meta-integrity: port over from meta-intel-iot-security

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-31 12:50:19 +00:00 · 2019-05-16 15:41:49 -07:00
parent 479d9cc23a
commit 6680225c05
30 changed files with 1402 additions and 0 deletions
@@ -0,0 +1,19 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS = " \
+openssl \
+attr \
+keyutils \
+pkgconfig \
+"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS_${PN}_append_class-target = " util-linux-blkid"
+
+inherit autotools
+
+BBCLASSEXTEND = "native"
@@ -0,0 +1,68 @@
+From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 30 Sep 2016 10:22:16 +0200
+Subject: [PATCH] command line: apply operation to all paths
+
+Previously, invocations like "evmctl ima_hash foo bar" silently
+ignored all parameters after the first path name ("foo" in this
+example).
+
+Now evmctl iterates over all specified paths. It aborts with an
+error as soon as the selected operation fails for a path.
+
+Supporting more than one parameter is useful in combination with
+"find" and "xargs" because it is noticably faster than invoking
+evmutil separately for each file, in particular when run under pseudo
+(a fakeroot environment used by the OpenEmbedded build system).
+
+This complements the recursive mode and can be used when more control
+over file selection is needed.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ src/evmctl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 23cf54c..2072034 100644
+--- a/src/evmctl.c
+++ b/src/evmctl.c
+@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
+ static int do_cmd(struct command *cmd, find_cb_t func)
+ {
+ 	char *path = g_argv[optind++];
+-	int err, dts = REG_MASK; /* only regular files by default */
+	int err = 0, dts = REG_MASK; /* only regular files by default */
+ 
+ 	if (!path) {
+ 		log_err("Parameters missing\n");
+@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
+ 		return -1;
+ 	}
+ 
+-	if (recursive) {
+-		if (search_type) {
+-			dts = get_file_type(path, search_type);
+-			if (dts < 0)
+-				return dts;
+	while (path && !err) {
+		if (recursive) {
+			if (search_type) {
+				dts = get_file_type(path, search_type);
+				if (dts < 0)
+					return dts;
+			}
+			err = find(path, dts, func);
+		} else {
+			err = func(path);
+ 		}
+-		err = find(path, dts, func);
+-	} else {
+-		err = func(path);
+		path = g_argv[optind++];
+ 	}
+ 
+ 	return err;
+-- 
+2.1.4
+
@@ -0,0 +1,50 @@
+From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 13 May 2015 03:41:02 -0700
+Subject: [PATCH] Makefile.am: disable man page creation
+
+Depends on asciidoc, which is not available.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ Makefile.am | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 06ebf59..4ddd52c 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1,5 +1,5 @@
+ SUBDIRS = src
+-dist_man_MANS = evmctl.1
+# dist_man_MANS = evmctl.1
+ 
+ doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+ EXTRA_DIST = autogen.sh $(doc_DATA)
+@@ -39,4 +39,21 @@ rmman:
+ 
+ doc: evmctl.1.html rmman evmctl.1
+ 
+# requires asciidoc, xslproc, docbook-xsl
+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
+#
+#evmctl.1.html: README
+#	@asciidoc -o $@ $<
+#
+#evmctl.1:
+#	asciidoc -d manpage -b docbook -o evmctl.1.xsl README
+#	xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
+#	rm -f evmctl.1.xsl
+#
+#rmman:
+#	rm -f evmctl.1
+#
+#doc: evmctl.1.html rmman evmctl.1
+
+ .PHONY: $(tarname)
+-- 
+1.8.4.5
+
@@ -0,0 +1,47 @@
+From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 17 Jun 2015 14:28:18 +0200
+Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
+
+Compilation on older Linux distros (like Ubuntu 12.04) fails
+because linux/xattr.h does not yet have the IMA defines. Compiling
+there makes sense when only the tools are needed, for example when
+signing an image in cross-compile mode.
+
+To support this, add fallbacks for the two defines which are needed.
+Their value is part of the Linux ABI and thus fixed.
+
+Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ src/evmctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index c54efbb..23cf54c 100644
+--- a/src/evmctl.c
+++ b/src/evmctl.c
+@@ -56,6 +56,18 @@
+ #include <ctype.h>
+ #include <termios.h>
+ 
+/*
+ * linux/xattr.h might be old to have this. Allow compilation on older
+ * Linux distros (like Ubuntu 12.04) by falling back to our own
+ * definition.
+ */
+#ifndef XATTR_IMA_SUFFIX
+# define XATTR_IMA_SUFFIX "ima"
+#endif
+#ifndef XATTR_NAME_IMA
+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
+#endif
+
+ #include <openssl/sha.h>
+ #include <openssl/pem.h>
+ #include <openssl/hmac.h>
+-- 
+2.1.4
+
@@ -0,0 +1,17 @@
+require ima-evm-utils.inc
+
+PV = "1.0+git${SRCPV}"
+SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7"
+SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
+S = "${WORKDIR}/git"
+
+# Documentation depends on asciidoc, which we do not have, so
+# do not build documentation.
+SRC_URI += "file://disable-doc-creation.patch"
+
+# Workaround for upstream incompatibility with older Linux distros.
+# Relevant for us when compiling ima-evm-utils-native.
+SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
+
+# Required for xargs with more than one path as argument (better for performance).
+SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"