mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-04-20 11:29:37 +00:00
Code Issues Projects Releases Wiki Activity
907 Commits 38 Branches 0 Tags
f9fdf977300d4a3e970be9ee43e324dcf500db3a
Commit Graph

45 Commits

Author SHA1 Message Date
Armin Kuster
f9fdf97730 layer.conf: Add hardknott to LAYERSERIES_COMPAT 
Thats codename for 3.3

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-03-18 08:01:19 -07:00
Ming Liu
6ada80aa3e ima-evm-keys: add file-checksums to IMA_EVM_X509 
This ensures when a end user change the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-03-18 08:01:19 -07:00
Ming Liu
9504d02694 ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic 
This fixes following systemd boot issues:
[    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[    7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-03-02 11:56:27 -08:00
Ming Liu
6612bf719f ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic 
Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
ffab25f929 initramfs-framework-ima: let ima_enabled return 0 
Otherwise, ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
4dc646c8ce README.md: update according to the refactoring in ima-evm-rootfs.bbclass 
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
76d1e3ecad meta: refactor IMA/EVM sign rootfs 
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes but not only image recipes.

To fix the above issues, we introduce a ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
52bfc654e8 initramfs-framework-ima: RDEPENDS on ima-evm-keys 
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
f70207e1c1 ima-evm-keys: add recipe 
Create a recipe to package IMA/EMV public keys.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
0f34b25763 initramfs-framework-ima: fix a wrong path 
/etc/ima-policy > /etc/ima/ima-policy.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Ming Liu
ca1c2086ad ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty 
'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check for ima-evm-utils-native.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2021-02-23 20:34:51 -08:00
Armin Kuster
58c17d008d meta-security: Add gatesgarth to LAYERSERIES_COMPAT 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-10-19 18:14:23 -07:00
Sajjad Ahmed
8bcc4d7057 layer.conf: use += instead of := to update BBFILES 
Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions, instead use += which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-10-19 18:14:13 -07:00
Armin Kuster
f876289913 meta-integrity: add dynamic-layer for strongswan 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-07-18 18:26:44 -07:00
Armin Kuster
9f8bdb7751 strongswan: Add bbappends for ima changes 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-07-18 18:26:44 -07:00
Martin Jansa
7f7897590c layer.conf: update LAYERSERIES_COMPAT for dunfell 
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-03-27 16:53:25 -07:00
Armin Kuster
5d629ccb54 meta-integrity: fix issues with yocto-check-layer 
[v2]
re-did solutions

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2020-01-04 10:55:26 -08:00
Armin Kuster
72b05edff5 meta-security: add layer index callouts 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-12-07 15:31:34 -08:00
Armin Kuster
a0dee993cd layer.conf: Update for zeus series 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-10-11 07:41:01 -07:00
Armin Kuster
225c3bc7d0 initramfs-framework-ima: correct IMA_POLICY name 
it had ima_policy_hashed  and did not match the recipe
ima-policy-hashed

found by yocto-check-layer

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-09-07 08:32:50 -07:00
Armin Kuster
563c2af19c integrity-image: IMA_EVM_KEY_DIR has no affect, remove 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-24 20:43:55 -07:00
Armin Kuster
0a32d622c8 meta-integrity: remove kernel fragments now in cache 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-15 20:10:33 -07:00
Dmitry Eremin-Solenikov
9549b76a90 layer.conf: switch to keyutils from meta-oe 
As pointer by Martin Jansa, keyutils package is now a part of meta-oe,
so switch to using keyutils from that layer.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-07 07:09:50 -07:00
Dmitry Eremin-Solenikov
eebe0ff18a linux: add support for kernel modules signing 
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
 2019-08-07 07:09:50 -07:00
Dmitry Eremin-Solenikov
79bc2559fe kernel-modsign.bbclass: add support for kernel modules signing 
Add bbclass responsible for handling signing of kernel modules.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>

fixup class to avoid including in every configure task

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-07 07:09:43 -07:00
Dmitry Eremin-Solenikov
c2ddc05c20 ima-evm-utils: bump to release 1.2.1 
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-04 13:13:38 -07:00
Dmitry Eremin-Solenikov
c9c4e6c228 meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE 
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
 2019-08-04 13:12:41 -07:00
lumag
fc20f45964 ima-evm-utils: refresh xattr patch 
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-04 12:17:25 -07:00
lumag
2fa48c800d ima-evm-utils: bump version 
Currently selected SRCREV (782224f33cd711050cbf6146a12122cd73f9136b)
comes after 1.1 ima-evm-utils release, so bump PV accordingly.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-04 12:17:25 -07:00
lumag
964972ea01 layer.conf: add dependency on meta-security 
ima-evm-utils recipe depends on keyutils recipe which is a part of
meta-security layer.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-08-04 12:17:25 -07:00
Armin Kuster
f63db8ce1d ima-evm-utils: update to tip 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-06-26 15:47:47 -07:00
Armin Kuster
41708b0b0c image: add image for testing 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
4970243bfc runtime qa: moderize ima test 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
7b287954f7 initramfs: clean up to pull in packages. 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
d1d4e78708 data: remove policies 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
cf0123e130 policy: add ima appraise all policy 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
1293478068 ima_policy_simple: add another sample policy 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
c84f39f8e0 ima-policy-hashed: add new recipe 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
8910674d19 base-files: add appending to automount securityfs 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
e7771ce287 linux: update bbappend 
remove untested code

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
f26869aef3 ima.cfg: update to 5.0 kernel 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
756a1649b7 ima-evm-utils: cleanup and update to tip 
update to tip
backported patches to fix build issues.
fix native support

Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
d86d3353b2 README: update 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
b2587711d1 layer.conf: add LAYERSERIES_COMPAT 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:52 -07:00
Armin Kuster
6680225c05 meta-integrity: port over from meta-intel-iot-security 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
 2019-05-28 07:38:41 -07:00