From 1b3e5944491c315ca99b832bc3afdb6a19d81430 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Thu, 22 Jun 2017 15:22:01 +0800 Subject: meta-secure-core: initial commit 
Signed-off-by: Lans Zhang --- meta-integrity/COPYING.MIT | 17 +++ meta-integrity/README.md | 166 +++++++++++++++++++++ meta-integrity/classes/rpm5-ima.bbclass | 156 +++++++++++++++++++ meta-integrity/conf/layer.conf | 19 +++ meta-integrity/files/ima_signing_blacklist | 1 + .../packagegroups/packagegroup-ima-initramfs.bb | 12 ++ .../recipes-base/packagegroups/packagegroup-ima.bb | 21 +++ .../packagegroups/packagegroup-ima.inc | 13 ++ .../recipes-core/base-files/base-files_%.bbappend | 4 + .../recipes-core/initrdscripts/files/init.ima | 129 ++++++++++++++++ .../initrdscripts/initrdscripts-ima.bb | 47 ++++++ .../recipes-core/util-linux/util-linux_%.bbappend | 16 ++ .../recipes-kernel/linux/linux-yocto-integrity.inc | 18 +++ .../linux/linux-yocto-rt_4.%.bbappend | 1 + .../recipes-kernel/linux/linux-yocto/ima.cfg | 35 +++++ .../recipes-kernel/linux/linux-yocto/ima.scc | 4 + .../recipes-kernel/linux/linux-yocto_4.%.bbappend | 1 + .../ima-evm-utils/0001-Don-t-build-man-pages.patch | 27 ++++ ...tall-evmctl-to-sbindir-rather-than-bindir.patch | 28 ++++ .../ima-evm-utils/ima-evm-utils_git.bb | 41 +++++ .../ima-policy/files/ima_policy.default | 24 +++ .../recipes-support/ima-policy/ima-policy_0.1.bb | 18 +++ .../keyutils/keyutils-fix-powerpc-cflags.patch | 28 ++++ ...eyutils-fix-the-cflags-for-all-of-targets.patch | 32 ++++ .../keyutils/keyutils-remove-m32-m64.patch | 19 +++ .../keyutils/keyutils_fix_library_install.patch | 30 ++++ .../keyutils/keyutils_fix_x86-64_cflags.patch | 24 +++ .../keyutils/keyutils_fix_x86_cflags.patch | 24 +++ .../recipes-support/keyutils/keyutils_1.5.9.bb | 48 ++++++ 29 files changed, 1003 insertions(+) create mode 100644 meta-integrity/COPYING.MIT create mode 100644 meta-integrity/README.md create mode 100644 meta-integrity/classes/rpm5-ima.bbclass create mode 100644 meta-integrity/conf/layer.conf create mode 100644 meta-integrity/files/ima_signing_blacklist create mode 100644 meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb 
create mode 100644 meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb create mode 100644 meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend create mode 100755 meta-integrity/recipes-core/initrdscripts/files/init.ima create mode 100644 meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb create mode 100644 meta-integrity/recipes-core/util-linux/util-linux_%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend create mode 100644 meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch create mode 100644 meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch create mode 100644 meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb create mode 100644 meta-integrity/recipes-support/ima-policy/files/ima_policy.default create mode 100644 meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch create mode 100644 meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch create 
mode 100644 meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb (limited to 'meta-integrity') diff --git a/meta-integrity/COPYING.MIT b/meta-integrity/COPYING.MIT new file mode 100644 index 0000000..fb950dc --- /dev/null +++ b/meta-integrity/COPYING.MIT @@ -0,0 +1,17 @@ +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/meta-integrity/README.md b/meta-integrity/README.md new file mode 100644 index 0000000..2efb494 --- /dev/null +++ b/meta-integrity/README.md 
@@ -0,0 +1,166 @@ +### meta-integrity +OpenEmbedded layer for Linux integrity support + +#### Integrity Measurement Architecture (IMA) +The Linux IMA subsystem introduces hooks within the Linux kernel to support +measuring the integrity of files that are loaded (including application code) +before it is executed or mmap()ed to memory. The measured value (hash) is then +registered in a log that can be consulted by administrators. + +To support proven integrity of the files, the IMA subsystem can interact with +the TPM chip within the system to protect the registered hashes from tampering +by a rogue administrator or application. The IMA subsystem, as already +supported by the Linux kernel, supports reporting on the hashes of files and +commands ran by privileged accounts (and more if you create your own +measurement policies). + +In addition, IMA appraisal can even register the measured value as an extended +attribute, and after subsequent measurement(s) validate this extended attribute +against the measured value and refuse to load the file (or execute the +application) if the hash does not match. In that case, the IMA subsystem allows +files and applications to be loaded if the hashes match (and will save the +updated hash if the file is modified) but refuse to load it if it doesn't. This +provides some protection against offline tampering of the files. + +NOTE: Extended file system attribute is required for IMA appraisal, but not +all file systems can support it. Typically, the pseudo file systems, such as +sysfs, proc, tmpfs and ramfs, certain disk-based file systems, such as FAT, +and network file systems, such as NFS, don't support extended attribute, +meaning IMA appraisal is not available with them. + +##### Dependency +- meta-tpm + This layer provides the kernel configurations for TPM 1.x enablement. + +- meta-tpm2 + This layer provides the kernel configurations for TPM 2.0 enablement. 
+ +##### Use The External IMA Policy +initramfs is a good place to run some IMA initializations, such as loading +the IMA policy, as well as the public keys used to verify IMA signatures. + +###### The default external IMA policy +The default external IMA policy enforces appraising all the executable, shared +library, kernel modules and firmwares with the digital signature in the +effective root identity (euid=0). Hence, the opportunity of loading the default +external IMA policy occurs at the end of initramfs initializations, just before +switch_root. + +Instead of running switch_root directly from initramfs, a statically linked +switch_root from the real rootfs is called and it must be already signed +properly. Otherwise, switch_root will fail to mount the real rootfs and kernel +panic will happen due to this failure. + +The default external IMA policy is located at `/etc/ima_policy.default` in +initramfs. If a custom external IMA policy file exists, the default external +IMA policy file won't be used any more. + +The default external IMA policy enables the following constraint conditions: +- Appraise the files for exec'd (the executables), files mmap'd for exec + (shared libraries), kernel modules and firmwares in effective root identity + (euid=0). +- Enforce verifying the IMA signature when running the executables, shared + libraries, kernel modules and firmwares. +- Deny to run the newly created executables, shared libraries, kernel modules + and firmwares. +- Deny to run the tampered executables, shared libraries, kernel modules and + firmwares. +- Deny to run any executables, shared libraries, kernel modules and firmwares + in the filesystems without file extended attribute supported. +- Allow to run the manually signed executables, shared libraries, kernel + modules and firmwares. +- Allow to run the updated executables, shared libraries, kernel modules and + firmwares during RPM installation. +- Note the different behaviors when executing a script. 
+ e.g, launching a python script with "./test.py" is allowed only when test.py + is signed, and launching a python script with "python test.py" is always + allowed as long as the python interpreter is signed. + +###### The custom external IMA policy +If the default external IMA policy cannot meet the protection requirement, it +is allowed to define the custom external IMA policy. + +- Deploy the custom policy file to installer image + +- Create `/opt/installer/sbin/config-installer.sh` in installer image + Define the IMA_POLICY variable, pointing to the path of policy file. + +The custom external IMA policy file is eventually installed to `/etc/ima_policy` +in initramfs. + +##### IMA certificate & private Key +The private key come in two flavors; one used by an installer to sign all +regular files in rootfs and one used by RPM to re-sign the executable, shared +library, kernel module and firmware during RPM installation. Correspondingly, +the IMA certificate is used to verify the IMA signature signed by the private +key. + +In addition, initramfs is a good place to import the IMA certificate likewise. + +###### The default IMA certificate & private key +The default IMA certificate & private key are generated by the build system. By +default, the sample keys are used for the purpose of development and +demonstration. Please ensure you know what your risk is to use the sample keys +in your product, because they are completely public. + +### Best practice +The following best practices should be applied with using IMA. + +- Enable UEFI/MOK secure boot + UEFI/MOK secure boot can verify the integrity of initramfs, providing the + protection against tampering of the external IMA policy files and IMA public + keys stored in initramfs. + +- Moderate measuring + Measuring the files owned by non-root user may introduce malicious attack. 
+ Malicious user may create lots of files with different names or trigger + violation conditions to generate a mass of event logs recorded in the runtime + measurement list, and thus exhaust the persistent kernel memory. + +- Performance influence + Moderate policy can make a good balance between the performance and security. + Tune the default external policy (`/etc/ima_policy.default`) and modulate the + custom policy for the product requirement. + +- Use IMA digital signature to protect the executable + Using the digital signature scheme DIGSIG is safer than digest-based scheme. + Meanwhile, use `appraise_type=imasig` in your IMA policy to enforce running + this. + +- Use the measurement and audit rules together + The runtime measurement list is unable to track down the order of changes for + a file, e.g, a file content varies in order of X -> Y -> X. However, audit log + can record these changes in the right order. + +##### Known Issues +- The following operations may break the behavior of appraisal and cause the + failure of launching the executables, shared libraries, kernel modules and + firmwares: + - the syscalls used to set file last access and modification times. + - the syscalls used to set ownership of a file. + - the syscalls used to set permissions of a file. + + To fix the failure, manually re-sign the affected file. + + Note: RPM installation violates the IMA appraisal but its post_install + operation will always re-sign the affected files. + +- Overwriting an existing file with the same content is deemed as tampering of + the file. + +- The default IMA rules provides the ability of measuring the boot components + and calculating the aggregate integrity value for attesting. However, this + function conflicts with encrypted-storage feature which employs PCR policy + session to retrieve the passphrase in a safe way. If the installer enables + both of them, the default IMA rules will be not used. 
+ +### Reference +[IMA wiki page](https://sourceforge.net/p/linux-ima/wiki/Home/) + +[OpenEmbedded layer for EFI Secure Boot](https://github.com/jiazhang0/meta-efi-secure-boot) + +[OpenEmbedded layer for signing key management](https://github.com/jiazhang0/meta-signing-key) + +[OpenEmbedded layer for TPM 1.x](https://github.com/jiazhang0/meta-tpm) + +[OpenEmbedded layer for TPM 2.0](https://github.com/jiazhang0/meta-tpm2) diff --git a/meta-integrity/classes/rpm5-ima.bbclass b/meta-integrity/classes/rpm5-ima.bbclass new file mode 100644 index 0000000..fbdefeb --- /dev/null +++ b/meta-integrity/classes/rpm5-ima.bbclass 
@@ -0,0 +1,156 @@ +inherit package + +PACKAGEFUNCS =+ "package_ima_hook" + +# security.ima is generated during the RPM build, and the base64-encoded +# value is written during RPM installation. In addition, if the private +# key is deployed on board, re-sign the updated files during RPM +# installation in higher priority. +python package_ima_hook() { + packages = d.getVar('PACKAGES', True) + pkgdest = d.getVar('PKGDEST', True) + ima_signing_blacklist = d.getVar('IMA_SIGNING_BLACKLIST', True) + ima_keys_dir = d.getVar('IMA_KEYS_DIR', True) + + pkg_suffix_blacklist = ('dbg', 'dev', 'doc', 'locale', 'staticdev') + + pkg_blacklist = () + with open(ima_signing_blacklist, 'r') as f: + pkg_blacklist = [ _.strip() for _ in f.readlines() ] + pkg_blacklist = tuple(pkg_blacklist) + + import base64, pipes, stat + + for pkg in packages.split(): + if (pkg.split('-')[-1] in pkg_suffix_blacklist) is True: + continue + + if pkg.startswith(pkg_blacklist) is True: + continue + + bb.note("Writing IMA %%post hook for %s ..." % pkg) + + pkgdestpkg = os.path.join(pkgdest, pkg) + + cmd = 'evmctl ima_sign --hashalgo sha256 -n --sigfile --key %s/x509_ima.key ' % (ima_keys_dir) + sig_list = [] + pkg_sig_list = [] + + for _ in pkgfiles[pkg]: + # Ignore the symbol links. + if os.path.islink(_): + continue + + # IMA appraisal is only applied to the regular file. + if not stat.S_ISREG(os.stat(_)[stat.ST_MODE]): + continue + + bb.note("Preparing to sign %s ..." 
% _) + + sh_name = pipes.quote(_) + print("Signing command: %s" % cmd + sh_name) + rc, res = oe.utils.getstatusoutput(cmd + sh_name + " >/dev/null") + if rc: + bb.fatal('Calculate IMA signature for %s failed with exit code %s:\n%s' % \ + (_, rc, res if res else "")) + + with open(_ + '.sig', 'rb') as f: + s = str(base64.b64encode(f.read()).decode('ascii')) + '|' + sig_list.append(s + os.sep + os.path.relpath(_, pkgdestpkg)) + + os.remove(_ + '.sig') + + ima_sig_list = '&'.join(sig_list) + + # When the statically linked binary is updated, use the + # dynamically linked one to resign or set. This situation + # occurs in runtime only. + setfattr_bin = 'setfattr.static' + evmctl_bin = 'evmctl.static' + # We don't want to create a statically linked echo program + # any more. + safe_echo = '1' + if pkg == 'attr-setfattr.static': + setfattr_bin = 'setfattr' + elif pkg == 'ima-evm-utils-evmctl.static': + evmctl_bin = 'evmctil' + elif pkg == 'coreutils': + safe_echo = '0' + + # The %post is dynamically constructed according to the currently + # installed package and enviroment. + postinst = r'''#!/bin/sh + +# %post hook for IMA appraisal +ima_resign=0 +sig_list="''' + ima_sig_list + r'''" + +if [ -z "$D" ]; then + evmctl_bin="${sbindir}/''' + evmctl_bin + r'''" + setfattr_bin="${bindir}/''' + setfattr_bin + r'''" + + [ -f "/etc/keys/privkey_evm.pem" -a -x "$evmctl_bin" ] && \ + ima_resign=1 + + safe_echo="''' + safe_echo + r'''" + + cond_print() + { + [ $safe_echo = "1" ] && echo $1 + } + + saved_IFS="$IFS" + IFS="&" + for entry in $sig_list; do + IFS="|" + + tokens="" + for token in $entry; do + tokens="$tokens$token|" + done + + for sig in $tokens; do + break + done + + IFS="$saved_IFS" + + f="$token" + + # If the filesystem doesn't support xattr, skip the following steps. 
+ res=`"$setfattr_bin" -x security.ima "$f" 2>&1 | grep "Operation not supported$"` + [ x"$res" != x"" ] && { + cond_print "Current file system doesn't support to set xattr" + break + } + + if [ $ima_resign -eq 0 ]; then + cond_print "Setting up security.ima for $f ..." + + "$setfattr_bin" -n security.ima -v "0s$sig" "$f" || { + err=$? + cond_print "Unable to set up security.ima for $f (err: $err)" + exit 1 + } + else + cond_print "IMA signing for $f ..." + + "$evmctl_bin" ima_sign --hashalgo sha256 "$f" || { + err=$? + cond_print "Unable to sign $f (err: $err)" + exit 1 + } + fi + + IFS="&" + done + + IFS="$saved_IFS" +fi + +''' + postinst = postinst + (d.getVar('pkg_postinst_%s' % pkg, True) or '') + d.setVar('pkg_postinst_%s' % pkg, postinst) +} + +do_package[depends] += "ima-evm-utils-native:do_populate_sysroot" diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf new file mode 100644 index 0000000..f3c00e0 --- /dev/null +++ b/meta-integrity/conf/layer.conf @@ -0,0 +1,19 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH .= ":${LAYERDIR}" + +# We have recipes-* directories, add to BBFILES +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "integrity" +BBFILE_PATTERN_integrity = "^${LAYERDIR}/" +BBFILE_PRIORITY_integrity = "10" + +IMA_SIGNING_BLACKLIST ??= "${LAYERDIR}/files/ima_signing_blacklist" + +LAYERDEPENDS_integrity = "\ + core \ + signing-key \ + tpm2 \ + tpm \ +" diff --git a/meta-integrity/files/ima_signing_blacklist b/meta-integrity/files/ima_signing_blacklist new file mode 100644 index 0000000..276a7bc --- /dev/null +++ b/meta-integrity/files/ima_signing_blacklist @@ -0,0 +1 @@ +kernel-devsrc diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb new file mode 100644 index 0000000..89cb120 --- /dev/null 
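Review bot: `evmctl_bin = 'evmctil'` in the `elif pkg == 'ima-evm-utils-evmctl.static'` branch is a typo, so that package's generated %post tests `-x "${sbindir}/evmctil"`, never reaches `ima_resign=1`, and silently writes the build-time signature with setfattr instead of re-signing with the on-device key; it should read `evmctl_bin = 'evmctl'`. Because the same `[ -f "/etc/keys/privkey_evm.pem" -a -x "$evmctl_bin" ]` test also masks any other missing or non-executable evmctl, a `cond_print` for the key-present-but-no-evmctl case would surface such mistakes at install time. The per-file signatures and relative paths are spliced into the double-quoted `sig_list="…"` shell string without escaping, so a packaged path containing `"`, `$`, a backslash, `|` or `&` corrupts the generated script; a bb.fatal on such names in the Python loop would fail the build early instead. The IMA_KEYS_DIR value is concatenated into `cmd` unquoted while the file name goes through pipes.quote; quoting both keeps the command well-formed for key directories with spaces.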
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima-initramfs.bb
@@ -0,0 +1,12 @@
+DESCRIPTION = "Linux Integrity Measurement Architecture (IMA) subsystem for initramfs"
+
+include packagegroup-ima.inc
+
+RDEPENDS_${PN} += " \
+ util-linux-mount \
+ util-linux-umount \
+ gawk \
+ ima-policy \
+ key-store-ima-cert \
+ initrdscripts-ima \
+"
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
new file mode 100644
index 0000000..e10300e
--- /dev/null
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.bb
@@ -0,0 +1,21 @@
+DESCRIPTION = "Linux Integrity Measurement Architecture (IMA) subsystem"
+
+include packagegroup-ima.inc
+
+DEPENDS += " \
+ ima-evm-utils-native \
+ attr-native \
+"
+
+RDEPENDS_${PN} += " \
+ attr \
+ util-linux-switch_root.static \
+ attr-setfattr.static \
+ ima-evm-utils-evmctl.static \
+"
+
+# Note any private key is not available if user key signing model used.
+RRECOMMENDS_${PN} += " \
+ key-store-ima-privkey \
+ key-store-system-trusted-privkey \
+"
diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
new file mode 100644
index 0000000..64829dc
--- /dev/null
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
@@ -0,0 +1,13 @@
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+S = "${WORKDIR}"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+ ima-evm-utils \
+ coreutils \
+ grep \
+"
diff --git a/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..2636dad
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
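Review bot: The `RRECOMMENDS_${PN}` entries in packagegroup-ima.bb pull `key-store-ima-privkey` and `key-store-system-trusted-privkey` onto the target rootfs by default, and rpm5-ima.bbclass switches its %post to on-device re-signing as soon as `/etc/keys/privkey_evm.pem` is present, so on such an image any process running as root can sign arbitrary files and appraisal no longer protects against a root-level compromise. The existing comment only says the key is absent under the user key signing model and does not state that trade-off. A comment such as `# Shipping the private key lets RPM re-sign updated files on the device, but also lets any root process sign arbitrary files; drop these RRECOMMENDS for production images.` would make the consequence visible to integrators.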
@@ -0,0 +1,4 @@
+# Append iversion option for auto types
+do_install_append() {
+ sed -i 's/\s*auto\s*defaults/&,iversion/' ${D}${sysconfdir}/fstab
+}
diff --git a/meta-integrity/recipes-core/initrdscripts/files/init.ima b/meta-integrity/recipes-core/initrdscripts/files/init.ima
new file mode 100755
index 0000000..1e92ba2
--- /dev/null
+++ b/meta-integrity/recipes-core/initrdscripts/files/init.ima
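Review bot: The sed expression in `do_install_append` only matches fstab lines whose type and options are literally `auto … defaults`, so entries with an explicit filesystem type or any other option string are left without `iversion`, and nothing reports that the substitution did not apply. If I recall the IMA documentation correctly, on the 4.x kernels this layer targets IMA needs `iversion` to notice that an already-measured file has changed, so a silently unmodified fstab weakens re-measurement rather than failing loudly. A comment recording that assumption above the sed, plus a check such as `grep -q iversion ${D}${sysconfdir}/fstab || bbwarn "no fstab entry received the iversion option"`, would make the limitation visible at build time.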
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+# Initramfs script for IMA initialzation
+#
+# This script is a halper used to load the external
+# IMA policy and public keys used to verify the IMA
+# signature.
+#
+# Copyright (c) 2017, Jia Zhang
+# All rights reserved.
+#
+# See "LICENSE" for license terms.
+
+# Exit code:
+# 0 - IMA initialiazation complete
+# 1 - Kernel doesn't support securityfs
+# 2 - Kernel doesn't support IMA
+# 3 - There is no public key to load
+# 4 - There is no IMA policy file defined
+# 5 - Unable to load IMA policy file
+
+# If root directory is not specified, the root of
+# initramfs assumed.
+ROOT_DIR="${1}"
+
+SECURITYFS_DIR="${ROOT_DIR}/sys/kernel/security"
+
+# The policy files are always placed in initramfs
+IMA_POLICY=/etc/ima_policy
+
+SECURITYFS_MOUNTED=0
+
+function print_critical
+{
+ printf "\033[1;35m"
+ echo "$@"
+ printf "\033[0m"
+}
+
+function print_error
+{
+ printf "\033[1;31m"
+ echo "$@"
+ printf "\033[0m"
+}
+
+function print_warning
+{
+ printf "\033[1;33m"
+ echo "$@"
+ printf "\033[0m"
+}
+
+function print_info
+{
+ printf "\033[1;32m"
+ echo "$@"
+ printf "\033[0m"
+}
+
+function print_verbose
+{
+ printf "\033[1;36m"
+ echo "$@"
+ printf "\033[0m"
+}
+
+function trap_handler
+{
+ local err=$?
+
+ print_verbose "Cleaning up with exit code $err ..."
+
+ [ $SECURITYFS_MOUNTED -eq 1 ] &&
+ umount "$SECURITYFS_DIR" 2>"${ROOT_DIR}/dev/null"
+}
+
+trap "trap_handler $?" SIGINT EXIT
+
+if grep -q "ima_appraise=off" "${ROOT_DIR}/proc/cmdline"; then
+ print_info "Skip to load the public key and IMA policy"
+ exit 0
+fi
+
+if ! grep -q securityfs "${ROOT_DIR}/proc/mounts"; then
+ ! mount -t securityfs none "$SECURITYFS_DIR" 2>"${ROOT_DIR}/dev/null" && {
+ print_error "Unable to mount securityfs filesystem"
+ exit 1
+ }
+ SECURITYFS_MOUNTED=1
+ securityfs_dir="$SECURITYFS_DIR"
+else
+ securityfs_dirs="$(grep securityfs ${ROOT_DIR}/proc/mounts | awk '{print $2}')"
+
+ # Use the first one.
+ for securityfs_dir in "$securityfs_dirs"; do
+ break
+ done
+fi
+
+[ ! -d "$securityfs_dir/ima" ] &&
+ print_info "IMA is not enabled. Exiting ..." && exit 2
+
+keyring_id=0x`grep '\skeyring\s*\.ima: ' "${ROOT_DIR}/proc/keys" | awk '{ print $1 }'`
+
+for key in ${ROOT_DIR}/etc/keys/x509_evm*.pem; do
+ [ ! -s "$key" ] && continue
+
+ if ! evmctl import "$key" "$keyring_id" >"${ROOT_DIR}/dev/null"; then
+ print_critical "Unable to load the public key $key for IMA appraisal"
+ else
+ print_verbose "The external public key $key loaded for IMA appraisal"
+ fi
+done
+
+# Attempt to load the default policy.
+[ ! -f "${IMA_POLICY}" ] && IMA_POLICY="${IMA_POLICY}.default"
+
+[ ! -f "${IMA_POLICY}" ] && {
+ print_warning "No IMA policy file defined"
+ exit 4
+}
+
+cat "${IMA_POLICY}" > "$securityfs_dir/ima/policy" && {
+ exit 0
+} || {
+ print_critical "Unable to load the IMA policy ${IMA_POLICY}"
+ exit 5
+}
diff --git a/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
new file mode 100644
index 0000000..3860be2
--- /dev/null
+++ b/meta-integrity/recipes-core/initrdscripts/initrdscripts-ima.bb
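Review bot: `for securityfs_dir in "$securityfs_dirs"; do break; done` quotes the expansion, so the loop body runs exactly once with the whole newline-separated list in `securityfs_dir`; with more than one securityfs mount, `$securityfs_dir/ima` is then a multi-line path, the `-d` test fails and the script exits 2 although IMA is enabled. The comment says "Use the first one", which `securityfs_dir="$(grep securityfs ${ROOT_DIR}/proc/mounts | awk 'NR==1 {print $2}')"` would actually do. The header documents exit code 3 ("There is no public key to load"), but the key loop only prints on a failed `evmctl import` and falls through to loading the policy with exit 0, so either return 3 when no key was imported or drop that line from the header. `keyring_id` likewise becomes the bare string `0x` when no `.ima` keyring line is found in /proc/keys, which makes every import fail with a misleading message rather than an explicit "keyring not found" error.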
@@ -0,0 +1,47 @@
+DESCRIPTION = "The initrd script for Linux Integrity Measurement Architecture (IMA)"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+S = "${WORKDIR}"
+
+ALLOW_EMPTY_${PN} = "1"
+
+SRC_URI = "\
+ file://init.ima \
+"
+
+do_install() {
+ if [ x"${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}" = x"1" ]; then
+ install -m 0500 ${WORKDIR}/init.ima ${D}
+ fi
+}
+
+FILES_${PN} += " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', '/init.ima', '', d)} \
+"
+
+# Install the minimal stuffs only, and don't care how the external
+# environment is configured.
+# @bash: sh
+# @coreutils: echo, mkdir, mknod, dirname, basename, cp, rm, sleep
+# seq, printf, cut
+# @grep: grep
+# @gawk: awk
+# @kmod: modprobe, depmod
+# @net-tools: ifconfig
+# @trousers: tcsd
+# @procps: pkill
+# @util-linux: blkid, mount, umount
+RDEPENDS_${PN} += "\
+ bash \
+ coreutils \
+ grep \
+ gawk \
+ kmod \
+ net-tools \
+ procps \
+ util-linux-blkid \
+ util-linux-mount \
+ util-linux-umount \
+"
diff --git a/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend b/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend
new file mode 100644
index 0000000..1728f2e
--- /dev/null
+++ b/meta-integrity/recipes-core/util-linux/util-linux_%.bbappend
@@ -0,0 +1,16 @@
+PACKAGES =+ "${PN}-switch_root.static"
+
+CFLAGS_remove += "-pie -fpie"
+
+do_compile_append_class-target() {
+ ${CC} ${CFLAGS} ${LDFLAGS} -static \
+ sys-utils/switch_root.o \
+ -o switch_root.static
+}
+
+do_install_append_class-target() {
+ install -d ${D}${sbindir}
+ install -m 0700 ${B}/switch_root.static ${D}${sbindir}/switch_root.static
+}
+
+FILES_${PN}-switch_root.static = "${sbindir}/switch_root.static"
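Review bot: The dependency comment above `RDEPENDS_${PN}` in initrdscripts-ima.bb lists tools that init.ima in this same commit never calls (`tcsd`, `ifconfig`, `pkill`, `modprobe`/`depmod`, `mknod`, `sleep`, `cut`), while `evmctl`, which the script does run, is neither listed nor in this recipe's RDEPENDS. Every unused package (kmod, net-tools, procps) enlarges an initramfs whose integrity the README expects secure boot to guarantee, so the list should be trimmed to what init.ima uses (grep, gawk, coreutils, util-linux-mount/umount, plus ima-evm-utils) or the comment should say why the extra tools are wanted. I am reading this against init.ima only and may be missing another consumer in the layer, so a one-line comment naming that consumer would settle it.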
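Review bot: `CFLAGS_remove += "-pie -fpie"` in util-linux_%.bbappend drops PIE for every object util-linux builds, so mount, umount, blkid and the rest of the package ship without ASLR just so that the pre-built `sys-utils/switch_root.o` can be linked `-static` in `do_compile_append_class-target`; the same package-wide removal appears in ima-evm-utils_git.bb further down for evmctl.static. Compiling the static variant from source in that step with the PIE flags filtered out of a local copy of CFLAGS, or linking it with `-static-pie` where the toolchain supports it, would confine the hardening regression to the one binary. If the package-wide removal is intended, a comment such as `# -fpie objects cannot be linked into the non-PIE static switch_root below` belongs above the line so the regression is recorded.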
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
new file mode 100644
index 0000000..8c08a45
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -0,0 +1,18 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+IMA_ENABLED = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', '1', '0', d)}"
+
+DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1' else ''}"
+# key-store-ima-cert is required in runtime but we hope it is available
+# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
+
+SRC_URI += " \
+ ${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+"
+
+do_configure_append() {
+ [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ] &&
+ openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
+ -outform DER -out "${B}/system_trusted_cert.x509" ||
+ true
+}
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
new file mode 100644
index 0000000..685d15c
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
@@ -0,0 +1 @@
+include linux-yocto-integrity.inc
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
new file mode 100644
index 0000000..073197a
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
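Review bot: The `[ -f … ] && openssl x509 … || true` chain in `do_configure_append` swallows an openssl failure as well as the intended missing-file case, so a malformed `system_trusted_key.pem` produces no `system_trusted_cert.x509` and the task still succeeds; if that certificate is what seeds the kernel's system trusted keyring (I cannot confirm the consumer from this file), the kernel then cannot verify the certificate named by CONFIG_IMA_X509_PATH and the problem only shows up at boot. Restricting the tolerance to the absent-file case keeps the build fail-closed: `if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then` / `openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" -outform DER -out "${B}/system_trusted_cert.x509"` / `fi`. A comment stating where `system_trusted_cert.x509` is picked up by the kernel build would also help, since nothing in this recipe references it again.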
@@ -0,0 +1,35 @@
+..........................................................................
+. WARNING
+.
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file. The final kernel configuration is made up of
+. an assembly of processed fragments, each of which is designed to
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration). For more information on kernel configuration, please
+. consult the product documentation.
+.
+..........................................................................
+
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE=y is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_APPRAISE=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY_AUDIT=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
new file mode 100644
index 0000000..c43e1c4
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
+define KFEATURE_COMPATIBILITY board
+
+kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
new file mode 100644
index 0000000..685d15c
--- /dev/null
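Review bot: `# CONFIG_IMA_NG_TEMPLATE=y is not set` is not the Kconfig "not set" form, so the fragment merge treats it as an ordinary comment and the option is never disabled by this file; it is harmless only because `CONFIG_IMA_SIG_TEMPLATE=y` wins the template choice, and it should read `# CONFIG_IMA_NG_TEMPLATE is not set`. The fragment also leaves `CONFIG_IMA_APPRAISE_BOOTPARAM` at its Kconfig default, which on the 4.x kernels this layer targets is enabled as far as I remember, so whoever can edit the kernel command line can switch appraisal off with the same `ima_appraise=off` string that init.ima honours by skipping key and policy loading. An explicit `# CONFIG_IMA_APPRAISE_BOOTPARAM is not set`, or a comment stating that the parameter is deliberately kept for development and relies on the secure-boot chain protecting the command line, would record the decision in the place an integrator will look.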
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend @@ -0,0 +1 @@ +include linux-yocto-integrity.inc diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch new file mode 100644 index 0000000..db006c0 --- /dev/null +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Don-t-build-man-pages.patch @@ -0,0 +1,27 @@ +From b5bc04d9062a69e116ed60ad540b56cd057d47d1 Mon Sep 17 00:00:00 2001 +From: Lans Zhang +Date: Tue, 27 Dec 2016 14:25:58 +0800 +Subject: [PATCH] Don't build man pages + +Too many external tools are required to build the man pages. We don't +need them anyway. + +Signed-off-by: George McCollister +Signed-off-by: Lans Zhang +--- + Makefile.am | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..e527f34 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,4 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +-- +2.7.4 + diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch new file mode 100644 index 0000000..545be42 --- /dev/null +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch 
@@ -0,0 +1,28 @@ +From 412f60bbd5a7ed1eac7051bd2947d5fc0c95e86b Mon Sep 17 00:00:00 2001 +From: Lans Zhang +Date: Thu, 12 Jan 2017 16:55:03 +0800 +Subject: [PATCH] Install evmctl to $sbindir rather than $bindir + +Setting security.ima requires sys_admin capability. + +Signed-off-by: Lans Zhang +--- + src/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index deb18fb..aa8f666 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -9,7 +9,7 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS) + + include_HEADERS = imaevm.h + +-bin_PROGRAMS = evmctl ++sbin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c + evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) +-- +2.7.4 + diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 0000000..c1278a9 --- /dev/null +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb 
@@ -0,0 +1,41 @@
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+SRC_URI = " \
+ git://git.code.sf.net/p/linux-ima/ima-evm-utils \
+ file://0001-Don-t-build-man-pages.patch \
+ file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \
+"
+SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7"
+PV = "1.0+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+PACKAGES =+ "${PN}-evmctl.static"
+
+DEPENDS += "openssl attr keyutils"
+RDEPENDS_${PN}_class-target += "libcrypto libattr keyutils"
+
+inherit pkgconfig autotools
+
+# Specify any options you want to pass to the configure script using EXTRA_OECONF:
+EXTRA_OECONF = ""
+
+CFLAGS_remove += "-pie -fpie"
+
+do_compile_append_class-target() {
+ ${CC} ${CFLAGS} ${LDFLAGS} -static \
+ -include config.h -L=${libdir} \
+ -Wl,--start-group -lcrypto -lkeyutils -ldl \
+ ${S}/src/evmctl.c ${S}/src/libimaevm.c \
+ -Wl,--end-group -o ${B}/src/evmctl.static
+}
+
+do_install_append_class-target() {
+ install -m 0700 ${B}/src/evmctl.static ${D}${sbindir}/evmctl.static
+}
+
+FILES_${PN}-dev += "${includedir}"
+FILES_${PN}-evmctl.static = "${sbindir}/evmctl.static"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-support/ima-policy/files/ima_policy.default b/meta-integrity/recipes-support/ima-policy/files/ima_policy.default
new file mode 100644
index 0000000..5d4ae47
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-policy/files/ima_policy.default
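Review bot: `CFLAGS_remove += "-pie -fpie"` strips PIE from the entire recipe, so the regular `evmctl` and `libimaevm` built for the target lose ASLR even though only the `-static` link in `do_compile_append_class-target` appears to need the flags removed (presumably because the toolchain cannot combine position-independent with fully static linking). Scoping the removal to the static link — for instance expanding a filtered copy of `CFLAGS` inside the append instead of a recipe-wide `CFLAGS_remove` — keeps the distro hardening flags on the dynamically linked tool that most systems will actually invoke. A short comment on the `CFLAGS_remove` line stating why the flags are dropped would also help, since the reason is not visible anywhere in the recipe.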
@@ -0,0 +1,24 @@
+# The default external IMA policy
+
+# Don't appraise any file opened.
+# However, we cannot write down such a rule,
+# dont_appraise func=FILE_CHECK
+#
+# because this rule will accidently cause the security.ima
+# being deleted in post_setattr() path. In fact, this is a
+# real bug in policy engine when handling post_setattr()
+# hook. The failure can be triggered in such a way:
+# touch /bin/ls
+# /bin/ls <- permission denied
+
+# Reduce performance loss
+# audit func=FILE_CHECK fowner=0 mask=^MAY_READ
+# measure func=FILE_CHECK fowner=0 mask=^MAY_READ
+
+appraise func=MMAP_CHECK euid=0 appraise_type=imasig
+
+appraise func=BPRM_CHECK euid=0 appraise_type=imasig
+
+appraise func=MODULE_CHECK euid=0 appraise_type=imasig
+
+appraise func=FIRMWARE_CHECK euid=0 appraise_type=imasig
diff --git a/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb b/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb
new file mode 100644
index 0000000..982717a
--- /dev/null
+++ b/meta-integrity/recipes-support/ima-policy/ima-policy_0.1.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "The default external IMA policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = " \
+ file://ima_policy.default \
+ "
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d "${D}${sysconfdir}"
+ install -m 0400 "${WORKDIR}/ima_policy.default" \
+ "${D}${sysconfdir}"
+}
+
+FILES_${PN} = "${sysconfdir}"
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch
new file mode 100644
index 0000000..11be1e1
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-powerpc-cflags.patch
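Review bot: The header comment explains why there is no `dont_appraise func=FILE_CHECK` rule but never states the effective scope of the four `appraise` rules that follow: each carries `euid=0`, so only exec, mmap, module and firmware loads performed with root privileges are appraised, while the same binaries run by unprivileged users and plain file opens are not. A line such as `# Appraise only privileged (euid=0) exec/mmap/module/firmware loads; other accesses are not appraised` above the first `appraise` rule would make that trade-off explicit to whoever deploys this policy. The note about a policy-engine bug in the post_setattr() path would also benefit from naming the kernel version or commit it was observed against, since a reader otherwise cannot tell whether the workaround is still needed.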
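Review bot: `FILES_${PN} = "${sysconfdir}"` packages the whole `${sysconfdir}` directory rather than the single file `do_install` places there, so the package claims `/etc` itself and every file under it, which can conflict with other packages installing into that directory. Narrowing it to `FILES_${PN} = "${sysconfdir}/ima_policy.default"` matches what the recipe actually installs (`install -m 0400 "${WORKDIR}/ima_policy.default" "${D}${sysconfdir}"`). The 0400 mode is a sensible choice for a file that decides what the kernel appraises, and a one-line comment on the `install -m 0400` line saying so would document the intent.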
@@ -0,0 +1,28 @@
+From 1cc17e3c8b1f73db43011775292396338f932a20 Mon Sep 17 00:00:00 2001
+From: Lei Maohui
+Date: Mon, 17 Aug 2015 15:30:40 +0900
+Subject: [PATCH] keyutils fix powerpc cflags
+
+---
+ Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 82e1a0f..0746c82 100644
+--- a/Makefile
++++ b/Makefile
+@@ -65,12 +65,10 @@ BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-
+ LNS := ln -sf
+ 
+ ifeq ($(BUILDFOR),32-bit)
+-CFLAGS += -m32
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+-CFLAGS += -m64
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ endif
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch
new file mode 100644
index 0000000..77cf528
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-fix-the-cflags-for-all-of-targets.patch
@@ -0,0 +1,32 @@
+From 8a1331d4abf9a96ee65e5fb31a00c7a2e0eed7c8 Mon Sep 17 00:00:00 2001
+From: Lei Maohui
+Date: Mon, 17 Aug 2015 13:53:28 +0900
+Subject: [PATCH] fix the cflags for all of targets.
+
+Signed-off-by: Lei Maohui
+---
+ Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index e2d7e2d..82e1a0f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -64,7 +64,6 @@ BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-
+ 
+ LNS := ln -sf
+ 
+-ifeq ($(origin CFLAGS),undefined)
+ ifeq ($(BUILDFOR),32-bit)
+ CFLAGS += -m32
+ LIBDIR := /usr/lib
+@@ -76,7 +75,6 @@ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ endif
+ endif
+-endif
+ 
+ ###############################################################################
+ #
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch
new file mode 100644
index 0000000..a049fd2
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils-remove-m32-m64.patch
@@ -0,0 +1,19 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile 2011-12-20 11:05:10.000000000 +0200
++++ keyutils-1.5.5/Makefile 2011-12-20 11:06:27.000000000 +0200
+@@ -58,12 +58,12 @@
+ LNS := ln -sf
+ 
+ ifeq ($(BUILDFOR),32-bit)
+-CFLAGS += -m32
++#CFLAGS += -m32
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+-CFLAGS += -m64
++#CFLAGS += -m64
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ endif
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch
new file mode 100644
index 0000000..adf0643
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_library_install.patch
@@ -0,0 +1,30 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile 2011-11-30 17:27:43.000000000 +0200
++++ keyutils-1.5.5/Makefile 2011-12-21 16:05:53.000000000 +0200
+@@ -59,13 +59,13 @@
+ 
+ ifeq ($(BUILDFOR),32-bit)
+ CFLAGS += -m32
+-LIBDIR := /lib
++LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+ CFLAGS += -m64
+-LIBDIR := /lib64
+-USRLIBDIR := /usr/lib64
++LIBDIR := /usr/lib
++USRLIBDIR := /usr/lib
+ endif
+ endif
+ 
+@@ -152,7 +152,7 @@
+ $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+ $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+ mkdir -p $(DESTDIR)$(USRLIBDIR)
+- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
+ $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
+ $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
new file mode 100644
index 0000000..b0c2d92
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
@@ -0,0 +1,24 @@
+From d3b6b98984a28e782cb22dc6c7bd0ea9a0e74f15 Mon Sep 17 00:00:00 2001
+From: Lei Maohui
+Date: Mon, 17 Aug 2015 15:53:02 +0900
+Subject: [PATCH] keyutils fix x86-64 cflags
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 82e1a0f..23aa466 100644
+--- a/Makefile
++++ b/Makefile
+@@ -60,7 +60,7 @@ endif
+ ifeq ($(origin USRLIBDIR),undefined)
+ USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+ endif
+-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR := 64-bit
+ 
+ LNS := ln -sf
+ 
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch
new file mode 100644
index 0000000..f5d5f70
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils/keyutils_fix_x86_cflags.patch
@@ -0,0 +1,24 @@
+From 3263917382af02e61f12f3774c32d3324a57059f Mon Sep 17 00:00:00 2001
+From: Lei Maohui
+Date: Mon, 17 Aug 2015 11:48:22 +0900
+Subject: [PATCH] keyutils fix x86 cflags
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index e2d7e2d..f05bada 100644
+--- a/Makefile
++++ b/Makefile
+@@ -60,7 +60,7 @@ endif
+ ifeq ($(origin USRLIBDIR),undefined)
+ USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+ endif
+-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR := 32-bit
+ 
+ LNS := ln -sf
+ 
+-- 
+1.8.4.2
diff --git a/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb b/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb
new file mode 100644
index 0000000..64e0365
--- /dev/null
+++ b/meta-integrity/recipes-support/keyutils/keyutils_1.5.9.bb
@@ -0,0 +1,48 @@
+SUMMARY = "Linux Key Management Utilities"
+DESCRIPTION = "Keyutils is a set of utilities for managing the key retention \
+facility in the kernel, which can be used by filesystems, block devices and \
+more to gain and retain the authorization and encryption keys required to \
+perform secure operations."
+SECTION = "base"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45"
+
+PR = "r1"
+
+SRCREV = "9209a0c8fd63afc59f644e078b40cec531409c30"
+
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=git \
+ file://keyutils_fix_library_install.patch \
+ file://keyutils-fix-the-cflags-for-all-of-targets.patch \
+ "
+SRC_URI_append_arm = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_aarch64 = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_mips = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_mips64 = " file://keyutils-remove-m32-m64.patch"
+SRC_URI_append_x86 = " file://keyutils_fix_x86_cflags.patch"
+SRC_URI_append_x86-64 = " file://keyutils_fix_x86-64_cflags.patch"
+SRC_URI_append_powerpc = "file://keyutils-fix-powerpc-cflags.patch"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep
+
+INSTALL_FLAGS = " \
+ LIBDIR=${libdir} \
+ USRLIBDIR=${libdir} \
+ BINDIR=${bindir} \
+ SBINDIR=${sbindir} \
+ ETCDIR=${sysconfdir} \
+ SHAREDIR=${datadir} \
+ MANDIR=${mandir} \
+ INCLUDEDIR=${includedir} \
+ DESTDIR=${D} \
+"
+
+do_install() {
+ cd ${S} && oe_runmake ${INSTALL_FLAGS} install
+}
+
+FILES_${PN} += "${datadir}/request-key-debug.sh"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
cgit v1.2.3-54-g00ecf
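Review bot: `SRC_URI_append_powerpc = "file://keyutils-fix-powerpc-cflags.patch"` lacks the leading space that every other `_append` line above it carries; it appears to parse as a separate entry only because the SRC_URI value currently ends in continuation whitespace before its closing quote, so a later edit to SRC_URI would silently glue the patch name onto the previous URI. Use `SRC_URI_append_powerpc = " file://keyutils-fix-powerpc-cflags.patch"` to match the others. Separately, if the `x86` override is also present on x86-64 machines (the x86 machine includes commonly add it), both `keyutils_fix_x86_cflags.patch` and `keyutils_fix_x86-64_cflags.patch` would be queued, and since both replace the same `BUILDFOR` line the second cannot apply; worth confirming the override set before relying on the two appends side by side.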