvjbnlN9EKir52DRZie0m8ANIbTp/KPVmY+UAU7Vz/
+QpYemolsrwupzWJbz34jC2rnNw8HFBHIMyNLJVocUkCVYy5ka0dRk+APC3VWX4C6
+1GmUd4ZQZs4LayyfQcK3Tb+PkNCf9AxBE8eId0lHpufq2Uhml1Lwrfh/1TObCwkW
+ufgv6HsCAwEAAaOBkzCBkDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTpEhTE
+nCIZo7dCDFtqUjMRcOI9SDAfBgNVHSMEGDAWgBTpEhTEnCIZo7dCDFtqUjMRcOI9
+SDALBgNVHQ8EBAMCAb4wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBEG
+CWCGSAGG+EIBAQQEAwIAxzANBgkqhkiG9w0BAQsFAAOCAQEAaw2to4hiADeZO/WF
+UMxrKjB4mbpHOb8cn3HIBIkrE6XxpH6T9MaZh7xi7kyyiuVNGh70lh+qxBUmVf5B
+OF2NSF6ffDrW86dMNV+tKlByHElUqWFcWgU1XFipcN7u0aeFkfPsqG4BwcZlBUEN
+rr9GDFNNadmjnoVA3deVTu4kHTVz6vg0vJExDfBHhNBWsLzLizRIebv9jumJlHPl
+I99czz3NQKVjm8z/BlWaMxpWU/bLxL2Aq/6rQ0iCoeIPJqHubG1CmGwI7k9ZQTUh
+VAMKR4W7JAul+CK8oEC7TAVU2L2fk6g+eSwU12HgO+IUOXmdp3bPtGkk73wG4iOj
+hN2Bow==
+-----END CERTIFICATE-----
diff --git a/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb b/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb
new file mode 100755
index 0000000000..99d11d1734
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Quanta Monitor HostName Service"
+DESCRIPTION = "Quanta Monitor HostName Service"
+PR = "r1"
+PV = "1.0+git${SRCPV}"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
+
+inherit cmake systemd
+
+DEPENDS += " \
+ boost \
+ sdbusplus \
+ "
+
+SRC_URI += "git://github.com/quanta-bmc/phosphor-monitor-hostname"
+SRCREV := "1172ec20f8dd41d18519c2cb3ae59bbde5acd634"
+S = "${WORKDIR}/git"
+
+SYSTEMD_SERVICE_${PN} += "xyz.openbmc_project.MonitorHostname.service"
+
+
+
-- 
cgit v1.2.3
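Review bot: `SRC_URI` fetches the service over the unauthenticated `git://` transport and carries no `branch=` parameter; the pinned `SRCREV` means a substituted tree would fail the fetch rather than build, but the transfer itself has no integrity protection and newer BitBake releases warn on or reject a git URI without a branch. I would change it to `SRC_URI += "git://github.com/quanta-bmc/phosphor-monitor-hostname;protocol=https;branch=<upstream-branch>"` with the real branch name, and write `SRCREV = "..."` rather than the immediate `:=` assignment, which is unusual for a literal and hints at an expansion that is not there. `LIC_FILES_CHKSUM` points at `file://LICENSE` inside the fetched tree, so the license check is only as strong as the pin; fine as-is but worth a one-line comment. `DESCRIPTION` merely repeats `SUMMARY`; a sentence stating what the service does (per the commit message, it generates a self-signed certificate once the hostname is assigned) would tell the next maintainer why it is pulled in with `enable-tls`.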