Commit Graph

784 Commits

Author SHA1 Message Date
Ralph Siemsen 91730c85bb tpm2-tools: update to 4.1.3
Minor version bump from 4.1.1 to 4.1.3, containing two fixes:

4.1.3 - 2020-06-02
* tpm2_create: Fix issue with userauth attribute being cleared if
policy is specified.

4.1.2 - 2020-05-18
* Fix missing handle maps for ESY3 handle breaks. See #1994.
  https://github.com/tpm2-software/tpm2-tools/pull/1994

Details of changes
https://github.com/tpm2-software/tpm2-tools/commits/4.1.X

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-17 08:05:50 -07:00
Ralph Siemsen de4e7fced9 tpm2-tools: backport fix for CVE-2021-3565
tpm2_import used a fixed AES key for the inner wrapper, which means that
a MITM attack would be able to unwrap the imported key. Even the
use of an encrypted session will not prevent this. The TPM only
encrypts the first parameter which is the fixed symmetric key.

To fix this, ensure the key size is 16 bytes or bigger and use
OpenSSL to generate a secure random AES key.

Upstream commit (with offset adjusted)
https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-03-17 08:05:36 -07:00
Armin Kuster c74cc97641 apparmor: fix QA warning with systemd enabled
ERROR: apparmor-2.13.4-r0 do_package: QA Issue: apparmor: Files/directories were installed but not shipped in any package:
  /usr/lib/systemd
  /usr/lib/systemd/system
  /usr/lib/systemd/system/apparmor.service

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 08:54:49 -07:00
Armin Kuster 71fb4e16b3 apparmor: fix issue with older use of shell in make
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 08:24:04 -07:00
Armin Kuster a8340f10ea README: updated branch for Dunfell
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-17 07:16:48 -07:00
Armin Kuster 16b5bdec29 ibmswtpm2: fix QA warning
ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-16 18:47:51 -07:00
Sajjad Ahmed 4963043a05 layer.conf: use += instead of := to update BBFILES
Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions, instead use += which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 63e1cf3ffa)
2020-10-16 07:25:01 -07:00
Mingli Yu 717a38a8e4 scap-security-guide: add expat-native to DEPENDS
Add expat-native to DEPENDS to fix the below do_configure error:
| CMake Error at CMakeLists.txt:165 (message):
|  xmlwf is required!

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4c2f7ffd49)
2020-10-16 07:24:41 -07:00
Armin Kuster d2b9de25cb packagegroup-core-security: remove clamav from musl image
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 496a734c14)
2020-10-16 07:24:06 -07:00
Armin Kuster f01129b22e apparmor: fix build issue with ptest enabled.
minor spacing cleanup

Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 2a7963df18)
2020-10-16 07:23:21 -07:00
Naveen Saini 29fd9f98b3 linux-%/5.x: Add dm-verity fragment as needed
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d9feafe991)
2020-10-16 07:22:41 -07:00
Naveen Saini 8cf792d3aa wic: add wks.in for intel dm-verity
Based on systemd-bootdisk-microcode.wks.in, this adds
the dm-verity image similar to the beaglebone wks
already in meta-security.

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 0de4f3bfb7)
2020-10-16 07:21:47 -07:00
Naveen Saini 4aab56bbca initramfs-framework/dmverity: add retry loop for slow boot devices
Detection of USB devices by the kernel is slow enough. We need to
keep trying for a while (default: 5s seconds, controlled by roottimeout=<seconds>)
and sleep between each attempt (default: one second, rootdelay=<seconds>).

Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4

Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e23767fc72)
2020-10-16 07:19:30 -07:00
Armin Kuster aa5a6f7d12 apparmor: exclude mips64, not supported
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f176756890)
2020-10-16 07:17:55 -07:00
Armin Kuster 59e5512023 packagegroup-core-security: dont include suricata on riscv or ppc
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit caf76696e8)
2020-10-16 07:16:29 -07:00
niko.mauno@vaisala.com 6cd5fc4921 beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR
Since dm-verity-image.bbclass effectively injects

  <DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE>

dependency for do_image_wic task, we can change verity rootfs artifact
reference here from DEPLOY_DIR_IMAGE to IMGDEPLOYDIR in order to
mitigate following breakage which was observed when bitbaking
<DM_VERITY_IMAGE> target from scratch (using sstate-cache provided
artifacts):

  | wic.filemap.Error: cannot open image file '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity': [Errno 2] No such file or directory: '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity'
  | WARNING: exit code 1 from a shell command.
  |
  ERROR: Task (.../meta/recipes-core/images/core-image-minimal.bb:do_image_wic) failed with exit code '1'

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4602d64208)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 08f791321b dm-verity-image-initramfs: Drop locales from image
Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is
not needed on this type of purpose-specific initramfs image, reset the
variable which helps by shaving off almost 700kB from resulting bundled
zImage-initramfs artifact.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5f196cf59d)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 5f26a25883 dm-verity-image-initramfs: Add base-passwd package
This removes following boot-time complaints from udevd regarding
missing group declarations:

  [    6.624454] udevd[163]: specified group 'tty' unknown
  [    6.625340] udevd[163]: specified group 'dialout' unknown
  [    6.625692] udevd[163]: specified group 'kmem' unknown
  [    6.626022] udevd[163]: specified group 'input' unknown
  [    6.626541] udevd[163]: specified group 'video' unknown
  [    6.626977] udevd[163]: specified group 'audio' unknown
  [    6.627532] udevd[163]: specified group 'lp' unknown
  [    6.628187] udevd[163]: specified group 'disk' unknown
  [    6.628558] udevd[163]: specified group 'cdrom' unknown

Size impact of this change on resulting bundled zImage-initramfs
artifact is less than +1kB which is neglible.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e88895e109)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 5f2c8e8e25 dm-verity-initramfs-image: Cosmetic improvements
- revise declaration ordering as suggested by oe-stylize.py
 - sort PACKAGE_INSTALL entries in alphabetic order
 - split long command line in deploy_verity_hash()

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 1d21cec5fd)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 1e1944d13c dm-verity-image-initramfs: Use initramfs-framework
Switch from this layer's initramfs-dm-verity recipe to poky-provided
initramfs-framework suite to manage veritysetup et al.

This commit also removes initramfs-dm-verity recipe which is not
referred from elsewhere in this meta layer.

Also update the install path of dm-verity.env from /usr/share to
/usr/share/misc in order to better comply with FHS3.0, see
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 45e8b20cd0)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com e63669a811 initramfs-framework: Add dmverity module
Add 'initramfs-module-dmverity' as an extension to poky upstream
provided initramfs-framework suite via matchingly named bbappend file.

Together with pre-existing 'initramfs-module-udev' this module can be
used to facilitate dm-verity rootfs mounting from initramfs context
that is bundled with Linux kernel.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 489f7c900c)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com fa8c5e1d1a dm-verity-img.bbclass: Stage verity.env file
Introduce new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can
consequtively be picked up into associated initramfs rootfs (which
facilitates executing 'veritysetup' and related actions).

By doing this we mitigate failures that were thus far associated to this
facility, such as

  install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory

and

  install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 170945ff9f)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com c8d3edb3c4 linux-yocto(-dev): Add dm-verity fragment as needed
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 6f40921308)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 9e8522aeb5 dm-verity-image-initramfs: Bind at do_image instead
Bind custom actions in this image recipe in do_image() rather than
do_rootfs(), which can help shaving even dozens of seconds from duration
of 'bitbake <DM_VERITY_IMAGE>' command re-execution.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 03fdaf2f04)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 6b600629c6 dm-verity-image-initramfs: Ensure verity hash sync
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash,
we disable the timestamp for do_rootfs() task here, meaning that the
task will be re-executed whenever some task that depends on it executes.

Without this change, executing e.g. the following sequence

  $ bitbake <DM_VERITY_IMAGE>
  $ bitbake -c clean <DM_VERITY_IMAGE>
  $ bitbake <DM_VERITY_IMAGE>

results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like

  Mounting /dev/vda over dm-verity as the root filesystem
  [    8.729974] device-mapper: verity: sha256 using implementation sha256-generic
  [    8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
  Verity device detected corruption after activation.
  [    8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
  [    8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
  ...
  [    9.135707] EXT4-fs (dm-0): unable to read superblock
  [    9.142897] EXT4-fs (dm-0): unable to read superblock
  [    9.145393] EXT4-fs (dm-0): unable to read superblock
  [    9.147905] FAT-fs (dm-0): unable to read boot sector
  mount: /new_root: can't read superblock on /dev/mapper/rootfs.
  BusyBox v1.32.0 () multi-call binary.

  Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]
  [    9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
  [    9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
  [    9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
  ...
  [    9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 4cf81a5847)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com 061308362f dm-verity-img.bbclass: Reorder parse-time check
Relocate checking if DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE are
defined as non-empty strings before DM_VERITY_IMAGE vs. PN
comparison is performed. By doing so we start seeing following kind
of bitbake parse-time console warnings in case either DM_VERITY_IMAGE
or DM_VERITY_IMAGE_TYPE is not set, when 'dm-verity-img' is defined
in IMAGE_CLASSES:

  WARNING: .../meta/recipes-core/images/core-image-minimal.bb: dm-verity-img class inherited but not used
  WARNING: .../meta-openembedded/meta-oe/recipes-core/images/meta-oe-ptest-image.bb: dm-verity-img class inherited but not used

whereas before this change this warning was printed only once, when
image pointed by <DM_VERITY_IMAGE> was parsed (and recipe with that
name could be found in BBFILES mask scipe), and DM_VERITY_IMAGE_TYPE
was not set.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit fd23d52565)
2020-10-16 07:16:05 -07:00
niko.mauno@vaisala.com c85640cf54 dm-verity-img.bbclass: Fix bashisms
Resort to printf in order to avoid usage of non-POSIX compliant echo
flags. This mitigates following errors visible in console during
boot-up with image that has been built on a host that symlinks
'/bin/sh' to 'dash':

  /init: /usr/share/dm-verity.env: line 1: -NE_UUID: not found
  /init: /usr/share/dm-verity.env: line 2: -ne: not found
  /init: /usr/share/dm-verity.env: line 3: 642864e8-6a17-46b9-ba1e-9386a3909c8d: not found
  /init: /usr/share/dm-verity.env: line 4: -NE_HASH_TYPE: not found
  /init: /usr/share/dm-verity.env: line 5: -ne: not found
  /init: /usr/share/dm-verity.env: line 6: 1: not found
  /init: /usr/share/dm-verity.env: line 7: -NE_DATA_BLOCKS: not found
  /init: /usr/share/dm-verity.env: line 8: -ne: not found
  /init: /usr/share/dm-verity.env: line 9: 12064: not found
  /init: /usr/share/dm-verity.env: line 10: -NE_DATA_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 11: -ne: not found
  /init: /usr/share/dm-verity.env: line 12: 1024: not found
  /init: /usr/share/dm-verity.env: line 13: -NE_HASH_BLOCK_SIZE: not found
  /init: /usr/share/dm-verity.env: line 14: -ne: not found
  /init: /usr/share/dm-verity.env: line 15: 4096: not found
  /init: /usr/share/dm-verity.env: line 16: -NE_HASH_ALGORITHM: not found
  /init: /usr/share/dm-verity.env: line 17: -ne: not found
  /init: /usr/share/dm-verity.env: line 18: sha256: not found
  /init: /usr/share/dm-verity.env: line 19: -NE_SALT: not found
  /init: /usr/share/dm-verity.env: line 20: -ne: not found
  /init: /usr/share/dm-verity.env: line 21: 19d98185b42a897a37db6c56c7470ab2d455f0de46daa0df735eee6263816439: not found
  /init: /usr/share/dm-verity.env: line 22: -NE_ROOT_HASH: not found
  /init: /usr/share/dm-verity.env: line 23: -ne: not found
  /init: /usr/share/dm-verity.env: line 24: 298d75fc2ea27fe594b6a37158a6ae7538e77d918bab98c475934f625de0e4ab: not found

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit ad55aaca1b)
2020-10-16 07:15:34 -07:00
Jonatan Pålsson 369a7bd129 sssd: Make manpages buildable
Some XML related fixes are needed to make the sssd manpages buildable

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5efa53b2b2)
2020-10-16 07:14:24 -07:00
Kai Kang 9fdaf248f5 sssd: disable build secrets
It requires http_parser.h to build secrets:

| configure: error:
| You must have the header file http_parser.h installed to build sssd
| with secrets responder. If you want to build sssd without secret responder
| then specify --without-secrets when running configure.

The header file is from package http-parser[1] rather than apache2. But
there is no recipe http-parser in openembedded. So disable build secrets
for sssd and remove related systemd service and socket files.

Reference:
1. https://github.com/nodejs/http-parser

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 7831969f8c)
2020-10-16 07:14:05 -07:00
Armin Kuster 36d732f97c packagegroup-core-security: remove libseccomp for riscv*
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 29f47b4485)
2020-10-16 07:06:46 -07:00
Armin Kuster bb321aa1d7 libsecomp: rv32/rv64 target builds are not supported yet
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b5a5cbe1f5)
2020-10-16 07:06:23 -07:00
Armin Kuster a1d933f457 packagegroup-core-security: remove clamav for riscv*
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 98ff502d40)
2020-10-16 07:05:47 -07:00
Armin Kuster 3f6a0ff540 packagegroup-core-security-ptest: update fail2ban ptest pkg name
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit a2a102b2de)
2020-10-16 06:46:49 -07:00
Armin Kuster 6d6f7151f2 gitlab-ci: add support for dunfell
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15 09:20:11 -07:00
Adrian d4ec0d86b4 gitignore added
After running testimage there are some python left overs at
lib/oeqa/runtime/cases/__pycache__/

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-29 07:21:24 -07:00
Charlie Davies 213e1f95b0 clamav: update SO_VER to 9.0.4
Signed-off-by: Charlie Davies <charles.davies@whitetree.xyz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 21:49:26 -07:00
Charlie Davies 31ee54056b clamav: add INSTALL_CLAMAV_CVD flag to do_install
Recipe provides INSTALL_CLAMAV_CVD flag to bypass clamav
cvd db creation. During do_install this flag should be
used to conditionally skip install of cvd db if needed.

Signed-off-by: Charlie Davies <charles.davies@whitetree.xyz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-09-12 10:18:00 -07:00
Armin Kuster ef4bfb5b71 trousers: Several Security fixes
Source:  meta-security
MR: 105088
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/meta-security/commit/?id=787ba6faeaa8823a4d87e5edd15581cb4e12fa70
ChangeID: b55bccb002b9eb2c49dfe380406e2597bb1ade90
Description:

Fixes:
CVE-2020-24332
CVE-2020-24330
CVE-2020-24331

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 787ba6faea)
Signed-off-by: Armin Kuster <akuster@mvista.com>
2020-08-24 12:18:49 -07:00
Jeremy Puhlman 982a29bbb7 packagegroup-security-tpm2: Depend on preferred provider for cryptsetup
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-14 21:27:35 -07:00
Jeremy Puhlman b3a2f0016a cryptsetup-tpm-incubator: RPROVIDES cryptsetup and cryptsetup-dev
Without this we get weird conflict when you include dev packages:
rror: Transaction check error:
  file /usr/include/libcryptsetup.h conflicts between attempted installs of
cryptsetup-tpm-incubator-dev-0.9.9-r0.corei7_64 and
lib32-cryptsetup-dev-2.3.2-r0.1.i586
  file /usr/lib64/libcryptsetup.so conflicts between attempted installs of
cryptsetup-tpm-incubator-dev-0.9.9-r0.corei7_64 and
cryptsetup-dev-2.3.2-r0.1.corei7_64
  file /usr/lib64/pkgconfig/libcryptsetup.pc conflicts between attempted
installs of cryptsetup-tpm-incubator-dev-0.9.9-r0.corei7_64 and
cryptsetup-dev-2.3.2-r0.1.corei7_64
  file /usr/lib/libcryptsetup.so conflicts between attempted installs of
lib32-cryptsetup-tpm-incubator-dev-0.9.9-r0.i586 and
lib32-cryptsetup-dev-2.3.2-r0.1.i586
  file /usr/lib/pkgconfig/libcryptsetup.pc conflicts between attempted installs
of lib32-cryptsetup-tpm-incubator-dev-0.9.9-r0.i586 and
lib32-cryptsetup-dev-2.3.2-r0.1.i586

Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-14 21:27:35 -07:00
Zheng Ruoqin 0b69bd3553 bastille: Deleted redundant inherit to fix error when enable multilib.
There is no need to inherit module-base. Because this inherit will stop
bastille to build to lib32-bastille.

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-14 21:27:35 -07:00
Zheng Ruoqin 53c47a5136 ccs-tools:Fix build error when enable multilib.
ERROR: lib32-ccs-tools-1.8.4-r0 do_install: oe_runmake failed
ERROR: lib32-ccs-tools-1.8.4-r0 do_install: Execution of
'/build-armv8/tmp/work/armv7ahf-neon-mllib32-linux-gnueabi/lib32-ccs-tools/1.8.4-r0/temp/run.do_install.22368'
failed with exit code 1:
make: *** No rule to make target 'install'.  Stop.
WARNING: exit code 1 from a shell command.

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-14 21:27:35 -07:00
Armin Kuster 2b10d60721 isafw.bbclass: typo in layer name
move class to proper layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-14 21:27:35 -07:00
Alexander Kanavin 217fadb03d apparmor: pull in coreutils/findutils only when not using systemd as init manager
The utilities from those packages (xargs, comm) are only used in sysvinit
scripts, and so there is no need to pull them in when systemd is in use.
Both are gpl3 licensed, so this is beneficial for builds where gpl3 is not
allowed.

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-19 16:04:19 -07:00
Jeremy Puhlman 4ebf5e84dd tripwire: Remove makefiles from the man directories.
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-19 16:04:19 -07:00
Jeremy Puhlman 2e228691a6 clamav: resolve multilib issues
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-19 16:04:12 -07:00
Haseeb Ashraf d83f7cb0c9 samhain: dnmalloc hash fix for aarch64 and mips64
fix runtime error:
samhain[4069]: FATAL: x_dnmalloc.c: 2790: hashval < AMOUNTHASH
Killed

The proper fix is not to disable dnmalloc. This change is in
continuation of samhain-mips64-aarch64-dnmalloc-hash-fix.patch
which requires CONFIG_ARCH_AARCH64 or CONFIG_ARCH_MIPS64 to be
defined for the corresponding architecture

Signed-off-by: Haseeb Ashraf <Haseeb_Ashraf@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:30:57 -07:00
Yi Zhao b7db91fd19 samhain-server: add volatile file for systemd
Add volatile file to create /var/log/yule when using systemd. Also
remove unused /var/log directory in do_install.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:30:57 -07:00
Bartosz Golaszewski 4e1535874e dm-verity: add a working example for BeagleBone Black
This adds various bits and pieces to enable generating a working example
of a full chain of trust up to dm-verity-protected rootfs level on Beagle
Bone Black.

The new initramfs is quite generic and should work for other SoCs as well
when using fitImage.

The following config can be used with current master poky,
meta-openembedded & meta-security to generate a BBB image using verified
boot and dm-verity.

  UBOOT_SIGN_KEYDIR = "/tmp/test-keys/"
  UBOOT_SIGN_KEYNAME = "dev"
  UBOOT_SIGN_ENABLE = "1"
  UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
  UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"

  IMAGE_CLASSES += "dm-verity-img"
  IMAGE_FSTYPES += "wic.xz ext4"

  DM_VERITY_IMAGE = "core-image-full-cmdline"
  DM_VERITY_IMAGE_TYPE = "ext4"

  KERNEL_CLASSES += "kernel-fitimage"
  KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"

  IMAGE_INSTALL_remove = " kernel-image-zimage"
  IMAGE_BOOT_FILES_remove = " zImage"
  IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage"

  # Using systemd is not strictly needed but deals nicely with read-only
  # filesystem by default.
  DISTRO_FEATURES_append = " systemd"
  DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
  VIRTUAL-RUNTIME_init_manager = "systemd"
  VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

  INITRAMFS_IMAGE = "dm-verity-image-initramfs"
  INITRAMFS_FSTYPES = "cpio.gz"
  INITRAMFS_IMAGE_BUNDLE = "1"

  WKS_FILE = "beaglebone-yocto-verity.wks.in"

  KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc"

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:30:57 -07:00
Bartosz Golaszewski d136601097 classes: provide a class for generating dm-verity meta-data images
This adds a class that allows to generate conversions of ext[234] and
btrfs partitions images with dm-verity hash data appended at the end as
well as a corresponding .env file containing the root hash and data
offset that can be stored in a secure location (e.g. signed fitImage)
or signed and verified at run-time on its own.

The class depends on two variables:
  DM_VERITY_IMAGE:      defines the name of the main image (normally the
                        one that is used with the bitbake command to
                        build the main image)
  DM_VERITY_IMAGE_TYPE: defines exactly one type for which to generate
                        the protected image.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:30:57 -07:00