Commit Graph

1457 Commits

Author SHA1 Message Date
Mikko Rapeli
3767ca82cf tpm2-tss: support native builds
systemd tool ukify
https://www.freedesktop.org/software/systemd/man/latest/ukify.html
depends on systemd-measure
https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
which depends on tpm2-tss. So to support creating UKI
images containing both kernel and initramfs with systemd-native,
tpm2-tss support is needed for native too.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Armin Kuster
e67e3d377e arpwatch: adjust CONFIGURE params to allow to build again.
drop EXTRA_OECONF

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Armin Kuster
0bc38b348b layers: Move READMEs to markdown format
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Armin Kuster
a0731b7b3c lynis: Update SRC_URI to improve updater
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Armin Kuster
699ffcbdaf python3-privacyidea: Update to 3.9.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Dawid Dabrowski
7ee7b8903d libhoth recipe update
Changelog:
    Dawid Dabrowski
        Add support for payload update protocol for generic Titan images.
    Nick Nooney
        Add BUILD rules to support using libhoth with external tools.
    Yoan Andreev
        Add spi passthrough enable and disable commands.
        Add arm_coordinated_reset.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Armin Kuster
6cf4d653dc libgssglue: update to 0.8
LICENSE changed
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-29 09:09:30 -05:00
Stefan Berger
070a1e82cc ima,evm: Add two variables to write filenames and signatures into
Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE
for filenames where the ima_evm_sign_rootfs script can write the names
of files and their IMA or EVM signatures into. Both variables are
optional. The content of the file with IMA signatures may look like
this:

/usr/bin/gpiodetect ima:0x0302046730eefd...
/usr/bin/pwscore ima:0x0302046730eefd004...

Having the filenames along with their signatures is useful for signing
files in the initrd when the initrd is running out of a tmpfs filesystem
that has support for xattrs. This allows enabling an IMA appraisal
policy already in the initrd where files must be signed as soon as the
policy becomes active.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-08 07:09:28 -05:00
Mingli Yu
9769990db3 samhain: remove the buildpath
Fixes:
  WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /var/lib/samhain/samhain-install.sh in package samhain-server contains reference to TMPDIR [buildpaths]
  WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /usr/share/doc/samhain-server/scripts/samhain.ebuild-light in package samhain-server-doc contains reference to TMPDIR
  File /usr/share/doc/samhain-server/scripts/samhain.ebuild in package samhain-server-doc contains reference to TMPDIR [buildpaths]

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-08 07:09:20 -05:00
Gowtham Suresh Kumar
ad7dd6cc44 Update parsec recipes
Parsec-service and parsec-tool recipes have been updated to use
1.3.0 and 0.7.0 versions respectively.

Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-03 07:10:17 -04:00
Rasmus Villemoes
3f7d40b0fc fail2ban: add useful recommendations
On a systemd-based system, one is likely to make use of
'backend=systemd', which requires the systemd module.

Both the pyinotify and systemd backends require the distutils module.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 15:24:38 -04:00
Rasmus Villemoes
e63009af19 fail2ban: change sqlite3 dependency to python3-sqlite3
Currently, one gets

  Unable to import fail2ban database module as sqlite is not available

So we need to ensure the sqlite3 python module is available. That will
automatically pull in libsqlite3.

Since fail2ban does not actually depend on the CLI which the
sqlite3 package provides, drop that dependency.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 15:24:38 -04:00
Rasmus Villemoes
31b70d93fc fail2ban: add systemd support
fail2ban ships with a suitable .service file, so install that if
systemd is in DISTRO_FEATURES. The logic in rm_sysvinit_initddir in
systemd.bbclass will then take care of removing the sysvinit script if
sysvinit is not in DISTRO_FEATURES.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-08 15:24:27 -04:00
Armin Kuster
aca6d4a9e7 scap-security-guide: Drop Poky patch and update to tip
The Poky patch has been accepted.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:47:15 -04:00
John Broadbent
4f79979c54 libhoth: Update
Changelog:
    Royce Rajan
        0e3eec6 Claim + Release USB connection when running `htool console`
        b36ebfc bazel: Stamp Git commit as version
        fd90feb meson: Stamp Git commit as version
        ba1403d Add get/clear panic record commands (#30)
    Chris Evans
        e34e9bd Update README.md for recently-added commands.
    Daimeng Wang
        611381e htool: Implement authz_record read/erase/build/set
        aaed60f htool: Add authz_record command API
        ad68019 libhoth: MTD allows zero byte read
    Pai Peng
        101f711 Add the 'statistics' command

Signed-off-by: John Broadbent <jebr@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:58 -04:00
Armin Kuster
c3c84aef49 lynis: Update to 3.0.9
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:46 -04:00
Armin Kuster
d2b1bd962f swtpm: update 0.8.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:46 -04:00
Armin Kuster
49103c45ac libhtp: update to 0.5.45
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:37 -04:00
Armin Kuster
00c161827a lkrg-module: update to 0.9.7
LIC_FILES_CHKSUM changed due to year update

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Armin Kuster
a13f453f69 python3-privacyidea: update to 3.8.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Armin Kuster
0d47c43dce openscap: update to 1.3.9
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Armin Kuster
ff8d871caf sssd: Update to 2.9.2
fixes musl build regarding time structs.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Armin Kuster
254b6094b5 suricata: Update to 7.0.0
refresh patches
update libhtp

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-25 09:45:11 -04:00
Armin Kuster
83ac8fc1bd suricata: fix build issue.
If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-12 11:06:45 -04:00
Martin Jansa
1856a7cf43 layer.conf: update LAYERSERIES_COMPAT for nanbield
* oe-core switched to nanbield in:
  https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-11 07:18:19 -04:00
Lei Maohui
8ffa79641f ccs-tools: Fix do_package QA Issue.
After usrmerge had been enabled, paxctl has the following error:
ERROR: ccs-tools-1.8.9-r0 do_package: QA Issue: ccs-tools: Files/directories were installed but not shipped in any package:
  /sbin/ccs-init

Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-11 07:17:25 -04:00
Lei Maohui
830817cc14 paxctl: Fix do_package QA Issue.
After usrmerge had been enabled, paxctl has the following error:
ERROR: paxctl-0.9-r0 do_package: QA Issue: paxctl: Files/directories were installed but not shipped in any package:
  /sbin/paxctl

Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-08 12:06:31 -04:00
Armin Kuster
8a91e5e9d1 scap-security-guide: update to 0.1.69+
Update to tip of branch

Drop 0001-scap-security-guide-add-openembedded-distro-support.patch is now included in tip

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-08 12:06:31 -04:00
Yi Zhao
533da3cd2b scap-security-guide: pass the correct cpe/schemas/xsl paths to oscap
There is a build error when using openscap-native sstate cache mirror.
Steps to reproduce:
Create a new build project in build-1 directory.
$ bitbake openscap-native

Then remove all directories in build-1 directory except sstate-cache.
Use the sstate-cache directory as sstate mirror.

Create another new build project in build-2 directory.
Set SSTATE_MIRRORS to point to the sstate-cache in build-1 directory.
$ bitbake scap-security-guide

Error message:
OpenSCAP Error: Schema file 'sds/1.3/scap-source-data-stream_1.3.xsd' not found in path
'/build-1/tmp-glibc/work-shared/openscap/oscap-build-artifacts/usr/share/openscap/schemas' when trying to validate
'/build-2/tmp-glibc/work/corei7-64-wrs-linux/scap-security-guide/0.1.67/build/ssg-openembedded-ds.xml'
[/build-1/tmp-glibc/work/x86_64-linux/openscap-native/1.3.8/git/src/source/validate.c:103]

The oscap command from openscap-native tries to find the schema files in
build-1 directory since these paths are hardcoded when building
openscap-native.

We need to pass the correct cpe/schemas/xsl paths to oscap to make sure
it can find the files in right location.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-08 12:06:31 -04:00
Armin Kuster
b9bc938785 layer: add QA_WARNINGS to all layers
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Armin Kuster
39d373acd1 meta-tpm linux-yocto-rt: Add the bbappend for rt kernel
So that the security features in this layer can be used on the
rt kernel.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Kevin Hao
b727a4c94d linux-yocto-rt: Add the bbappend for rt kernel
So that the security features in this layer can be used on the
rt kernel.

Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Armin Kuster
02f285b276 sshguard: Update to 2.4.3
Changelog: https://bitbucket.org/sshguard/sshguard/src/master/CHANGELOG.rst

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Kai Kang
782251aa8f sssd: 2.7.4 -> 2.9.1
Update sssd from 2.7.4 to 2.9.1.

* backport patch to fix interpreter of script sss_analyze
* add runtime dependency python3-systemd when systemd is enabled
* update FILES

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Luke Granger-Brown
21bb5627e0 glome: update to tip
Markus Rudy (17):
      Use Github TeX Markdown instead of image includes.
      Merge pull request #134 from burgerdev/md-tex
      Merge pull request #135 from vvidic/cli-base64
      RFD 002: public key format at rest (#109)
      Merge pull request #137 from vvidic/hmac
      Merge pull request #138 from vvidic/hmac2
      Update list of supported Python versions
      Install golint instead of 'get'ting it.
      Merge pull request #139 from burgerdev/actions
      Clarify format of public key at rest
      Test all supported config file keys
      Merge pull request #144 from burgerdev/public-key-format
      Fix linter findings for #144
      Use 'release' buildtype for NixOS builds
      Merge pull request #149 from google/l9i/bye-java
      RFD 001: GLOME Login v2 (#102)
      login/v2 implementation for Go (#162)

Philipp Kern (21):
      Merge pull request #133 from google/l9i/pam-fix
      Merge pull request #132 from google/l9i/nix-shell
      Merge pull request #140 from vvidic/defaul-typo
      Merge pull request #142 from vvidic/soversion
      Merge pull request #146 from burgerdev/lint
      Merge pull request #148 from google/dependabot/go_modules/go/golang.org/x/crypto-0.1.0
      Merge pull request #152 from google/l9i/cpplint
      Merge pull request #154 from vvidic/docker-public-key
      Merge pull request #155 from vvidic/prompt-fix
      Insert a slash after url-prefix when writing it into prompt
      Merge pull request #156 from google/url-prefix-compat
      Merge pull request #157 from vvidic/config-order
      State that devices require randomness for the protocol to work
      Update docs/protocol.md
      Merge pull request #158 from google/pkern-patch-1
      Fix error to state "at most" instead of "at least"
      Merge pull request #153 from vvidic/min-tag-length
      Merge pull request #159 from vvidic/host-id-type
      README.md: Codeblock fixups
      Merge branch 'master' into l9i/README
      Merge pull request #141 from google/l9i/README

Piotr Lewandowski (12):
      Fix failing PAM test
      Treat warning as errors
      Define OPENSSL_API_COMPAT to require OpenSSL >=1.1
      Use werror only for CI
      Add nix-shell config for setting up dev environment
      Add GitHub Action workflow for shell.nix
      Add intro and installation steps to README.md
      Address reviewer's comments
      Wrap lines
      Delete Java implementation
      Rename `url-prefix` to `prompt` (#131)
      Add `cpplint` linter

Valentin Vidic (10):
      Update CLI to use base64 instead of hex tags.
      Replace deprecated OpenSSL HMAC API with EVP.
      Replace OpenSSL EVP_DigestSign API with HMAC()
      Fix typo: defaul => default
      Use project version in library version
      Update Docker scripts for new public key format
      Fix setting of prompt parameter
      Parse command line again after reading the config
      Add config option for minimum authcode length #122
      Add config option for host-id type #122

dependabot[bot] (1):
      Bump golang.org/x/crypto in /go

Signed-off-by: Luke Granger-Brown <lukegb@google.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Wurm, Stephan
a94674c5bc dm-verity-image-initramfs: Allow compressed image types
Using <DM_VERITY_IMAGE_TYPE> in the depends variable does not work for
compressed image types like squashfs-zst, as the resulting task
dependency still contains the incompatible dash. Replacing the dash by
an underscore resolves this issue.

Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-06 11:31:18 -04:00
Armin Kuster
d47553303c meta-integrity: drop ima.cfg in favor of new k-cache
The upstream ima.cfg kernel-cache has been updated.
Use it instead.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
686c7c0b8a python3-json2html: add new pkg
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
b713a8e661 python3-json2html: add new pkg
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
108ab6d75e python3-yamlpath: Add new pkg
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
1ca654ef4f scap-security-guide: enable ptest
This adds the basic framework to allow the test suite to run. It takes a very long time
so it may not be practical to run in some cases (days in my case).

The ptest log format has not been verified.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Kai Kang
ef184ce03a openscap: fix buildpaths issue
Variables PREFERRED_PYTHON_PATH and PYTHON3_PATH are set with
${PYTHON_EXECUTABLE}. For cross compile, ${PYTHON_EXECUTABLE} may point
to other path rather than standard dir such as /usr/bin. Then the
generated library file contains such a path, which it should NOT. Update to
make variables PREFERRED_PYTHON_PATH and PYTHON3_PATH configurable to
fix buildpaths issue:

| WARNING: openscap-1.3.7-r0 do_package_qa: QA Issue: File
| /usr/lib/libopenscap.so.25.5.1 in package openscap contains reference
| to TMPDIR [buildpaths]

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
be8b6b20d6 packagegroup-security-tpm2: add more pkgs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
64b8f9b68e scap-security-guide: refactor patches
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
4c787f3258 clamav: update SRC_URI
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
c3d96a66fe packagegroup: add python3-tpm2-pytss
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
c56573730f python3-tpm2-pytss: add python tss2 support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
1dd076d3a7 firejail: only allow x86-64 and arm64 to build
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
e4318a3c5a packagegroup-core-security: only include firejail x86-64 and aarch64
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00
Armin Kuster
cfe7335568 qemu: move qemu setting to image and out of layer.conf
I suspect it's better form to have these in the image definition.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-31 06:18:52 -04:00