Commit Graph

739 Commits

Author SHA1 Message Date
Armin Kuster
d9d31d1f66 tpm2-tools: update to 4.1.3
LICENSE changed to BSD3

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-06-19 16:03:16 -07:00
Haseeb Ashraf
95fe86eb98 samhain: dnmalloc hash fix for aarch64 and mips64
fix runtime error:
samhain[4069]: FATAL: x_dnmalloc.c: 2790: hashval < AMOUNTHASH
Killed

The proper fix is not to disable dnmalloc. This change is in
continuation of samhain-mips64-aarch64-dnmalloc-hash-fix.patch
which requires CONFIG_ARCH_AARCH64 or CONFIG_ARCH_MIPS64 to be
defined for the corresponding architecture

Signed-off-by: Haseeb Ashraf <Haseeb_Ashraf@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:28:21 -07:00
Yi Zhao
9168152b1e samhain-server: add volatile file for systemd
Add volatile file to create /var/log/yule when using systemd. Also
remove unused /var/log directory in do_install.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:28:21 -07:00
Bartosz Golaszewski
d6369c9aaf dm-verity: add a working example for BeagleBone Black
This adds various bits and pieces to enable generating a working example
of a full chain of trust up to dm-verity-protected rootfs level on BeagleBone
Black.

The new initramfs is quite generic and should work for other SoCs as well
when using fitImage.

The following config can be used with current master poky,
meta-openembedded & meta-security to generate a BBB image using verified
boot and dm-verity.

  UBOOT_SIGN_KEYDIR = "/tmp/test-keys/"
  UBOOT_SIGN_KEYNAME = "dev"
  UBOOT_SIGN_ENABLE = "1"
  UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
  UBOOT_MACHINE_beaglebone-yocto = "am335x_boneblack_vboot_config"

  IMAGE_CLASSES += "dm-verity-img"
  IMAGE_FSTYPES += "wic.xz ext4"

  DM_VERITY_IMAGE = "core-image-full-cmdline"
  DM_VERITY_IMAGE_TYPE = "ext4"

  KERNEL_CLASSES += "kernel-fitimage"
  KERNEL_IMAGETYPE_beaglebone-yocto = "fitImage"

  IMAGE_INSTALL_remove = " kernel-image-zimage"
  IMAGE_BOOT_FILES_remove = " zImage"
  IMAGE_BOOT_FILES_append = " fitImage-${INITRAMFS_IMAGE}-${MACHINE}-${MACHINE};fitImage"

  # Using systemd is not strictly needed but deals nicely with read-only
  # filesystem by default.
  DISTRO_FEATURES_append = " systemd"
  DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
  VIRTUAL-RUNTIME_init_manager = "systemd"
  VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

  INITRAMFS_IMAGE = "dm-verity-image-initramfs"
  INITRAMFS_FSTYPES = "cpio.gz"
  INITRAMFS_IMAGE_BUNDLE = "1"

  WKS_FILE = "beaglebone-yocto-verity.wks.in"

  KERNEL_FEATURES_append = " features/device-mapper/dm-verity.scc"

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:28:21 -07:00
Bartosz Golaszewski
b329e1650d classes: provide a class for generating dm-verity meta-data images
This adds a class that allows generating conversions of ext[234] and
btrfs partitions images with dm-verity hash data appended at the end as
well as a corresponding .env file containing the root hash and data
offset that can be stored in a secure location (e.g. signed fitImage)
or signed and verified at run-time on its own.

The class depends on two variables:
  DM_VERITY_IMAGE:      defines the name of the main image (normally the
                        one that is used with the bitbake command to
                        build the main image)
  DM_VERITY_IMAGE_TYPE: defines exactly one type for which to generate
                        the protected image.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:28:21 -07:00
Armin Kuster
20ef03b0f1 buck-security: fix runtime issue with missing perl module
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-05-15 05:20:31 -07:00
Jan Luebbe
f1ca0f9117 apparmor: update to 2.13.4
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-04-07 11:50:02 -07:00
Jan Luebbe
e45b54998c apparmor: fix wrong executable permission on service file
This avoids "systemd[1]: Configuration file
/lib/systemd/system/apparmor.service is marked executable. Please remove
executable permission bits. Proceeding anyway." on boot.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-04-07 11:49:54 -07:00
Armin Kuster
98a6664408 arpwatch: add new recipe
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Martin Jansa
7f7897590c layer.conf: update LAYERSERIES_COMPAT for dunfell
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
47de50efdb sssd: Add infopipe PACKAGECONFIG
infopipe was previously on by default, so add it to the default
PACKAGECONFIG.

The systemd files are only installed when --with-infopipe is passed to
configure, so conditionally add them to SYSTEMD_SERVICE.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
e54b07c3d4 sssd: Add missing DEPENDS on jansson
When building with the curl PACKAGECONFIG, sssd will depend on the
jansson library.

Fixes the following error:
    | checking for JANSSON... no
    | checking jansson.h usability... no
    | checking jansson.h presence... no
    | checking for jansson.h... no
    | configure: error:
    | You must have the header file jansson.h installed to build sssd
    | with secrets and KCM responder. If you want to build sssd without these
    | responders then specify --without-secrets --without-kcm when running configure.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
cf423c05bf sssd: Add missing files to SYSTEMD_SERVICE
These files are installed when the ssh or curl PACKAGECONFIGs are enabled.

Fixes the following error:

    ERROR: sssd-1.16.4-r0 do_package: QA Issue: sssd: Files/directories were
      installed but not shipped in any package:
        /lib/systemd/system/sssd-kcm.socket
        /lib/systemd/system/sssd-kcm.service
        /lib/systemd/system/sssd-ssh.socket
        /lib/systemd/system/sssd-ssh.service

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
52e3654d34 sssd: Add sudo PACKAGECONFIG
sudo was previously on by default, so add it to the default
PACKAGECONFIG.

The systemd files are only installed when --with-sudo is passed to
configure, so conditionally add them to SYSTEMD_SERVICE.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
79d9fc23e2 sssd: Add autofs PACKAGECONFIG
autofs was previously on by default, so add it to the default
PACKAGECONFIG.

The systemd files are only installed when --with-autofs is passed to
configure, so conditionally add them to SYSTEMD_SERVICE.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Jonatan Pålsson
70a4908a97 sssd: Sort PACKAGECONFIG entries
Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
5b82f67c48 buck-security: move to recipes-scanners
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
7beb91332f checksecurity: move to recipes-scanners
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
a9e3b04576 checksec: move to recipe-scanners
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
e4a2dd0b4a clamav: move to recipes-scanners
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
4447296ca3 chkrootkit: add rootkit recipe
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
d2c383fa63 fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
bc7b81685c lynis: add missing rdepends
add findutils

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Yi Zhao
1f7ca85929 openscap-daemon: add missing runtime dependencies
Add missing runtime dependencies, otherwise /usr/bin/oscapd cannot
start up.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27 16:53:25 -07:00
Armin Kuster
4229f5025e libseccomp: update to 2.4.3
dropped patch now included in update

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:13:07 -07:00
Armin Kuster
96737082ad sssd: python2 not supported
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:13:07 -07:00
André Draszik
d7ca573c36 linux-yocto: update the bbappend to 5.x
As linux-yocto upgraded to 5.x in oe-core, update
the bbappend to 5.x to remove the warning

ERROR: No recipes available for:
  .../meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend

This patch hasn't been verified any further than allowing bitbake
to complete with a non-linux-yocto kernel. In particular options could
be different, or new ones needed / desired.

Signed-off-by: André Draszik <git@andred.net>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:13:07 -07:00
Jonatan Pålsson
6eaee464bf sssd: DEPEND on nss if nothing else is chosen
sssd will attempt to build against nss if no crypto is selected. If a
bbappend sets PACKAGECONFIG = <list without nss or crypto>, the
appropriate DEPEND is not established.

Fixes the following configure error:

    ... snip ...
    | checking for NSS... configure: error: Package requirements (nss) were not met:
    |
    | No package 'nss' found
    |
    | Consider adjusting the PKG_CONFIG_PATH environment variable if you
    | installed software in a non-standard prefix.
    |
    | Alternatively, you may set the environment variables NSS_CFLAGS
    | and NSS_LIBS to avoid the need to call pkg-config.
    | See the pkg-config man page for more details.
    |
    | WARNING: exit code 1 from a shell command.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:13:07 -07:00
Jonatan Pålsson
1c22721eae sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:13:07 -07:00
Jonatan Pålsson
a509e21902 sssd: Add PACKAGECONFIG for python2
Fixes the following build error:

    .. snip ..
    | checking for python2... no
    | checking for python3... (cached) python3.8
    | configure: error:
    | The program python2 was not found in search path.
    | Please ensure that it is installed and its directory is included in the search
    | path. It is required for building python2 bindings. If you do not want to build
    | them please use argument --without-python2-bindings when running configure.
    | WARNING: exit code 1 from a shell command.

Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-08 14:12:59 -07:00
Jonatan Pålsson
d1a0d18d3e README: Add meta-python to list of layer deps
Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-05 08:06:51 -08:00
Armin Kuster
69ad1d51fd libtpm: fix build issue over pod2man
/bin/bash: pod2man: command not found
| Makefile:585: recipe for target 'TPMLIB_CancelCommand.3' failed

inherit perlnative to fix

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-05 08:06:51 -08:00
Kai Kang
4375507f39 sssd: fix for ldblibdir and systemd etc
Fix sssd issue for ldblibdir, systemd, pam etc.

* fix ldblibdir which is not calculated right for cross compile
* create directory /var/log/sssd which is required by sssd daemon
* disable building python2 binding
* fix pam module path
* update systemd configure options and service files

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-05 08:06:51 -08:00
Mingli Yu
15061e3a4e linux-yocto: update the bbappend to 5.x
As linux-yocto upgraded to 5.x in oe-core, update
the bbappend to 5.x to remove the warning:

WARNING: No recipes available for:
  /buildarea/layers/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
[Dropped 4.x part]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-05 08:06:44 -08:00
Yi Zhao
b23e7eac2d scap-security-guide: pass the correct schema file path to openscap-native
There is a build error when using openscap-native sstate cache.
Steps to reproduce:
Create a new build project in build-1 directory.
$ bitbake openscap-native
Then remove the whole build directory only keep the sstate-cache
directory as a sstate mirror.

Create another new build project in build-2 directory.
Set SSTATE_MIRRORS
$ bitbake scap-security-guide

Error message:
OpenSCAP Error: Schema file 'xccdf/1.1/xccdf-schema.xsd' not found in path
'/buildarea/build-1/tmp/work-shared/openscap/oscap-build-artifacts/usr/share/openscap/schemas' when trying to validate
'/buildarea/build-2/tmp/work/core2-64-poky-linux/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/build/jre/xccdf-unlinked-resolved.xml'
[/buildarea/build-1/tmp/work/x86_64-linux/openscap-native/1.3.1+gitAUTOINC+4bbdb46ff6-r0/git/src/source/validate.c:104]

The oscap command from openscap-native tries to find the schema files in
build-1 directory since these paths are hardcoded when building
openscap-native.

We need to pass the correct schema/xslt/cpe paths to oscap to make sure
it can find the files in right location.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-05 07:20:07 -08:00
Armin Kuster
17b0f42647 security*-image: remove dead var and minor cleanup
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Bartosz Golaszewski
a3f5288624 linux: drop the bbappend for linux v4.x series
v4.19 LTS has been dropped in poky in favor of v5.4. Drop the bbappend
from meta-security as right now the build fails.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
290b4bbf8c clamav-native: missed bison fix
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
209ccfea1a README.md: update to new maintainer
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
7fcf17b9fe layer.conf: add zeus
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
0e0472f376 isafw: fix to work against master
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
4842e14299 meta-security-isafw: import layer from Intel
take over layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
73cb9a32dc clamav: add bison-native to depend
fixes build issue:
clamav/0.101.5-r0/git/config/ylwrap: line 176: yacc: command not found

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-01 22:16:14 -08:00
Armin Kuster
0d8cee5029 apparmor: update to tip
fixes Python3.8 configure issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-17 19:13:30 -08:00
Armin Kuster
2a91f5cc62 google-authenticator-libpam: install module in pam location
pam_google_authenticator.so was being installed where pam could not find
it. Move it where the rest of the pam modules sit.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-16 08:49:20 -08:00
Armin Kuster
238b8936e6 python3-fail2ban: add 2-3 conversion changes
Had to use the fail2ban-2.3 program to create py3 code
Add it as a patch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-16 08:48:43 -08:00
Armin Kuster
676d7166a2 ibmswtpm2: update to 1563
fix build issue

[v2]
Fix subject line

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-10 19:13:52 -08:00
Armin Kuster
5f258016b3 tpm2-tss: update to 2.3.2
clean up recipe. drop git fetching

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-10 19:13:52 -08:00
Armin Kuster
e87130f429 tpm2-tcti-uefi: fix build issue for i386 machine
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-10 19:13:52 -08:00
Armin Kuster
f2e9e8f96f tpm2-tools: update to 4.1.1
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-02-10 19:13:52 -08:00