meta-integrity: port over from meta-intel-iot-security

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-07 16:59:28 +00:00 · 2019-05-16 15:41:49 -07:00
parent 479d9cc23a
commit 6680225c05
30 changed files with 1402 additions and 0 deletions
@@ -0,0 +1,32 @@
+# This recipe creates a module for the initramfs-framework in OE-core
+# which initializes IMA by loading a policy before transferring
+# control to the init process in the rootfs. The advantage over having
+# that init process doing the policy loading (which systemd could do)
+# is that already the integrity of the init binary itself will be
+# checked by the kernel.
+
+SUMMARY = "IMA module for the modular initramfs system"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+RDEPENDS_${PN} += "initramfs-framework-base"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:"
+
+SRC_URI = " \
+    file://${IMA_POLICY} \
+    file://ima \
+"
+
+do_install () {
+    install -d ${D}/${sysconfdir}/ima
+    install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima-policy
+    install -d ${D}/init.d
+    install ${WORKDIR}/ima  ${D}/init.d/20-ima
+}
+
+FILES_${PN} = "/init.d ${sysconfdir}"
+RDEPENDS_${PN} = "keyutils"
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Loads IMA policy into the kernel.
+
+ima_enabled() {
+    if [ "$bootparam_no_ima" = "true" ]; then
+        return 1
+    fi
+}
+
+ima_run() {
+    info "Initializing IMA (can be skipped with no_ima boot parameter)."
+    if ! grep -w securityfs /proc/mounts >/dev/null; then
+        if ! mount -t securityfs securityfs /sys/kernel/security; then
+            fatal "Could not mount securityfs."
+        fi
+    fi
+    if [ ! -d /sys/kernel/security/ima ]; then
+        fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
+    fi
+
+    # Instead of depending on the kernel to load the IMA X.509 certificate,
+    # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
+    # where the loaded key was not checked sufficiently. We use keyctl here because it is
+    # slightly smaller than evmctl and is needed anyway.
+    # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
+    for kind in ima evm; do
+        key=/etc/keys/x509_$kind.der
+        if [ -s $key ]; then
+            id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
+            if [ "$id" ]; then
+                id=$(printf "%d" 0x$id)
+            fi
+            if [ -z "$id" ]; then
+                id=`keyctl search @u keyring _$kind 2>/dev/null`
+                if [ -z "$id" ]; then
+	            id=`keyctl newring _$kind @u`
+                fi
+            fi
+            info "Loading $key into $kind keyring $id"
+            keyctl padd asymmetric "" $id <$key
+        fi
+    done
+
+    # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
+    # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
+    # checking the write of each line. To minimize the risk of policy loading going wrong we
+    # also remove comments and blank lines ourselves.
+    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+        fatal "Could not load IMA policy."
+    fi
+}