path: root/meta-integrity/recipes-core
Commit message | Author | Age | Files | Lines
* meta-secure-core: fix wrong operator combination (Yi Zhao, 2021-11-18; 1 file changed, -1/+1)
  Operations like XXX:append += "YYY" are almost always wrong and this is a common mistake made in the metadata. Improve them to use the standard format.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-secure-core: Convert to new override syntax (Yi Zhao, 2021-08-09; 4 files changed, -10/+10)
  Converting the metadata to use ":" as the override character instead of "_".
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* util-linux: only apply the bbappend if ima distro flag set (Yi Zhao, 2019-06-26; 2 files changed, -19/+20)
  Running yocto-check-layer-wrapper to check the layer compliance for Yocto reports the following signature error:
  util-linux:do_compile: 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 -> 53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
  bitbake-diffsigs --task util-linux do_compile --signature 9c04caa1d37ca0fa0caa2f48a01912d1b3d35de2ac668c4cddd6158bbac9c374 53de68708253461d617177c02a60d0e798f5f7727c14cc8e6b9a8bbedc53de99
  Rename util-linux_%.bbappend to util-linux-integrity.inc and add a new bbappend. Make sure this piece of code is applied only if the ima feature is set.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* base-files: only apply the bbappend if ima distro flag set (Yi Zhao, 2018-12-03; 2 files changed, -5/+6)
  When the meta-integrity layer is included but the ima feature is not set, we would get the following error at system startup:
  qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
  qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.
  Rename base-files_%.bbappend to base-files-integrity.inc and add a new bbappend. Make sure this piece of code is applied only if the ima feature is set.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* key-store: rename ima private key and certificate on target (Yunguo Wei, 2018-11-07; 1 file changed, -2/+2)
  If sample keys are selected, the key-store service will deploy the IMA private key during first boot, but people may be confused if we deploy a sample private key like "xxx.crt", so this commit makes sure the key/cert on the target are consistent with the key files on the build system.
  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* util-linux: allow -static linking for switch_root.static (Joe Slater, 2018-07-06; 1 file changed, -1/+3)
  Specify -no-pie to override possible -pie default.
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* meta-integrity, meta-signing-key: Populate the secondary keyring (Tom Rini, 2018-05-17; 1 file changed, -0/+13)
  Currently we provide a secondary trusted key that is signed by the primary key. We do not however DER encode this certificate. Update the key-store recipe to also make a DER encoding of this certificate and include it in the same package as the PEM version of the certificate. In the IMA init script, if we have any secondary certificate in a DER encoding, load them into the secondary keyring before we try and load the IMA keys.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-integrity: init.ima: Switch to using keyctl (Tom Rini, 2018-05-17; 2 files changed, -3/+5)
  Rather than parse /proc/keys directly to find out the ID of the keyring that we're using, let keyctl do this for us. In order to do that we need to have /proc available as /proc, so move it around before and after working with keyctl.
  Signed-off-by: Tom Rini <trini@konsulko.com>
* init.ima: Fix up the syntax error (Jia Zhang, 2018-03-19; 1 file changed, -1/+1)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* init.ima: Fix the failure when importing the external policy from real rootfs (Jia Zhang, 2018-03-19; 1 file changed, -1/+3)
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* util-linux: Fix package name extension (Holger Dengler, 2017-12-09; 1 file changed, -2/+2)
  Yocto (pyro) uses the character "_" to separate the package name from the version number. If this character is used in the package name or in a package name extension, the build will fail. Replacing the "_" with one of the allowed characters fixes the problem.
  Signed-off-by: Holger Dengler <dengler@linutronix.de>
* initrdscripts: rename expected ima certificate (#28) (Yunguo Wei, 2017-11-12; 1 file changed, -1/+1)
  evmctl is able to import DER format certificates only. Although *.crt doesn't mean it's a PEM certificate, *.der makes more sense.
  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT (Jia Zhang, 2017-09-02; 1 file changed, -1/+1)
  ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use '${COMMON_LICENSE_DIR}/MIT' for an MIT License file in LIC_FILES_CHKSUM. This will become an error in the future.
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: make sure all target recipes are signed (Jia Zhang, 2017-08-24; 1 file changed, -24/+0)
  Placing the key import logic under signing-keys cannot ensure all target recipes are always signed. Instead, place it before do_package_write_rpm.
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix the race condition when concurrent import operations occur (Jia Zhang, 2017-08-20; 1 file changed, -0/+1)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failure due to wrong option position (Jia Zhang, 2017-08-20; 1 file changed, -2/+2)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: clean up (Jia Zhang, 2017-08-20; 1 file changed, -3/+1)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failure (Jia Zhang, 2017-08-20; 1 file changed, -2/+2)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext.bbclass: use the default setting from meta-signing-key (Jia Zhang, 2017-08-19; 1 file changed, -12/+0)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* meta-integrity: move gpg keyring initialization to signing-keys (Jia Zhang, 2017-08-17; 1 file changed, -0/+37)
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* init.ima: clean up and allow to load extra IMA policies from the real rootfs (Lans Zhang, 2017-08-15; 1 file changed, -10/+18)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* systemd: fix the conditions of PACKAGECONFIG for ima and cryptsetup (Lans Zhang, 2017-08-04; 1 file changed, -1/+1)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* systemd: enable ima and cryptsetup (Lans Zhang, 2017-08-04; 1 file changed, -0/+4)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* IMA: move the default policy file to /etc/ima directory (Lans Zhang, 2017-07-25; 1 file changed, -1/+1)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* base-file: mount securityfs (Lans Zhang, 2017-07-11; 1 file changed, -0/+1)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* Clean up RDEPENDS (Lans Zhang, 2017-07-05; 1 file changed, -1/+0)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* initrdscripts-ima: clean up code style and RDEPENDS (Lans Zhang, 2017-07-04; 1 file changed, -23/+20)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* init.ima: code style cleanup (Lans Zhang, 2017-07-04; 1 file changed, -14/+8)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* Code style fixup (Lans Zhang, 2017-07-04; 2 files changed, -5/+6)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
* meta-secure-core: initial commit (Lans Zhang, 2017-06-22; 4 files changed, -0/+196)
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>