path: root/meta-integrity

Commit log. Each entry gives the commit message, then author, age (commit date), files changed and lines -removed/+added.
* base-files: only apply the bbappend if ima distro flag set
  Yi Zhao, 2018-12-08, 2 files, -5/+6

  When the meta-integrity layer is included but the feature ima is not set, we would get the following error when the system starts up:

    qemux86-64 systemd-remount-fs[81]: mount: /sys/kernel/security: mount point does not exist.
    qemux86-64 systemd-remount-fs[81]: /bin/mount for /sys/kernel/security exited with exit status 32.

  Rename base-files_%.bbappend to base-files-integrity.inc and add a new bbappend. Make sure this piece of code is applied only if the ima feature is set.

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* Maintain the stable branch sumo
  Jia Zhang, 2018-09-21, 13 files, -798/+1

  The following commits are reverted by the way:
  - meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
  - meta-intel-sgx: Initial support of linux-sgx-driver (7d4f711)
  The former is applicable to rocko only, and the latter is still experimental.

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* meta-integrity: rpm: Add back in required patches for rocko
  Tom Rini, 2018-07-31, 12 files, -0/+797

  In 59a9f43b899c ("meta-integrity: Drop RPM patches that are upstream now") we removed patches to RPM that were not required with a move up to 4.14.0 as they are upstream. However, rocko ships with an older version of RPM and still needs these patches. Add conditional logic to apply these patches only for rocko.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* layer.conf: Mark as compatible with rocko
  Tom Rini, 2018-07-25, 1 file, -1/+1

  As we also work with the 'rocko' release, list that in our LAYERSERIES_COMPAT.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* util-linux: allow -static linking for switch_root.static
  Joe Slater, 2018-07-06, 1 file, -1/+3

  Specify -no-pie to override possible -pie default.

  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* sign_rpm_ext.bbclass: fix check_rpm_public_key racing at recipe parsing time
  Hongxu Jia, 2018-05-31, 1 file, -4/+1

  All recipes will be parsed, which caused the lockfile racing issue of check_rpm_public_key:

    ...
    |WARNING: meta-secure-core/meta/recipes-core/images/secure-core-image-initramfs.bb: oe-core/bitbake/lib/bb/utils.py:400: ResourceWarning: unclosed file <_io.TextIOWrapper name='tmp-glibc/check_rpm_public_key.lock' mode='a+' encoding='UTF-8'>
    ...

  Referring to do_package_write_rpm, add check_rpm_public_key to the prefunc of do_rootfs, so only the running image recipe will invoke check_rpm_public_key.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* layer.conf: add LAYERSERIES_COMPAT
  Trevor Woerner, 2018-05-26, 1 file, -0/+2

  See https://patchwork.openembedded.org/patch/140542/

  Signed-off-by: Trevor Woerner <twoerner@gmail.com>
* sign_rpm_ext.bbclass: check rpm public key at image recipe parsing time
  Hongxu Jia, 2018-05-23, 1 file, -0/+4

  While multiple builds share a common sstate, the latter build failed to build the image because the public key was not found:

    ...
    |ERROR: initramfs-ostree-image-1.0-r0 do_rootfs: Importing GPG key failed. Command 'rpmkeys --root=<path>/rootfs --import <path>/rpm-key' returned 1:
    ...

  The latter build will not regenerate rpm packages, and check_rpm_public_key will not be invoked. Explicitly invoke check_rpm_public_key at image recipe parsing time, which makes sure the gpg public key is imported.

  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* meta-integrity, meta-signing-key: Populate the secondary keyring
  Tom Rini, 2018-05-17, 1 file, -0/+13

  Currently we provide a secondary trusted key that is signed by the primary key. We do not however DER encode this certificate. Update the key-store recipe to also make a DER encoding of this certificate and include it in the same package as the PEM version of the certificate. In the IMA init script, if we have any secondary certificate in a DER encoding, load them into the secondary keyring before we try and load the IMA keys.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* meta-integrity: init.ima: Switch to using keyctl
  Tom Rini, 2018-05-17, 2 files, -3/+5

  Rather than parse /proc/keys directly to find out the ID of the keyring that we're using, let keyctl do this for us. In order to do that we need to have /proc available as /proc, so move it around before and after working with keyctl.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* keyutils: refresh patches to fix QA warning
  Yi Zhao, 2018-04-11, 3 files, -23/+26

  Refresh the following patches:
  - keyutils-fix-the-cflags-for-all-of-targets.patch
  - keyutils_fix_x86-64_cflags.patch
  - keyutils_fix_x86_cflags.patch

  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* init.ima: Fix up the syntax error
  Jia Zhang, 2018-03-19, 1 file, -1/+1

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM
  Jia Zhang, 2018-03-19, 1 file, -1/+2

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING
  Jia Zhang, 2018-03-19, 1 file, -0/+1

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* init.ima: Fix the failure when importing the external policy from real rootfs
  Jia Zhang, 2018-03-19, 1 file, -1/+3

  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* meta-integrity: Ensure that we have CONFIG_SECURITY enabled in the kernel
  Tom Rini, 2018-02-22, 1 file, -0/+1

  To make it easier to use this layer with various BSP layers we need to ensure that we set CONFIG_SECURITY=y as that is in turn required by the rest of our features, except for CONFIG_SECURITYFS.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-integrity: Fix build problem on ima-inspect
  Tom Rini, 2018-02-17, 1 file, -1/+1

  The sources require that we have pkgconfig support as well; add the missing inherit.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* meta-integrity: Add ima-inspect utility
  Tom Rini, 2018-02-16, 2 files, -0/+12

  ima_inspect is a small program that gives a human-readable representation of the contents of the extended attributes (xattrs) that the Linux IMA security subsystem creates and manages for files.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* meta-integrity: Drop RPM patches that are upstream now
  Tom Rini, 2018-02-14, 12 files, -796/+0

  As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using rpm-4.14.0 as the base version. This includes all of the patches we had been applying.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* util-linux: Fix package name extension
  Holger Dengler, 2017-12-09, 2 files, -3/+3

  Yocto (pyro) uses the character "_" to separate the package name from the version number. If this character is used in the package name or in a package name extension, the build will fail. Replacing the "_" with one of the allowed characters fixes the problem.

  Signed-off-by: Holger Dengler <dengler@linutronix.de>

* linux-yocto: fix loading kernel module due to being stripped
  Jia Zhang, 2017-11-26, 1 file, -0/+2

  The kernel module will be stripped during do_package, including the modsign signature. Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* meta-integrity: enable modsign support in kernel
  Jia Zhang, 2017-11-21, 3 files, -5/+30

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* initrdscripts: rename expected ima certificate (#28)
  Yunguo Wei, 2017-11-12, 1 file, -1/+1

  evmctl is able to import DER format certificates only. Although *.crt doesn't mean it's a PEM certificate, *.der makes more sense.

  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* rpm: always include rpm-integrity.inc for RPM signing
  Jia Zhang, 2017-10-27, 1 file, -1/+1

  rpm-integrity is required for RPM signing, which is enabled by default.

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* meta-integrity: fix build failure caused by 6aa83f98b
  Jia Zhang, 2017-10-27, 1 file, -1/+1

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
* rpm: only apply bbappend file when ima in DISTRO_FEATURES (#27)
  Kai, 2017-10-27, 2 files, -22/+23

  Rename the bbappend file of rpm and only include it when ima is in DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes a warning during do_rootfs:

    | WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
    | [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long

  Signed-off-by: Kai Kang <kai.kang@windriver.com>
* keyutils: update to 1.5.10 (#22)
  Wenzong Fan, 2017-09-27, 3 files, -49/+57

  * rebase patches:
    - keyutils_fix_library_install.patch
    - keyutils-remove-m32-m64.patch
  * append '-Wall' to CFLAGS for fixing:

      .../recipe-sysroot/usr/include/features.h:376:4: error: \
      #warning _FORTIFY_SOURCE requires compiling with \
      optimization (-O) [-Werror=cpp]

  * cleanup alternative targets, the *keyring*.7 files have been removed from keyutils 1.5.10.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
  Jia Zhang, 2017-09-02, 3 files, -4/+3

  ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use '${COMMON_LICENSE_DIR}/MIT' for an MIT License file in LIC_FILES_CHKSUM. This will become an error in the future.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* Update BB_HASHBASE_WHITELIST
  Jia Zhang, 2017-09-01, 1 file, -0/+4

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)
  Wenzong Fan, 2017-08-24, 1 file, -0/+3

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* sign_rpm_ext: make sure all target recipes are signed
  Jia Zhang, 2017-08-24, 2 files, -24/+26

  Placing the key import logic under signing-keys cannot ensure all target recipes are always signed. Instead, place it before do_package_write_rpm.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: remove INHERIT += "sign_rpm_ext"
  Jia Zhang, 2017-08-23, 1 file, -2/+0

  This definition should be placed in local.conf.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix the race condition when concurrent import operations occur
  Jia Zhang, 2017-08-20, 1 file, -0/+1

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* encrypted-storage: use luks as the feature name for current implementation
  Jia Zhang, 2017-08-20, 1 file, -3/+3

  The encrypted-storage layer will include more security features about encrypted storage, so the term "encrypted-storage" won't be used to specify a dedicated technology term such as "LUKS".

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* signing-keys: fix gpg key import failure due to wrong option position
  Jia Zhang, 2017-08-20, 1 file, -2/+2

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: clean up
  Jia Zhang, 2017-08-20, 1 file, -3/+1

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: define the location of default gpg keyring to TMPDIR
  Jia Zhang, 2017-08-20, 1 file, -1/+1

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: fix permission warning
  Jia Zhang, 2017-08-20, 1 file, -1/+1

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix gpg key import failure
  Jia Zhang, 2017-08-20, 1 file, -2/+2

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext.bbclass: clean up
  Jia Zhang, 2017-08-19, 1 file, -9/+1

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)
  Guojian, 2017-08-19, 1 file, -8/+7

  If "GPG_PATH" is set in the init script, then the "signing-keys" get_public_keys task will fail. So the "GPG_PATH" directory should be created when "GPG_PATH" is set. The do_get_public_keys "failed to import gpg key" error information is as follows:

    ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key (layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore): gpg: fatal: can't create directory `tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory

  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)
  Guojian, 2017-08-19, 1 file, -0/+15

  The keyutils-doc package supplies some man7 files with the same names as man-pages, which will cause the rpm package installation or upgrade to fail. The keyutils-doc and man-pages rpm packages' transaction check error information is as follows:

    Running transaction test
    Error: Transaction check error:
      file /usr/share/man/man7/keyrings.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/persistent-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/process-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/thread-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/user-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
      file /usr/share/man/man7/user-session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64

  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>
* sign_rpm_ext.bbclass: use the default setting from meta-signing-key
  Jia Zhang, 2017-08-19, 2 files, -14/+3

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: set default GPG_PATH if it is not specified (#2)
  yunguowei, 2017-08-19, 1 file, -0/+15

  Commit 52bf3b6636f95a (meta-integrity: move gpg keyring initialization to signing-keys) tried to initialize the keyring in the task check_public_keys of the recipe signing-keys. However, it does work with the recipe signing-keys only, and GPG_PATH can't be passed to other recipes. We bring the python anonymous function back, and it makes sure GPG_PATH is set before signing the packages for every recipe.

  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-integrity: move gpg keyring initialization to signing-keys
  Jia Zhang, 2017-08-17, 2 files, -38/+37

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: support RPM signing
  Lans Zhang, 2017-08-17, 1 file, -6/+45

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* ima-evm-utils: support to build with openssl-1.1.x
  Lans Zhang, 2017-08-16, 2 files, -0/+300

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* README.md: update reference links
  Lans Zhang, 2017-08-16, 1 file, -2/+2

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-integrity/README.md: update
  Lans Zhang, 2017-08-16, 1 file, -12/+25

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* init.ima: clean up and allow to load extra IMA policies from the real rootfs
  Lans Zhang, 2017-08-15, 1 file, -10/+18

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>