Adding to your local.conf right out of the gate:
EXTRA_IMAGE_FEATURES = "read-only-rootfs"
while you are trying to sort out other things can be just another
complication to an already steep learning curve.
For example, I found simply enabling this with systemd caused:
systemd[1]: Failed to fork off sandboxing environment for executing generators: Protocol error
[!!!!!!] Failed to start up manager.
systemd[1]: Freezing execution.
While I'd like to get to the root cause of that, it doesn't change that
things boot fine w/o adding to EXTRA_IMAGE_FEATURES, even though the
rootfs is still read-only courtesy of dm-verity.
Reword things so as to make it clear it isn't strictly a hard requirement
and hence can be delayed as people work through their implementation.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Some platform creators tend to list a whole bunch of layers by
default in conf/bblayers.conf. Without getting into the debate of
whether that is a good idea, it can tend to have the effect of
people seeing the meta-security DISTRO_FEATURES warning time and
time again and becoming essentially numb to it.
After having fallen into this trap myself, I figured it was worth
the extra mention in the dm-verity doc so there is a better chance
of users realizing "hey - this applies to me!".
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To avoid having linux-%.bbappend included in targets unrelated to the
linux kernel, rename linux-%.bbappend to linux-yocto%.bbappend.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Append ':append' to do_configure so it does not replace all existing
do_configure's.
Only run 'sed' when DISTRO_FEATURES contains 'ima' and the .config file
exists.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop the kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg.
Instead, require projects that use squashfs to set this option.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
commit: 0594aee packagegroup-security-tpm2.bb: remove dynamic pkgs
is causing an issue with some users. Restore the packages and opted
to fix via PACKAGE_ARCH = "${TUNE_PKGARCH}"
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yocto mickledore introduced the addpylib directive for explicitly adding
layer paths to the PYTHONPATH.
Standalone OEQA test suite discovery does not require this directive but
it is required to import test cases from other layers, e.g. to extend
and modify the test cases.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The IMA policy will be specified using the IMA_EVM_POLICY variable since
systemd will not be involved in loading the policy but the init script will
load it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding
kernel configuration options for IMA and EVM.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix the ima_policy_appraise_all policy to appraise all executables
and libraries. Also update the list of files that are not appraised to not
appraise cgroup related files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Additional maintainer entries should be added to ones provided by oe-core,
but not be replacing them, as that breaks oe-core tests.
Another option is to place them directly into recipes.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* The dependency on autoconf-archive is only needed when building from
the Git repository (and it should really be autoconf-archive-native).
* Removing the build dependency on tpm2-abrmd does not change the output
in any way, i.e., nothing is used from it.
* The runtime dependency on libtss2 is added automatically by bitbake
since /usr/bin/tpm2 is linked with libtss2-esys.so.0.
* The runtime dependency on tpm2-abrmd is optional. Such dependencies
are better handled at a higher level, e.g., by depending on
packagegroup-security-tpm2.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If PACKAGECONFIG is not defined in local.conf then
its default value is not included in cls.tc.td map.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes:
ERROR: Missing SRC_URI checksum, please add those to the recipe:
SRC_URI[parsec-service-1.2.0.sha256sum] = "f58e7ba859c22cc1904dc8298b1a7d94ee1ba3b4d4808f28e4cc0c96ddb149c9"
Needed to S dir too.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
v2]
Fix patch applying
FIxes:
ERROR: Missing SRC_URI checksum, please add those to the recipe:
SRC_URI[parsec-tool-0.6.0.sha256sum] = "f51d5d7f0caca1c335324b52482fa5edbf6c9cfd2e6865e5cb22716d52dcb367"
Needed to have the package version included in the name.
Fixes:
ERROR: parsec-tool-0.6.0-r0 do_populate_lic: QA Issue: parsec-tool: LIC_FILES_CHKSUM points to an invalid file:
and
error: manifest path `/home/akuster/oss/clean/poky/build/tmp/work/cortexa53-poky-linux/parsec-tool/0.6.0-r0/parsec-tool-0.6.0//Cargo.toml` does not exist
Set S to CARGO_VENDORING_DIRECTORY/BP to fix the LIC_FILES_CHKSUM and compile errors.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Had to delete some wonky Cargo.toml files to get update_crates to work.
Manually updated one crate to a newer version included by update_crates as it would not compile.
Manually applied several crates missed by update_crates.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop setuid-log-folder.patch, using sed instead.
Refresh patch check-setuid-use-more-portable-find-args.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Currently CVE-2023-22745 does not show up in kirkstone CVE report.
This fixes that.
Products from yocto's CVE check NVD database:
sqlite> select * from products where product like "tpm2%";
CVE-2017-7524|tpm2-tools_project|tpm2.0-tools|||1.1.0|<=
CVE-2020-24455|tpm2_software_stack_project|tpm2_software_stack|||2.4.3|<
CVE-2020-24455|tpm2_software_stack_project|tpm2_software_stack|3.0.0|>=|3.0.1|<
CVE-2021-3565|tpm2-tools_project|tpm2-tools|5.1|>=|5.1.1|<
CVE-2021-3565|tpm2-tools_project|tpm2-tools|||4.3.2|<
CVE-2023-22745|tpm2_software_stack_project|tpm2_software_stack|||4.0.0|<=
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Building documentation fails due to missing asciidoc, xsltproc etc
so it's better to just disable building them by default.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
