meta-secure-core: initial commit

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

29 files changed, 1003 insertions, 0 deletions

diff --git a/meta-integrity/COPYING.MIT b/meta-integrity/COPYING.MIT
new file mode 100644
index 0000000..fb950dc
--- /dev/null
+++ b/meta-integrity/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy 
+of this software and associated documentation files (the "Software"), to deal 
+in the Software without restriction, including without limitation the rights 
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is 
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in 
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 
+THE SOFTWARE.
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
new file mode 100644
index 0000000..2efb494
--- /dev/null
+++ b/meta-integrity/README.md
@@ -0,0 +1,166 @@
+### meta-integrity
+OpenEmbedded layer for Linux integrity support
+
+#### Integrity Measurement Architecture (IMA)
+The Linux IMA subsystem introduces hooks within the Linux kernel to support
+measuring the integrity of files that are loaded (including application code)
+before it is executed or mmap()ed to memory. The measured value (hash) is then
+registered in a log that can be consulted by administrators.
+
+To support proven integrity of the files, the IMA subsystem can interact with
+the TPM chip within the system to protect the registered hashes from tampering
+by a rogue administrator or application. The IMA subsystem, as already
+supported by the Linux kernel, supports reporting on the hashes of files and
+commands ran by privileged accounts (and more if you create your own
+measurement policies).
+
+In addition, IMA appraisal can even register the measured value as an extended
+attribute, and after subsequent measurement(s) validate this extended attribute
+against the measured value and refuse to load the file (or execute the
+application) if the hash does not match. In that case, the IMA subsystem allows
+files and applications to be loaded if the hashes match (and will save the
+updated hash if the file is modified) but refuse to load it if it doesn't. This
+provides some protection against offline tampering of the files.
+
+NOTE: Extended file system attribute is required for IMA appraisal, but not
+all file systems can support it. Typically, the pseudo file systems, such as
+sysfs, proc, tmpfs and ramfs, certain disk-based file systems, such as FAT,
+and network file systems, such as NFS, don't support extended attribute,
+meaning IMA appraisal is not available with them.
+
+##### Dependency
+- meta-tpm
+  This layer provides the kernel configurations for TPM 1.x enablement.
+
+- meta-tpm2
+  This layer provides the kernel configurations for TPM 2.0 enablement.
+
+##### Use The External IMA Policy
+initramfs is a good place to run some IMA initializations, such as loading
+the IMA policy, as well as the public keys used to verify IMA signatures.
+
+###### The default external IMA policy
+The default external IMA policy enforces appraising all the executable, shared
+library, kernel modules and firmwares with the digital signature in the
+effective root identity (euid=0). Hence, the opportunity of loading the default
+external IMA policy occurs at the end of initramfs initializations, just before
+switch_root.
+
+Instead of running switch_root directly from initramfs, a statically linked
+switch_root from the real rootfs is called and it must be already signed
+properly. Otherwise, switch_root will fail to mount the real rootfs and kernel
+panic will happen due to this failure.
+
+The default external IMA policy is located at `/etc/ima_policy.default` in
+initramfs. If a custom external IMA policy file exists, the default external
+IMA policy file won't be used any more.
+
+The default external IMA policy enables the following constraint conditions:
+- Appraise the files for exec'd (the executables), files mmap'd for exec
+  (shared libraries), kernel modules and firmwares in effective root identity
+  (euid=0).
+- Enforce verifying the IMA signature when running the executables, shared
+  libraries, kernel modules and firmwares.
+- Deny to run the newly created executables, shared libraries, kernel modules
+  and firmwares.
+- Deny to run the tampered executables, shared libraries, kernel modules and
+  firmwares.
+- Deny to run any executables, shared libraries, kernel modules and firmwares
+  in the filesystems without file extended attribute supported.
+- Allow to run the manually signed executables, shared libraries, kernel
+  modules and firmwares.
+- Allow to run the updated executables, shared libraries, kernel modules and
+  firmwares during RPM installation.
+- Note the different behaviors when executing a script.
+  e.g, launching a python script with "./test.py" is allowed only when test.py
+  is signed, and launching a python script with "python test.py" is always
+  allowed as long as the python interpreter is signed.
+
+###### The custom external IMA policy
+If the default external IMA policy cannot meet the protection requirement, it
+is allowed to define the custom external IMA policy.
+
+- Deploy the custom policy file to installer image
+
+- Create `/opt/installer/sbin/config-installer.sh` in installer image
+  Define the IMA_POLICY variable, pointing to the path of policy file.
+
+The custom external IMA policy file is eventually installed to `/etc/ima_policy`
+in initramfs.
+
+##### IMA certificate & private Key
+The private key come in two flavors; one used by an installer to sign all
+regular files in rootfs and one used by RPM to re-sign the executable, shared
+library, kernel module and firmware during RPM installation. Correspondingly,
+the IMA certificate is used to verify the IMA signature signed by the private
+key.
+
+In addition, initramfs is a good place to import the IMA certificate likewise.
+
+###### The default IMA certificate & private key
+The default IMA certificate & private key are generated by the build system. By
+default, the sample keys are used for the purpose of development and
+demonstration. Please ensure you know what your risk is to use the sample keys
+in your product, because they are completely public.
+
+### Best practice
+The following best practices should be applied with using IMA.
+
+- Enable UEFI/MOK secure boot
+  UEFI/MOK secure boot can verify the integrity of initramfs, providing the
+  protection against tampering of the external IMA policy files and IMA public
+  keys stored in initramfs.
+
+- Moderate measuring
+  Measuring the files owned by non-root user may introduce malicious attack.
+  Malicious user may create lots of files with different names or trigger
+  violation conditions to generate a mass of event logs recorded in the runtime
+  measurement list, and thus exhaust the persistent kernel memory.
+
+- Performance influence
+  Moderate policy can make a good balance between the performance and security.
+  Tune the default external policy (`/etc/ima_policy.default`) and modulate the
+  custom policy for the product requirement.
+
+- Use IMA digital signature to protect the executable
+  Using the digital signature scheme DIGSIG is safer than digest-based scheme.
+  Meanwhile, use `appraise_type=imasig` in your IMA policy to enforce running
+  this.
+
+- Use the measurement and audit rules together
+  The runtime measurement list is unable to track down the order of changes for
+  a file, e.g, a file content varies in order of X -> Y -> X. However, audit log
+  can record these changes in the right order.
+
+##### Known Issues
+- The following operations may break the behavior of appraisal and cause the
+  failure of launching the executables, shared libraries, kernel modules and
+  firmwares:
+  - the syscalls used to set file last access and modification times.
+  - the syscalls used to set ownership of a file.
+  - the syscalls used to set permissions of a file.
+
+  To fix the failure, manually re-sign the affected file.
+
+  Note: RPM installation violates the IMA appraisal but its post_install
+  operation will always re-sign the affected files.
+
+- Overwriting an existing file with the same content is deemed as tampering of
+  the file.
+
+- The default IMA rules provides the ability of measuring the boot components
+  and calculating the aggregate integrity value for attesting. However, this
+  function conflicts with encrypted-storage feature which employs PCR policy
+  session to retrieve the passphrase in a safe way. If the installer enables
+  both of them, the default IMA rules will be not used.
+
+### Reference
+[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/)
+
+[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot)
+
+[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key)
+
+[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm)
+
+[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2)
diff --git a/meta-integrity/classes/rpm5-ima.bbclass b/meta-integrity/classes/rpm5-ima.bbclass
new file mode 100644
index 0000000..fbdefeb
--- /dev/null
+++ b/meta-integrity/classes/rpm5-ima.bbclass
@@ -0,0 +1,156 @@
+inherit package
+
+PACKAGEFUNCS =+ "package_ima_hook"
+
+# security.ima is generated during the RPM build, and the base64-encoded
+# value is written during RPM installation. In addition, if the private
+# key is deployed on board, re-sign the updated files during RPM
+# installation in higher priority.
+python package_ima_hook() {
+    packages = d.getVar('PACKAGES', True)
+    pkgdest = d.getVar('PKGDEST', True)
+    ima_signing_blacklist = d.getVar('IMA_SIGNING_BLACKLIST', True)
+    ima_keys_dir = d.getVar('IMA_KEYS_DIR', True)
+
+    pkg_suffix_blacklist = ('dbg', 'dev', 'doc', 'locale', 'staticdev')
+
+    pkg_blacklist = ()
+    with open(ima_signing_blacklist, 'r') as f:
+        pkg_blacklist = [ _.strip() for _ in f.readlines() ]
+        pkg_blacklist = tuple(pkg_blacklist)
+
+    import base64, pipes, stat
+
+    for pkg in packages.split():
+        if (pkg.split('-')[-1] in pkg_suffix_blacklist) is True:
+            continue
+
+        if pkg.startswith(pkg_blacklist) is True:
+            continue
+
+        bb.note("Writing IMA %%post hook for %s ..." % pkg)
+
+        pkgdestpkg = os.path.join(pkgdest, pkg)
+
+        cmd = 'evmctl ima_sign --hashalgo sha256 -n --sigfile --key %s/x509_ima.key ' % (ima_keys_dir)
+        sig_list = []
+        pkg_sig_list = []
+
+        for _ in pkgfiles[pkg]:
+            # Ignore the symbol links.
+            if os.path.islink(_):
+                continue
+
+            # IMA appraisal is only applied to the regular file.
+            if not stat.S_ISREG(os.stat(_)[stat.ST_MODE]):
+                continue
+
+            bb.note("Preparing to sign %s ..." % _)
+
+            sh_name = pipes.quote(_)
+            print("Signing command: %s" % cmd + sh_name)
+            rc, res = oe.utils.getstatusoutput(cmd + sh_name + " >/dev/null")
+            if rc:
+                bb.fatal('Calculate IMA signature for %s failed with exit code %s:\n%s' % \
+                    (_, rc, res if res else ""))
+
+            with open(_ + '.sig', 'rb') as f:
+                s = str(base64.b64encode(f.read()).decode('ascii')) + '|'
+                sig_list.append(s + os.sep + os.path.relpath(_, pkgdestpkg))
+
+            os.remove(_ + '.sig')
+
+        ima_sig_list = '&'.join(sig_list)
+
+        # When the statically linked binary is updated, use the
+        # dynamically linked one to resign or set. This situation
+        # occurs in runtime only.
+        setfattr_bin = 'setfattr.static'
+        evmctl_bin = 'evmctl.static'
+        # We don't want to create a statically linked echo program
+        # any more.
+        safe_echo = '1'
+        if pkg == 'attr-setfattr.static':
+            setfattr_bin = 'setfattr'
+        elif pkg == 'ima-evm-utils-evmctl.static':
+            evmctl_bin = 'evmctil'
+        elif pkg == 'coreutils':
+            safe_echo = '0'
+
+        # The %post is dynamically constructed according to the currently
+        # installed package and enviroment.
+        postinst = r'''#!/bin/sh
+
+# %post hook for IMA appraisal
+ima_resign=0
+sig_list="''' + ima_sig_list + r'''"
+
+if [ -z "$D" ]; then
+    evmctl_bin="${sbindir}/''' + evmctl_bin + r'''"
+    setfattr_bin="${bindir}/''' + setfattr_bin + r'''"
+
+    [ -f "/etc/keys/privkey_evm.pem" -a -x "$evmctl_bin" ] && \
+        ima_resign=1
+
+    safe_echo="''' + safe_echo + r'''"
+
+    cond_print()
+    {
+        [ $safe_echo = "1" ] && echo $1
+    }
+
+    saved_IFS="$IFS"
+    IFS="&"
+    for entry in $sig_list; do
+        IFS="|"
+
+        tokens=""
+        for token in $entry; do
+            tokens="$tokens$token|"
+        done
+
+        for sig in $tokens; do
+            break
+        done
+
+        IFS="$saved_IFS"
+
+        f="$token"
+
+        # If the filesystem doesn't support xattr, skip the following steps.
+        res=`"$setfattr_bin" -x security.ima "$f" 2>&1 | grep "Operation not supported$"`
+        [ x"$res" != x"" ] && {
+            cond_print "Current file system doesn't support to set xattr"
+            break
+        }
+
+        if [ $ima_resign -eq 0 ]; then
+            cond_print "Setting up security.ima for $f ..."
+
+            "$setfattr_bin" -n security.ima -v "0s$sig" "$f" || {
+                err=$?
+                cond_print "Unable to set up security.ima for $f (err: $err)"
+                exit 1
+            }
+        else
+            cond_print "IMA signing for $f ..."
+
+            "$evmctl_bin" ima_sign --hashalgo sha256 "$f" || {
+                err=$?
+                cond_print "Unable to sign $f (err: $err)"
+                exit 1
+            }
+        fi
+
+        IFS="&"
+    done
+
+    IFS="$saved_IFS"
+fi
+
+'''
+        postinst = postinst + (d.getVar('pkg_postinst_%s' % pkg, True) or '')
+        d.setVar('pkg_postinst_%s' % pkg, postinst)
+}
+
+do_package[depends] += "ima-evm-utils-native:do_populate_sysroot"
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
new file mode 100644
index 0000000..f3c00e0
--- /dev/null
+++ b/meta-integrity/conf/layer.conf
@@ -0,0 +1,19 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+        ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "integrity"
+BBFILE_PATTERN_integrity = "^${LAYERDIR}/"
+BBFILE_PRIORITY_integrity = "10"
+
+IMA_SIGNING_BLACKLIST ??= "${LAYERDIR}/files/ima_signing_blacklist"
+
+LAYERDEPENDS_integrity = "\
+    core \
+    signing-key \
+    tpm2 \
+    tpm \
+"
diff --git a/meta-integrity/files/ima_signing_blacklist b/meta-integrity/files/ima_signing_blacklist
new file mode 100644
index 0000000..276a7bc
--- /dev/null
+++ b/meta-integrity/files/ima_signing_blacklist
@@ -0,0 +1 @@
+kernel-devsrc
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb
new file mode 100644
index 0000000..89cb120
--- /dev/null
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb
@@ -0,0 +1,12 @@
+DESCRIPTION = "Linux Integrity Measurement Architecture (IMA) subsystem for initramfs"
+
+include packagegroup-ima.inc
+
+RDEPENDS_${PN} += " \
+    util-linux-mount \
+    util-linux-umount \
+    gawk \
+    ima-policy \
+    key-store-ima-cert \
+    initrdscripts-ima \
+"
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
new file mode 100644
index 0000000..e10300e
--- /dev/null
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Linux Integrity Measurement Architecture (IMA) subsystem"
+
+include packagegroup-ima.inc
+
+DEPENDS += " \
+    ima-evm-utils-native \
+    attr-native \
+"
+
+RDEPENDS_${PN} += " \
+    attr \
+    util-linux-switch_root.static \
+    attr-setfattr.static \
+    ima-evm-utils-evmctl.static \
+"
+
+# Note any private key is not available if user key signing model used.
+RRECOMMENDS_${PN} += " \
+    key-store-ima-privkey \
+    key-store-system-trusted-privkey \
+"
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
new file mode 100644
index 0000000..64829dc
--- /dev/null
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
@@ -0,0 +1,13 @@
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+S = "${WORKDIR}"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+    ima-evm-utils \
+    coreutils \
+    grep \
+"
diff --git a/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..2636dad
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+# Append iversion option for auto types
+do_install_append() {
+    sed -i 's/\s*auto\s*defaults/&,iversion/' ${D}${sysconfdir}/fstab
+}
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
new file mode 100755
index 0000000..1e92ba2
--- /dev/null
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+# Initramfs script for IMA initialzation
+#
+# This script is a halper used to load the external
+# IMA policy and public keys used to verify the IMA
+# signature.
+#
+# Copyright (c) 2017, Jia Zhang <lans.zhang2008@gmail.com>
+# All rights reserved.
+# 
+# See "LICENSE" for license terms.
+
+# Exit code:
+# 0 - IMA initialiazation complete
+# 1 - Kernel doesn't support securityfs
+# 2 - Kernel doesn't support IMA
+# 3 - There is no public key to load
+# 4 - There is no IMA policy file defined
+# 5 - Unable to load IMA policy file
+
+# If root directory is not specified, the root of
+# initramfs assumed.
+ROOT_DIR="${1}"
+
+SECURITYFS_DIR="${ROOT_DIR}/sys/kernel/security"
+
+# The policy files are always placed in initramfs
+IMA_POLICY=/etc/ima_policy
+
+SECURITYFS_MOUNTED=0
+
+function print_critical
+{
+    printf "\033[1;35m"
+    echo "$@"
+    printf "\033[0m"
+}
+
+function print_error
+{
+    printf "\033[1;31m"
+    echo "$@"
+    printf "\033[0m"
+}
+
+function print_warning
+{
+    printf "\033[1;33m"
+    echo "$@"
+    printf "\033[0m"
+}
+
+function print_info
+{
+    printf "\033[1;32m"
+    echo "$@"
+    printf "\033[0m"
+}
+
+function print_verbose
+{
+    printf "\033[1;36m"
+    echo "$@"
+    printf "\033[0m"
+}
+
+function trap_handler
+{
+    local err=$?
+
+    print_verbose "Cleaning up with exit code $err ..."
+
+    [ $SECURITYFS_MOUNTED -eq 1 ] &&
+        umount "$SECURITYFS_DIR" 2>"${ROOT_DIR}/dev/null"
+}
+
+trap "trap_handler $?" SIGINT EXIT
+
+if grep -q "ima_appraise=off" "${ROOT_DIR}/proc/cmdline"; then
+    print_info "Skip to load the public key and IMA policy"
+    exit 0
+fi
+
+if ! grep -q securityfs "${ROOT_DIR}/proc/mounts"; then
+   ! mount -t securityfs none "$SECURITYFS_DIR" 2>"${ROOT_DIR}/dev/null" && {
+       print_error "Unable to mount securityfs filesystem"
+       exit 1
+   }
+   SECURITYFS_MOUNTED=1
+   securityfs_dir="$SECURITYFS_DIR"
+else
+   securityfs_dirs="$(grep securityfs ${ROOT_DIR}/proc/mounts | awk '{print $2}')"
+
+   # Use the first one.
+   for securityfs_dir in "$securityfs_dirs"; do
+       break
+   done
+fi
+
+[ ! -d "$securityfs_dir/ima" ] &&
+    print_info "IMA is not enabled. Exiting ..." && exit 2
+
+keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
+
+for key in ${ROOT_DIR}/etc/keys/x509_evm*.pem; do
+    [ ! -s "$key" ] && continue
+
+    if ! evmctl import "$key" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
+        print_critical "Unable to load the public key $key for IMA appraisal"
+    else
+        print_verbose "The external public key $key loaded for IMA appraisal"
+    fi
+done
+
+# Attempt to load the default policy.
+[ ! -f "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
+
+[ ! -f "${IMA_POLICY}" ] && {
+    print_warning "No IMA policy file defined"
+    exit 4
+}
+
+cat "${IMA_POLICY}" > "$securityfs_dir/ima/policy" && {
+    exit 0
+} || {
+    print_critical "Unable to load the IMA policy ${IMA_POLICY}"
+    exit 5
+}
diff --git a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
new file mode 100644
index 0000000..3860be2
--- /dev/null
+++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
@@ -0,0 +1,47 @@
+DESCRIPTION = "The initrd script for Linux Integrity Measurement Architecture (IMA)"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+S = "${WORKDIR}"
+
+ALLOW_EMPTY_${PN} = "1"
+
+SRC_URI = "\
+    file://init.ima \
+"
+
+do_install() {
+    if [ x"${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}" = x"1" ]; then
+        install -m 0500 ${WORKDIR}/init.ima ${D}
+    fi
+}
+
+FILES_${PN} += " \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', '/init.ima', '', d)} \
+"
+
+# Install the minimal stuffs only, and don't care how the external
+# environment is configured.
+# @bash: sh
+# @coreutils: echo, mkdir, mknod, dirname, basename, cp, rm, sleep
+#             seq, printf, cut
+# @grep: grep
+# @gawk: awk
+# @kmod: modprobe, depmod
+# @net-tools: ifconfig
+# @trousers: tcsd
+# @procps: pkill
+# @util-linux: blkid, mount, umount
+RDEPENDS_${PN} += "\
+    bash \
+    coreutils \
+    grep \
+    gawk \
+    kmod \
+    net-tools \
+    procps \
+    util-linux-blkid \
+    util-linux-mount \
+    util-linux-umount \
+"
diff --git a/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend b/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend
new file mode 100644
index 0000000..1728f2e
--- /dev/null
+++ b/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend
@@ -0,0 +1,16 @@
+PACKAGES =+ "${PN}-switch_root.static"
+
+CFLAGS_remove += "-pie -fpie"
+
+do_compile_append_class-target() {
+    ${CC} ${CFLAGS} ${LDFLAGS} -static \
+        sys-utils/switch_root.o \
+        -o switch_root.static
+}
+
+do_install_append_class-target() {
+    install -d ${D}${sbindir}
+    install -m 0700 ${B}/switch_root.static ${D}${sbindir}/switch_root.static
+}
+
+FILES_${PN}-switch_root.static = "${sbindir}/switch_root.static"
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
new file mode 100644
index 0000000..8c08a45
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
+
+DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
+# key-store-ima-cert is required in runtime but we hope it is available
+# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
+
+SRC_URI += " \
+    ${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+"
+
+do_configure_append() {
+    [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ] &&
+        openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
+            -outform DER -out "${B}/system_trusted_cert.x509" ||
+        true
+}
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
new file mode 100644
index 0000000..685d15c
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
@@ -0,0 +1 @@
+include linux-yocto-integrity.inc
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
new file mode 100644
index 0000000..073197a
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -0,0 +1,35 @@
+..........................................................................
+.                                WARNING
+.
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file.  The final kernel configuration is made up of
+. an assembly of processed fragments, each of which is designed to
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration).  For more information on kernel configuration, please
+. consult the product documentation.
+.
+..........................................................................
+
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE=y is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_APPRAISE=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY_AUDIT=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
new file mode 100644
index 0000000..c43e1c4
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
+define KFEATURE_COMPATIBILITY board
+
+kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
new file mode 100644
index 0000000..685d15c
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -0,0 +1 @@
+include linux-yocto-integrity.inc
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch
new file mode 100644
index 0000000..db006c0
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch
@@ -0,0 +1,27 @@
+From b5bc04d9062a69e116ed60ad540b56cd057d47d1 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Tue, 27 Dec 2016 14:25:58 +0800
+Subject: [PATCH] Don't build man pages
+
+Too many external tools are required to build the man pages. We don't
+need them anyway.
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 06ebf59..e527f34 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,5 +1,4 @@
+ SUBDIRS = src
+-dist_man_MANS = evmctl.1
+ 
+ doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+ EXTRA_DIST = autogen.sh $(doc_DATA)
+-- 
+2.7.4
+
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch
new file mode 100644
index 0000000..545be42
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch
@@ -0,0 +1,28 @@
+From 412f60bbd5a7ed1eac7051bd2947d5fc0c95e86b Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Thu, 12 Jan 2017 16:55:03 +0800
+Subject: [PATCH] Install evmctl to $sbindir rather than $bindir
+
+Setting security.ima requires sys_admin capability.
+
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index deb18fb..aa8f666 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -9,7 +9,7 @@ libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
+ 
+ include_HEADERS = imaevm.h
+ 
+-bin_PROGRAMS = evmctl
++sbin_PROGRAMS = evmctl
+ 
+ evmctl_SOURCES = evmctl.c
+ evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
+-- 
+2.7.4
+
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb
new file mode 100644
index 0000000..c1278a9
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb
@@ -0,0 +1,41 @@
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+SRC_URI = " \
+        git://git.code.sf.net/p/linux-ima/ima-evm-utils \
+        file://0001-Don-t-build-man-pages.patch \
+        file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \
+"
+SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7"
+PV = "1.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+PACKAGES =+ "${PN}-evmctl.static"
+
+DEPENDS += "openssl attr keyutils"
+RDEPENDS_${PN}_class-target += "libcrypto libattr keyutils"
+
+inherit pkgconfig autotools
+
+# Specify any options you want to pass to the configure script using EXTRA_OECONF:
+EXTRA_OECONF = ""
+
+CFLAGS_remove += "-pie -fpie"
+
+do_compile_append_class-target() {
+    ${CC} ${CFLAGS} ${LDFLAGS} -static \
+        -include config.h -L=${libdir} \
+        -Wl,--start-group -lcrypto -lkeyutils -ldl \
+        ${S}/src/evmctl.c ${S}/src/libimaevm.c \
+        -Wl,--end-group -o ${B}/src/evmctl.static
+}
+
+do_install_append_class-target() {
+    install -m 0700 ${B}/src/evmctl.static ${D}${sbindir}/evmctl.static
+}
+
+FILES_${PN}-dev += "${includedir}"
+FILES_${PN}-evmctl.static = "${sbindir}/evmctl.static"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-support/ima-policy/files/ima_policy.default b/meta-integrity/recipes-support/ima-policy/files/ima_policy.default
new file mode 100644
index 0000000..5d4ae47
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-policy/files/ima_policy.default
@@ -0,0 +1,24 @@
+# The default external IMA policy
+
+# Don't appraise any file opened.
+# However, we cannot write down such a rule,
+#     dont_appraise func=FILE_CHECK
+#
+# because this rule will accidently cause the security.ima
+# being deleted in post_setattr() path. In fact, this is a
+# real bug in policy engine when handling post_setattr()
+# hook. The failure can be triggered in such a way:
+# touch /bin/ls
+# /bin/ls <- permission denied
+
+# Reduce performance loss
+# audit func=FILE_CHECK fowner=0 mask=^MAY_READ
+# measure func=FILE_CHECK fowner=0 mask=^MAY_READ
+
+appraise func=MMAP_CHECK euid=0 appraise_type=imasig
+
+appraise func=BPRM_CHECK euid=0 appraise_type=imasig
+
+appraise func=MODULE_CHECK euid=0 appraise_type=imasig
+
+appraise func=FIRMWARE_CHECK euid=0 appraise_type=imasig
diff --git a/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb b/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb
new file mode 100644
index 0000000..982717a
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "The default external IMA policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = " \
+           file://ima_policy.default \
+          "
+
+S = "${WORKDIR}"
+
+do_install() {
+    install -d "${D}${sysconfdir}"
+    install -m 0400 "${WORKDIR}/ima_policy.default" \
+        "${D}${sysconfdir}"
+}
+
+FILES_${PN} = "${sysconfdir}"
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch
new file mode 100644
index 0000000..11be1e1
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch
@@ -0,0 +1,28 @@
+From 1cc17e3c8b1f73db43011775292396338f932a20 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui at cn.fujitsu.com>
+Date: Mon, 17 Aug 2015 15:30:40 +0900
+Subject: [PATCH] keyutils fix powerpc cflags
+
+---
+ Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 82e1a0f..0746c82 100644
+--- a/Makefile
++++ b/Makefile
+@@ -65,12 +65,10 @@ BUILDFOR    := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-
+ LNS              := ln -sf
+ 
+ ifeq ($(BUILDFOR),32-bit)
+-CFLAGS         += -m32
+ LIBDIR            := /usr/lib
+ USRLIBDIR                 := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+-CFLAGS         += -m64
+ LIBDIR            := /usr/lib
+ USRLIBDIR                 := /usr/lib
+ endif
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch
new file mode 100644
index 0000000..77cf528
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch
@@ -0,0 +1,32 @@
+From 8a1331d4abf9a96ee65e5fb31a00c7a2e0eed7c8 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui at cn.fujitsu.com>
+Date: Mon, 17 Aug 2015 13:53:28 +0900
+Subject: [PATCH] fix the cflags for all of targets.
+
+Signed-off-by: Lei Maohui <leimaohui at cn.fujitsu.com>
+---
+ Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index e2d7e2d..82e1a0f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -64,7 +64,6 @@ BUILDFOR      := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-
+ 
+ LNS            := ln -sf
+ 
+-ifeq ($(origin CFLAGS),undefined)
+ ifeq ($(BUILDFOR),32-bit)
+ CFLAGS         += -m32
+ LIBDIR            := /usr/lib
+@@ -76,7 +75,6 @@ LIBDIR     := /usr/lib
+ USRLIBDIR      := /usr/lib
+ endif
+ endif
+-endif
+ 
+ ###############################################################################
+ #
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch
new file mode 100644
index 0000000..a049fd2
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch
@@ -0,0 +1,19 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile        2011-12-20 11:05:10.000000000 +0200
++++ keyutils-1.5.5/Makefile     2011-12-20 11:06:27.000000000 +0200
+@@ -58,12 +58,12 @@
+ LNS            := ln -sf
+ 
+ ifeq ($(BUILDFOR),32-bit)
+-CFLAGS         += -m32
++#CFLAGS                += -m32
+ LIBDIR         := /usr/lib
+ USRLIBDIR      := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+-CFLAGS         += -m64
++#CFLAGS                += -m64
+ LIBDIR         := /usr/lib
+ USRLIBDIR      := /usr/lib
+ endif
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch
new file mode 100644
index 0000000..adf0643
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch
@@ -0,0 +1,30 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile        2011-11-30 17:27:43.000000000 +0200
++++ keyutils-1.5.5/Makefile     2011-12-21 16:05:53.000000000 +0200
+@@ -59,13 +59,13 @@
+ 
+ ifeq ($(BUILDFOR),32-bit)
+ CFLAGS         += -m32
+-LIBDIR         := /lib
++LIBDIR         := /usr/lib
+ USRLIBDIR      := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+ CFLAGS         += -m64
+-LIBDIR         := /lib64
+-USRLIBDIR      := /usr/lib64
++LIBDIR         := /usr/lib
++USRLIBDIR      := /usr/lib
+ endif
+ endif
+ 
+@@ -152,7 +152,7 @@
+        $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+        $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+        mkdir -p $(DESTDIR)$(USRLIBDIR)
+-       $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
++       $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+        $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
+        $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
+        $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
new file mode 100644
index 0000000..b0c2d92
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
@@ -0,0 +1,24 @@
+From d3b6b98984a28e782cb22dc6c7bd0ea9a0e74f15 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui at cn.fujitsu.com>
+Date: Mon, 17 Aug 2015 15:53:02 +0900
+Subject: [PATCH] keyutils fix x86-64 cflags
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 82e1a0f..23aa466 100644
+--- a/Makefile
++++ b/Makefile
+@@ -60,7 +60,7 @@ endif
+ ifeq ($(origin USRLIBDIR),undefined)
+ USRLIBDIR      := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+ endif
+-BUILDFOR       := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR       := 64-bit
+ 
+ LNS            := ln -sf
+ 
+--
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch
new file mode 100644
index 0000000..f5d5f70
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch
@@ -0,0 +1,24 @@
+From 3263917382af02e61f12f3774c32d3324a57059f Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui at cn.fujitsu.com>
+Date: Mon, 17 Aug 2015 11:48:22 +0900
+Subject: [PATCH] keyutils fix x86 cflags
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index e2d7e2d..f05bada 100644
+--- a/Makefile
++++ b/Makefile
+@@ -60,7 +60,7 @@ endif
+ ifeq ($(origin USRLIBDIR),undefined)
+ USRLIBDIR      := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+ endif
+-BUILDFOR       := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR       := 32-bit
+ 
+ LNS            := ln -sf
+ 
+--
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb b/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb
new file mode 100644
index 0000000..64e0365
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb
@@ -0,0 +1,48 @@
+SUMMARY = "Linux Key Management Utilities"
+DESCRIPTION = "Keyutils is a set of utilities for managing the key retention \
+facility in the kernel, which can be used by filesystems, block devices and \
+more to gain and retain the authorization and encryption keys required to \
+perform secure operations."
+SECTION = "base"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45"
+
+PR = "r1"
+
+SRCREV = "9209a0c8fd63afc59f644e078b40cec531409c30"
+
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=git \
+          file://keyutils_fix_library_install.patch \
+          file://keyutils-fix-the-cflags-for-all-of-targets.patch \
+          "
+SRC_URI_append_arm = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_aarch64 = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_mips = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_mips64 = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_x86 = " file://keyutils_fix_x86_cflags.patch"
+SRC_URI_append_x86-64 = " file://keyutils_fix_x86-64_cflags.patch"
+SRC_URI_append_powerpc = "file://keyutils-fix-powerpc-cflags.patch"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep
+
+INSTALL_FLAGS = " \
+    LIBDIR=${libdir} \
+    USRLIBDIR=${libdir} \
+    BINDIR=${bindir} \
+    SBINDIR=${sbindir} \
+    ETCDIR=${sysconfdir} \
+    SHAREDIR=${datadir} \
+    MANDIR=${mandir} \
+    INCLUDEDIR=${includedir} \
+    DESTDIR=${D} \
+"
+
+do_install() {
+    cd ${S} && oe_runmake ${INSTALL_FLAGS} install
+}
+
+FILES_${PN} += "${datadir}/request-key-debug.sh"
+
+BBCLASSEXTEND = "native nativesdk"