meta-quanta: meta-common: enable TLS with static CA and specific user

Add Security Feature:
    1. default-users: Add static User "Megapede"
    2. enable-tls: Enable TLS authentication with static CA
    3. phosphor-monitor-hostname: Generate a self-signed certificate once
       the hostname is assigned

Note:
    1. CA PATH:
       meta-quanta\meta-common\recipes-phosphor\certificate\phosphor-certificate-manager\certs\authority
       All CAs under the folder will be encapsulated into the firmware image

(From meta-quanta rev: a310726a27974a471386d4e5f6d4b79f3bc6906e)

Signed-off-by: AlanKuo <Alan_Kuo@quantatw.com>
Change-Id: If033222b72c59a86c1f818a3350d6eb55bba10b5
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb b/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb
new file mode 100755
index 0000000..0bb9be8
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/default-users/default-users.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Add default Users"
+DESCRIPTION = "Add Users"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+EXCLUDE_FROM_WORLD = "1"
+
+DEPENDS = "bmcweb"
+DEPENDS += "phosphor-ipmi-host"
+DEPENDS += "phosphor-user-manager"
+RDEPENDS_${PN} = "bmcweb"
+RDEPENDS_${PN} += "phosphor-ipmi-host"
+RDEPENDS_${PN} += "phosphor-user-manager"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+
+USERADD_PARAM_${PN} = "-m -N -u 1000 -g 100 -s /bin/nologin \
+                       -p '\$1\$UGMqyqdG\$FZiylVFmRRfl9Z0Ue8G7e/' \
+                       -G 'web,redfish,priv-admin' Megapede; "
+GROUPMEMS_PARAM_${PN} = "-g priv-admin -a root; "
+GROUPMEMS_PARAM_${PN} += "-g ipmi -a root; "
+
+ALLOW_EMPTY_${PN} = "1"
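Review bot: The `-p` argument in `USERADD_PARAM_${PN}` hard-codes an MD5-crypt (`$1$`) password hash, so every image built from this layer ships the same credential for a `priv-admin` account, stored in a scheme that is cheap to brute-force offline once the recipe or a firmware image can be read. The companion enable-tls change switches off every password-based bmcweb method, so the account may not need a password at all; if so, lock it with `-p '*'` and let the client certificate be the only credential. If another interface does need a password, take the hash from a build-time variable and use SHA-512 crypt (`$6$`). Also confirm that `-s /bin/nologin` exists in the image (the binary is commonly at `/sbin/nologin`), and add a comment explaining why `root` is put into `priv-admin` and `ipmi` here.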
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb
new file mode 100644
index 0000000..fca483e
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Enable TLS with static CA"
+DESCRIPTION = "Add static CA and only enable TLS authentication"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://certs/authority/ \
+            file://bmcweb_persistent_data.json \
+           "
+do_install(){
+    install -d ${D}${sysconfdir}/ssl/certs/authority
+    install -m 0644 -D ${WORKDIR}/certs/authority/* \
+                       ${D}${sysconfdir}/ssl/certs/authority
+
+    install -d ${D}${ROOT_HOME}
+    install -m 0640 ${WORKDIR}/bmcweb_persistent_data.json ${D}${ROOT_HOME}
+}
+
+FILES_${PN} = "${ROOT_HOME}/bmcweb_persistent_data.json \
+               ${sysconfdir}/ssl/certs/authority/* \
+              "
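Review bot: `do_install` copies `${WORKDIR}/certs/authority/*` into the trust directory, so any file that happens to sit in that source folder becomes a client-authentication trust anchor in the image without being named in the recipe. List each CA explicitly, with `file://certs/authority/Quanta_CA.crt` in `SRC_URI` and `install -m 0644 ${WORKDIR}/certs/authority/Quanta_CA.crt ${D}${sysconfdir}/ssl/certs/authority/` in `do_install`, so that adding a trust anchor is a reviewable recipe change. It is also worth checking whether the consumer looks certificates up by OpenSSL subject-hash name; if it does, plain `.crt` files in this directory would not be found without the hash links.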
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json
new file mode 100644
index 0000000..aa50152
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/bmcweb_persistent_data.json
@@ -0,0 +1 @@
+{"auth_config":{"BasicAuth":false,"Cookie":false,"SessionToken":false,"TLS":true,"XToken":false}}
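Review bot: With `BasicAuth`, `Cookie`, `SessionToken` and `XToken` all `false`, a client certificate chained to the bundled CA is the only way to authenticate to bmcweb, and JSON cannot carry a comment that says so. Put it in enable-tls.bb above the install of this file, for example `# TLS client-cert auth only: an expired or missing CA in certs/authority leaves no web/Redfish login`, and state the intended recovery path there. The file name suggests bmcweb may also write its own state to this path at runtime; if so, confirm that replacing it on a package upgrade is intended.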
diff --git a/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt
new file mode 100755
index 0000000..77e5b2c
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/enable-tls/enable-tls/certs/authority/Quanta_CA.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb b/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb
new file mode 100755
index 0000000..99d11d1
--- /dev/null
+++ b/meta-quanta/meta-common/recipes-quanta/monitor-hostname/phosphor-monitor-hostname_git.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Quanta Monitor HostName Service"
+DESCRIPTION = "Quanta Monitor HostName Service"
+PR = "r1"
+PV = "1.0+git${SRCPV}"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
+
+inherit cmake systemd
+
+DEPENDS += " \
+        boost \
+        sdbusplus \
+        "
+
+SRC_URI += "git://github.com/quanta-bmc/phosphor-monitor-hostname"
+SRCREV := "1172ec20f8dd41d18519c2cb3ae59bbde5acd634"
+S = "${WORKDIR}/git"
+
+SYSTEMD_SERVICE_${PN} += "xyz.openbmc_project.MonitorHostname.service"
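Review bot: `SRC_URI` uses the bare `git://` scheme with no `protocol=` parameter, which for the BitBake git fetcher means the unauthenticated git protocol. The pinned `SRCREV` limits what can be substituted, but the transport should still be set explicitly: `SRC_URI += "git://github.com/quanta-bmc/phosphor-monitor-hostname;protocol=https"`. Per the commit description this service generates the self-signed certificate once the hostname is assigned, and none of that code is in this change, so its key and certificate handling has to be reviewed at the pinned revision in the external repository. `SRCREV :=` can be a plain `=`, matching the other assignments in the recipe.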
+
+
+