22 Commits

Author SHA1 Message Date
He Zhe 37874f8a19 meta-integrity: Fix failure to find linux-yocto-integrity.inc
linux-yocto-integrity.inc is shared among linux-yocto linux-yocto-rt and
linux-yocto-dev and cannot be found with ${BPN} in the latter two.

ERROR: ParseError at layers/meta-secure-core/meta-integrity/recipes-kernel/linux/linux-yocto-dev.bbappend:1:
Could not include required file linux-yocto-dev-integrity.inc
ERROR: ParseError at layers/meta-secure-core/meta-integrity/recipes-kernel/linux/linux-yocto-rt_5.%.bbappend:1:
Could not include required file linux-yocto-rt-integrity.inc

Signed-off-by: He Zhe <zhe.he@windriver.com>
2023-01-19 11:16:16 +08:00
Mingli Yu 70441485bc meta-integrity: check ima DISTRO_FEATURES
Fix the below yocto compliance issue:
  INFO: FAIL: test_signatures (common.CommonCheckLayer)
  INFO: ----------------------------------------------------------------------
  INFO: Traceback (most recent call last):
    File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures
    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
AssertionError: Adding layer meta-integrity changed signatures.
153 signatures changed, initial differences (first hash before, second after):
    linux-yocto:do_fetch: c57d21fe3def6c9959bbfd487420c6845d4c720d7e72aa5cf1e11af324ba5d45 -> fb0ce7b4d54bea3c53c86b2633de923c70d63a5e10d9a2d283c5bf88ea788c37

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2022-12-06 09:16:14 +08:00
He Zhe def57bd5e0 ima: Remove disabling CONFIG_IMA_TEMPLATE
CONFIG_IMA_TEMPLATE has been removed from kernel since v5.15.46
http://lxgit.wrs.com/cgit/linux-yocto.git/commit/?h=v5.15/standard/base&id=3892794a18136452101fc86cebc5c6d69ac93683

Remove it here to avoid
[INFO]: the following symbols were not found in the active configuration:
	- CONFIG_IMA_TEMPLATE

Signed-off-by: He Zhe <zhe.he@windriver.com>
2022-08-14 17:15:37 +08:00
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Yongxin Liu 0233437224 ima: Fix badly formatted CONFIG_IMA_NG_TEMPLATE
Fix the following warning:

[INFO]: the following symbols were not found in the active configuration:

     - CONFIG_IMA_NG_TEMPLATE=y

Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
2020-10-12 09:41:33 +08:00
Hongxu Jia 69117bef3a linux-yocto-integrity.inc: fix 'uks_modsign_keys_dir' is not defined (#119)
Since commit [b41010c linux-yocto-integrity: fix modsign key path] applied,
if MODSIGN_ENABLED is "0", bbclass user-key-store will not be inherited
which causing 'uks_modsign_keys_dir' is not defined

Unconditionally inherit user-key-store, but conditionally invoke
uks_modsign_keys_dir

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-10-07 11:51:32 +08:00
Dmitry Eremin-Solenikov b41010c80c linux-yocto-integrity: fix modsign key path
Use modsign key directly from uks_modsign_keys_path(d), rather than from
installed package.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-16 16:00:09 +03:00
Yi Zhao 8d1b7c2a29 meta-secure-core: add linux-yocto-dev bbappend
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yi Zhao b0a4ae0fe3 linux-yocto: upgrade bbappend from 4.% to 5.%
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yunguo Wei 37a59625e5 key-store: rename ima private key and certificate on target
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2018-11-07 14:22:47 +08:00
Jia Zhang f1ac8a4553 ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:25:15 -04:00
Jia Zhang 73cae2678d integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:24:13 -04:00
Tom Rini 184dc8bb25 meta-integrity: Ensure that we have CONFIG_SECURITY enabled in the kernel
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-22 09:12:30 +08:00
Jia Zhang a22324542d linux-yocto: fix loading kernel module due to being stripped
The kernel module will be stripped during do_package, including the
modsign signature.

Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-26 13:09:01 +08:00
Jia Zhang 59ca43808c meta-integrity: enable modsign support in kernel
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:32:12 -05:00
Lans Zhang c84c5efb45 IMA: allow to write policy but deny to read policy
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-20 16:14:15 +08:00
Lans Zhang 407c56068d Code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:19:42 +08:00
Lans Zhang 572b7999c3 meta-integrity: implement the system trusted cert and IMA trusted cert
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 10:39:00 +08:00
Lans Zhang 353a003f1b Use the DER-formatted system trusted key
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-03 15:50:59 +08:00
Lans Zhang e664a331d5 code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-29 10:52:06 +08:00
Lans Zhang 8e01c0a442 IMA: refresh kernel cfg
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-26 11:33:39 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00