23 Commits

Author SHA1 Message Date
Yi Zhao 56731a69db recipes: Update LICENSE variable to use SPDX license identifiers
Fix QA warnings:
WARNING: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license]
WARNING: mokutil-0.3.0+gitAUTOINC+e19adc575c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv3 [obsolete-license]

This is the result of automated script conversion:
poky/scripts/contrib/convert-spdx-licenses.py meta-secure-core

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-04-08 09:05:06 +08:00
Yi Zhao fea6a37625 recipes: update SRC_URI branch and protocols
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-15 09:56:02 +08:00
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Yi Zhao 8302e3c479 ima-inspect: upgrade 0.11 -> 0.13
Fixes:
* Use glibc header instead of libattr header because the attr/xattr.h
  has been removed from attr package.
* fix configure check for newer libimaevm versions.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-01-19 11:52:46 +08:00
Yunguo Wei 701cbaf3c3 lib-evm-utils: using the correct algo for v2 signature (#120)
When using rpmsign (with --signfiles --fskpath) to sign RPM package,
the IMA signature is not correct, see:

$ getfattr -d -m - rootfs/usr/sbin/grpconv

file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQP3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

And the expected signature is like this:
$ getfattr -d -m - rootfs/usr/sbin/grpconv

file: rootfs/usr/sbin/grpconv
security.ima=0sAwIEDy1SEQEAA6s8DwmRCVutcrE8NvHWWYXlg8L1AwH5teu44prkKRwmhZQ52Oa4UQoZZlxER/SJ9tijbve8ZAv++KW8EqgP4iZjEGh8ke76rpiRU5glnG/U+HUjnilJBpzpMJHxyNbAiFoHMESeCOtrhY0zZIUXK3DnIuIJSwpfl2HaNFxRrE38EaqgV9IQ8QiWFCvgDYXoJDwc3KdhjKjs214tCfZpKO1w4QJl2n4llZHw2RTHIuUOsMhRDEXs6onLHmdmhvqgxIHt7IvsT9v7H8GnoaiX0xgzxk2o/mE5EtPrnMtUoGSQwdY8CAfUbCwAp0c5QlsrHk5RBmewjJ/jxd/K1uKp7w==

The root cause is libimaevm doesn't retrieve correct signing algo, so this patch
is making things right.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2019-10-10 18:10:52 +08:00
Dmitry Eremin-Solenikov 6d1bd0da1f ima-inspect: add patch to fix compilation with newer ima-evm-utils
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Dmitry Eremin-Solenikov d139491c9a ima-evm-utils: update to release 1.2.1
Bump ima-evm-utils to latest release (1.2.1).

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Changqing Li 73bc9f68f9 keyutils: remove it
keyutils under meta-security have been moved to meta-openembeded by this commit
https://git.openembedded.org/meta-openembedded/commit/?id=415e213ad75ec9a93171c963395a1c4b92c6233b
and is higher version than keyutils, so remove this one

Signed-off-by: Changqing Li <changqing.li@windriver.com>
2019-08-02 12:57:36 +08:00
Luca Boccassi 45637891f7 Patch ima-evm-utils to fix build with musl
Third party programs including libimaevm fails to build with musl
due to a missing include in the public header. Add it.
The build with glibc is unaffected. Patch sent upstream.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2019-02-28 22:58:37 +08:00
Yi Zhao 4a6de14094 keyutils: refresh patches to fix QA warning
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-04-11 14:45:15 +08:00
Tom Rini cf8ae9e69b meta-integrity: Fix build problem on ima-inspect
The sources require that we have pkgconfig support as well, add missing
inherit.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-17 08:36:24 +08:00
Tom Rini d0c0bedbbe meta-integrity: Add ima-inspect utility
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-16 16:31:52 +08:00
Wenzong Fan 616263c4e6 keyutils: update to 1.5.10 (#22)
* rebase patches:
  - keyutils_fix_library_install.patch
  - keyutils-remove-m32-m64.patch

* append '-Wall' to CFLAGS for fixing:
  .../recipe-sysroot/usr/include/features.h:376:4: error: \
  #warning _FORTIFY_SOURCE requires compiling with \
  optimization (-O) [-Werror=cpp]

* cleanup alternative targets, the *keyring*.7 files have been
  removed from keyutils 1.5.10.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-27 05:36:58 -04:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
Guojian b8fd1f0fef keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.

The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
  file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64

Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
2017-08-19 15:17:38 +08:00
Lans Zhang 8ff4d25a90 ima-evm-utils: support to build with openssl-1.1.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 14:56:23 +08:00
Lans Zhang 656706373f ima_policy: update the comment
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:14:31 +08:00
Lans Zhang f77e53d627 meta-secure-core: code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-28 10:09:02 +08:00
Lans Zhang 77640af54c IMA: move the default policy file to /etc/ima directory
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 09:37:59 +08:00
Lans Zhang 0f3911c740 keyutils: fix build failure with ppc
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-11 14:06:56 +08:00
Lans Zhang 5d1376b6a0 IMA: clean up IMA signing
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-11 12:47:35 +08:00
Lans Zhang a9e266c481 ima-policy: enable policy check
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:21:48 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00