80 Commits

Author SHA1 Message Date
Yi Zhao 1b35fd45a5 base-files: only apply the bbappend if ima distro flag set
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:

  qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
  qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.

Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-08 09:42:55 +08:00
Jia Zhang ba72aa48fb Maintain the stable branch sumo
The following commits are reverted by the way:

- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
- meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711)

The former is applicable to rocko only, and the latter is still experimental.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-21 02:26:49 -04:00
Tom Rini 5fa9c850bd meta-integrity: rpm: Add back in required patches for rocko
In 59a9f43b89 ("meta-integrity: Drop RPM patches that are upstream
now") we removed patches to RPM that were not required with a move up to
4.14.0 as they are upstream.  However, rocko ships with an older version
of RPM and still needs these patches.  Add conditional logic to apply
these patches only for rocko.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-31 22:48:35 +08:00
Tom Rini cd40815e69 layer.conf: Mark as compatible with rocko
As we also work with the 'rocko' release list that in our
LAYERSERIES_COMPAT.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-07-25 20:41:35 +08:00
Joe Slater 4a357121bf util-linux: allow -static linking for switch_root.static
Specify -no-pie to override possible -pie default.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-07-06 14:50:47 +08:00
Hongxu Jia 38ba593841 sign_rpm_ext.bbclass: fix check_rpm_public_key racing at recipe parsing time
All recipe will be parsed which caused lockfile of
check_rpm_public_key racing issue.
...
|WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb:
oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file
<_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
...

Refer do_package_write_rpm, add check_rpm_public_key to
prefunc of do_rootfs, only the running image recipe will
invoke check_rpm_public_key.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-05-31 11:26:13 +08:00
Trevor Woerner 18d65f8933 layer.conf: add LAYERSERIES_COMPAT
see https://patchwork.openembedded.org/patch/140542/

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
2018-05-26 08:08:58 +08:00
Hongxu Jia 7824fbdea8 sign_rpm_ext.bbclass: check rpm public key at image recipe parsing time
While multiple builds share a common sstate, the latter
build failed to build image which the public key not found.
...
|ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed.
Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
...

The latter build will not regenerate rpm packages and
check_rpm_public_key will not be invoked.

Explicitly invoke check_rpm_public_key at image recipe parsing time,
which make sure gpg public key be imported.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2018-05-23 19:32:55 +08:00
Tom Rini a8419d577a meta-integrity, meta-signing-key: Populate the secondary keyring
Currently we provide a secondary trusted key that is signed by the
primary key.  We do not however DER encode this certificate.  Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Tom Rini b7b42cdec7 meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us.  In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Yi Zhao 4a6de14094 keyutils: refresh patches to fix QA warning
Refresh the following patches:
keyutils-fix-the-cflags-for-all-of-targets.patch
keyutils_fix_x86-64_cflags.patch
keyutils_fix_x86_cflags.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-04-11 14:45:15 +08:00
Jia Zhang 04c1072d8f init.ima: Fix up the syntax error
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 22:46:19 -04:00
Jia Zhang f1ac8a4553 ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:25:15 -04:00
Jia Zhang 73cae2678d integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 21:24:13 -04:00
Jia Zhang f13d2e0ef8 init.ima: Fix the failure when importing the external policy from real rootfs
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 17:04:03 -04:00
Tom Rini 184dc8bb25 meta-integrity: Ensure that we have CONFIG_SECURITY enabled in the kernel
To make it easier to use this layer with various BSP layers we need to
ensure that we set CONFIG_SECURITY=y as that is in turn required by the
rest of our features, except for CONFIG_SECURITYFS

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-22 09:12:30 +08:00
Tom Rini cf8ae9e69b meta-integrity: Fix build problem on ima-inspect
The sources require that we have pkgconfig support as well, add missing
inherit.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-17 08:36:24 +08:00
Tom Rini d0c0bedbbe meta-integrity: Add ima-inspect utility
ima_inspect is a small program that allows to give a human-readable
representation of the contents of the extended attributes (xattrs) that
the Linux IMA security subsystem creates and manages for files.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-16 16:31:52 +08:00
Tom Rini 59a9f43b89 meta-integrity: Drop RPM patches that are upstream now
As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
rpm-4.14.0 as the base version.  This includes all of the patches we had
been applying.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-02-14 09:13:47 +08:00
Holger Dengler 0c4d9a8268 util-linux: Fix package name extension
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.

Signed-off-by: Holger Dengler <dengler@linutronix.de>
2017-12-09 11:28:27 +08:00
Jia Zhang a22324542d linux-yocto: fix loading kernel module due to being stripped
The kernel module will be stripped during do_package, including the
modsign signature.

Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-26 13:09:01 +08:00
Jia Zhang 59ca43808c meta-integrity: enable modsign support in kernel
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-11-21 09:32:12 -05:00
Yunguo Wei 1259958f3c initrdscripts: rename expected ima certificate (#28)
evmctl is able to import DER format certificate only.

Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-11-12 09:43:48 +08:00
Jia Zhang 0477a93cf9 rpm: always include rpm-integrity.inc for RPM signing
rpm-integrity is required for RPM signing which is enabled by default.

Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 23:25:55 +08:00
Jia Zhang c2b8134dc3 meta-integrity: fix build failure caused by 6aa83f98b
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
2017-10-27 22:04:27 +08:00
Kai 6aa83f98bc rpm: only apply bbappend file when ima in DISTRO_FEATURES (#27)
Rename bbappend file of rpm and only include it when image in
DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes warning during
do rootfs:

| WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
| [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long

Signed-off-by: Kai Kang <kai.kang@windriver.com>
2017-10-27 20:57:45 +08:00
Wenzong Fan 616263c4e6 keyutils: update to 1.5.10 (#22)
* rebase patches:
  - keyutils_fix_library_install.patch
  - keyutils-remove-m32-m64.patch

* append '-Wall' to CFLAGS for fixing:
  .../recipe-sysroot/usr/include/features.h:376:4: error: \
  #warning _FORTIFY_SOURCE requires compiling with \
  optimization (-O) [-Werror=cpp]

* cleanup alternative targets, the *keyring*.7 files have been
  removed from keyutils 1.5.10.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-09-27 05:36:58 -04:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
Jia Zhang 49fadf7ef0 Update BB_HASHBASE_WHITELIST
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-01 20:28:38 +08:00
Wenzong Fan c41b36ea73 meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
2017-08-24 13:34:03 +08:00
Jia Zhang c2962bba6d sign_rpm_ext: make sure all target recipes are signed
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-24 08:18:01 +08:00
Jia Zhang 6fd5d7be55 meta-integrity: remove INHERIT += "sign_rpm_ext"
This definition should be placed in local.conf.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-23 17:38:01 +08:00
Jia Zhang ab05be3c9c signing-keys: fix the race condition when concurrent import operations occur
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 22:42:32 +08:00
Jia Zhang b1e14f4e88 encrypted-storage: use luks as the feature name for current implementation
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:31:11 +08:00
Jia Zhang 038aa54bc2 signing-keys: fix gpg key import failure due to wrong option position
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:03:18 +08:00
Jia Zhang 373d7276bc signing-keys: clean up
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:02:15 +08:00
Jia Zhang 6b7e09b444 sign_rpm_ext: define the location of default gpg keyring to TMPDIR
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:00:05 +08:00
Jia Zhang 5c584cb628 sign_rpm_ext: fix permission warning
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 11:18:24 +08:00
Jia Zhang d5ca542dfb signing-keys: fix gpg key import failure
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 02:17:32 +08:00
Jia Zhang 820376c2b5 sign_rpm_ext.bbclass: clean up
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-19 21:52:51 +08:00
Guojian 050cc889bb sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)
If "GPG_PATH" is set in the init script, then "signing-keys"
get_public_keys task will execute failed.

So the "GPG_PATH" directory would be created when "GPG_PATH" is set.

The do_get_public_keys failed to import gpg key error information is as following:
----------------------------------------------------------------------------------------
ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key
(layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
gpg: fatal: can't create directory
`tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory

Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
2017-08-19 15:18:58 +08:00
Guojian b8fd1f0fef keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)
The keyutils-doc package supply some same name man7 files with
man-pages, it will cause the rpm package installation or upgrade failed.

The keyutils-doc and man-pages rpm packages' transction check error
information is as following:
--------------------------------------------------------------------
Running transaction test
Error: Transaction check error:
  file /usr/share/man/man7/keyrings.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/persistent-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/process-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/thread-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/user-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64
  file /usr/share/man/man7/user-session-keyring.7 from install of
keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file
from package man-pages-4.11-r0.0.core2_64

Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
2017-08-19 15:17:38 +08:00
Jia Zhang 8544d2a4a5 sign_rpm_ext.bbclass: use the default setting from meta-signing-key
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-19 12:54:19 +08:00
yunguowei e3f58965ab sign_rpm_ext: set default GPG_PATH if it is not specified (#2)
commit 52bf3b6636f95a(meta-integrity: move gpg keyring initialization
to signing-keys) tried to initialize keyring in the task check_public_keys
of the recipe signing-keys. However, it does work with the recipe
signing-keys only, and GPG_PATH can't be passed to other recipes.

We bring the python anonymous function back, and it makes sure GPG_PATH
is set before signing the packages for every recipe.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-08-19 12:44:39 +08:00
Jia Zhang 52bf3b6636 meta-integrity: move gpg keyring initialization to signing-keys
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 23:29:26 +08:00
Lans Zhang 464433a169 sign_rpm_ext: support RPM signing
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-17 11:22:49 +08:00
Lans Zhang 8ff4d25a90 ima-evm-utils: support to build with openssl-1.1.x
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 14:56:23 +08:00
Lans Zhang b7705a7587 README.md: update reference links
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:57:24 +08:00
Lans Zhang 9fc35f2627 meta-integrity/README.md: update
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-16 10:47:33 +08:00
Lans Zhang eb08a619d8 init.ima: clean up and allow to load extra IMA policies from the real rootfs
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:15:38 +08:00