mirror of
https://git.yoctoproject.org/meta-security
synced 2026-06-05 02:20:50 +00:00
niko.mauno@vaisala.com
4cf81a5847
In order to ensure that the bundled initramfs always contains the most recently generated DM_VERITY_IMAGE specific root filesystems' root hash, we disable the timestamp for do_rootfs() task here, meaning that the task will be re-executed whenever some task that depends on it executes. Without this change, executing e.g. the following sequence $ bitbake <DM_VERITY_IMAGE> $ bitbake -c clean <DM_VERITY_IMAGE> $ bitbake <DM_VERITY_IMAGE> results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like Mounting /dev/vda over dm-verity as the root filesystem [ 8.729974] device-mapper: verity: sha256 using implementation sha256-generic [ 8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read Verity device detected corruption after activation. [ 8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read ... [ 9.135707] EXT4-fs (dm-0): unable to read superblock [ 9.142897] EXT4-fs (dm-0): unable to read superblock [ 9.145393] EXT4-fs (dm-0): unable to read superblock [ 9.147905] FAT-fs (dm-0): unable to read boot sector mount: /new_root: can't read superblock on /dev/mapper/rootfs. BusyBox v1.32.0 () multi-call binary. Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS] [ 9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1 [ 9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 ... [ 9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Meta-security
=============
This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.
Dependencies
============
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
branch: master
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
branch: master
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-perl
branch: master
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-python
branch: master
revision: HEAD
prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-networking
branch: master
revision: HEAD
prio: default
Adding the security layer to your build
========================================
In order to use this layer, you need to make the build system aware of
it.
Assuming the security layer exists at the top-level of your
yocto build tree, you can add it to the build system by adding the
location of the security layer to bblayers.conf, along with any
other layers needed. e.g.:
BBLAYERS ?= " \
/path/to/oe-core/meta \
/path/to/meta-openembedded/meta-oe \
/path/to/meta-openembedded/meta-perl \
/path/to/meta-openembedded/meta-python \
/path/to/meta-openembedded/meta-networking \
/path/to/layer/meta-security \
Maintenance
-----------
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
These values can be set as defaults for this repository:
$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
For pull requests, please use create-pull-request and send-pull-request.
Maintainers: Armin Kuster <akuster808@gmail.com>
License
=======
All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.