27 Commits

Author SHA1 Message Date
Yi Zhao 22bd7aa878 base-files: only apply the bbappend if ima distro flag set
When the meta-integrity layer is included but feature ima is not set, we
would get the following error when the system startup:

  qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
  qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.

Rename base-files_%.bbappend to base-files-integrity.inc and add a new
bbappend. Make sure this piece of code should be applied only if the ima
feature is set.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-03 15:12:41 +08:00
Yunguo Wei 37a59625e5 key-store: rename ima private key and certificate on target
If sample keys are selected, key-store service will deploy IMA private
key during first boot, but beople may be confused if we deploy a sample
private key like "xxx.crt", so this commit is making sure key/cert on
target are consistent with key files on build system.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2018-11-07 14:22:47 +08:00
Joe Slater 4a357121bf util-linux: allow -static linking for switch_root.static
Specify -no-pie to override possible -pie default.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-07-06 14:50:47 +08:00
Tom Rini a8419d577a meta-integrity, meta-signing-key: Populate the secondary keyring
Currently we provide a secondary trusted key that is signed by the
primary key.  We do not however DER encode this certificate.  Update
the key-store recipe to also make a DER encoding of this certificate and
include it in the same package as the PEM version of the certificate.
In the IMA init script, if we have any secondary certificate in a DER
encoding, load them into the secondary keyring before we try and load
the IMA keys.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Tom Rini b7b42cdec7 meta-integrity: init.ima: Switch to using keyctl
Rather than parse /proc/keys directly to find out the ID of the keyring
that we're using, let keyctl do this for us.  In order to do that we
need to have /proc available as /proc, so move it around before and
after working with keyctl.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-17 20:36:23 +08:00
Jia Zhang 04c1072d8f init.ima: Fix up the syntax error
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 22:46:19 -04:00
Jia Zhang f13d2e0ef8 init.ima: Fix the failure when importing the external policy from real rootfs
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-03-19 17:04:03 -04:00
Holger Dengler 0c4d9a8268 util-linux: Fix package name extension
Yocto (pyro) uses the character "_" to separate the package name from
the version number. If this character is used in the package name or
in a package name extension, the build will fail.
Replacing the "_" with one of the allowed characters fixes the problem.

Signed-off-by: Holger Dengler <dengler@linutronix.de>
2017-12-09 11:28:27 +08:00
Yunguo Wei 1259958f3c initrdscripts: rename expected ima certificate (#28)
evmctl is able to import DER format certificate only.

Although *.crt doesn't mean its a PEM certificate, but *.der makes more
sense.

Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
2017-11-12 09:43:48 +08:00
Jia Zhang b69537380c meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
${COREBASE}/LICENSE is not a valid license file. So it is recommended
to use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in
LIC_FILES_CHKSUM. This will become an error in the future.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-09-02 11:11:44 +08:00
Jia Zhang c2962bba6d sign_rpm_ext: make sure all target recipes are signed
Placing the key import logic under signing-keys cannot ensure all
target recipes are always signed. Instead, place it before
do_package_write_rpm.

Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-24 08:18:01 +08:00
Jia Zhang ab05be3c9c signing-keys: fix the race condition when concurrent import operations occur
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 22:42:32 +08:00
Jia Zhang 038aa54bc2 signing-keys: fix gpg key import failure due to wrong option position
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:03:18 +08:00
Jia Zhang 373d7276bc signing-keys: clean up
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 15:02:15 +08:00
Jia Zhang d5ca542dfb signing-keys: fix gpg key import failure
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-20 02:17:32 +08:00
Jia Zhang 8544d2a4a5 sign_rpm_ext.bbclass: use the default setting from meta-signing-key
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-19 12:54:19 +08:00
Jia Zhang 52bf3b6636 meta-integrity: move gpg keyring initialization to signing-keys
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
2017-08-17 23:29:26 +08:00
Lans Zhang eb08a619d8 init.ima: clean up and allow to load extra IMA policies from the real rootfs
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-15 16:15:38 +08:00
Lans Zhang e8d6e006e7 systemd: fix the conditions of PACKAGECONFIG for ima and cryptsetup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 22:03:45 +08:00
Lans Zhang dd9a695df8 systemd: enable ima and cryptsetup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-08-04 17:01:00 +08:00
Lans Zhang 77640af54c IMA: move the default policy file to /etc/ima directory
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-25 09:37:59 +08:00
Lans Zhang 625c3c6b61 base-file: mount securityfs
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-11 12:47:52 +08:00
Lans Zhang 7c83acd861 Clean up RDEPENDS
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-05 10:52:10 +08:00
Lans Zhang b736677f3f initrdscripts-ima: clean up code style and RDEPENDS
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:20:59 +08:00
Lans Zhang dda0659b71 init.ima: code style cleanup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:20:07 +08:00
Lans Zhang 407c56068d Code style fixup
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-07-04 17:19:42 +08:00
Lans Zhang 1b3e594449 meta-secure-core: initial commit
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2017-06-22 15:24:04 +08:00