summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* tpm2-tss: drop libgcryptRicardo Salveti2024-07-011-3/+1
| | | | | | | | | Upstream removed gcrypt backend as part of the 3.0.0 release (https://github.com/tpm2-software/tpm2-tss/pull/1781), but it was not removed from the recipe during the update. Signed-off-by: Ricardo Salveti <ricardo@foundries.io> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Enable passing private key passwordStefan Berger2024-07-012-0/+6
| | | | | | | | Allow users to pass the private key password using IMA_EVM_EVMCTL_KEY_PASSWORD. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctlStefan Berger2024-07-012-2/+9
| | | | | | | | | Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl when signing files. An example is --keyid <id> that makes evmctl use a specific key id when signing files. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Remove stale variables and documentationStefan Berger2024-07-012-11/+1
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: fix sendemail.to valueMartin Jansa2024-07-011-1/+1
| | | | | | * other places were updated to use yocto-patches, but not this one Signed-off-by: Armin Kuster <akuster808@gmail.com>
* {tcp,udp}-smack-test: fix few more implicit-function-declaration issues ↵Martin Jansa2024-07-013-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | fatal with gcc-14 tcp-smack-test: tcp_server.c: In function 'main': tcp_server.c:50:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] 50 | port = atoi(argv[1]); | ^~~~ tcp_server.c:62:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration] 62 | if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0) | ^~~~~~~~~ udp-smack-test: udp_client.c: In function 'main': udp_client.c:52:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration] 52 | if(fsetxattr(sock, attr, label, strlen(label),0) < 0) | ^~~~~~~~~ udp_client.c:67:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration] 67 | close(sock); | ^~~~~ | pclose udp_server.c: In function 'main': udp_server.c:42:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] 42 | port = atoi(argv[1]); | ^~~~ udp_server.c:57:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration] 57 | if(fsetxattr(sock, attr, label, strlen(label), 0) < 0) | ^~~~~~~~~ udp_server.c:84:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration] 84 | close(sock); | ^~~~~ | pclose Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: Start WORKDIR -> UNPACKDIR transitionWang Mingyu2024-06-171-1/+3
| | | | | | | Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-hashed: Start WORKDIR -> UNPACKDIR transitionWang Mingyu2024-06-171-1/+1
| | | | | | | Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: WORKDIR -> UNPACKDIRChangqing Li2024-06-171-1/+1
| | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: WORKDIR -> UNPACKDIR transitionChangqing Li2024-06-179-31/+32
| | | | | | | | | * WORKDIR -> UNPACKDIR transition * Switch away from S = WORKDIR Signed-off-by: Changqing Li <changqing.li@windriver.com> [Fixed up the smack changes due to prior patch] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: upgrade 0.1.72 -> 0.1.73Yi Zhao2024-06-171-1/+1
| | | | | | | | ChangeLog: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.73 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sssd: remove duplicate option --without-python2-bindingsGael PORTAY2024-06-171-1/+0
| | | | | | | | | | | The option --without-python2-bindings was added twice, by the commit 4375507f39ed4bc62e1304838870be65f3a81460, and then after python2 was deprecated with the commit 96737082ad20eabcbbaa82b0cacee0d05d50eaab. This removes the latter. Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* mmap-smack-test, smack-test, tcp-smack-test, udp-smack-test: don't use S = ↵Martin Jansa2024-06-174-7/+13
| | | | | | | | | | | | | | | | | | | | | ${WORKDIR} * fixes: Parsing recipes... ERROR: meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/udp-smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: meta-security/recipes-mac/smack/smack-test_1.0.bb: Using S = ${WORKDIR} is no longer supported ERROR: Parsing halted due to errors, see error messages above * see: https://lists.openembedded.org/g/openembedded-architecture/message/2007 * it's fatal error since: https://git.openembedded.org/openembedded-core/commit/?h=master&id=32cba1cc916ad530c5e6630a927e74ca6f06289b Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* {tcp,udp}-smack-test: fix implicit-function-declaration issues fatal with gcc-14Martin Jansa2024-06-172-0/+2
| | | | | | | | | | | | | | | tcp-smack-test: http://errors.yoctoproject.org/Errors/Details/766925/ tcp_client.c:55:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] udp-client-tests: http://errors.yoctoproject.org/Errors/Details/766927/ udp_client.c:41:16: error: implicit declaration of function 'atoi' [-Wimplicit-function-declaration] udp_client.c:51:12: error: implicit declaration of function 'fsetxattr' [-Wimplicit-function-declaration] udp_client.c:66:9: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration] Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: upgrade 4.0.1 -> 4.1.2Valentin Kunin2024-06-172-8/+19
| | | | | | | | | | | | | | Bump tpm2-tss library version from 4.0.1 to 4.1.2. This simply involves renaming the recipe and chaning the target SHA256 library file hash. Also update the fixup_hosttools.patch to apply to the new version of the library. It stays the same functionally, but some line numbers needed to be updated to apply cleanly. Signed-off-by: Valentin Kunin <kunin@google.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-parsec: Update parsec-service to 1.4.1Gowtham Suresh Kumar2024-05-282-33/+47
| | | | | Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tss: BBCLASSEXTEND nativesdkTim Orling2024-05-081-1/+1
| | | | | | | Dependency for nativesdk-swtpm Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libtpm: BBCLASSEXTEND nativesdkTim Orling2024-05-081-1/+1
| | | | | | | nativesdk-swtpm needs nativesdk-libtpm Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-tools: BBCLASSEXTEND native and nativesdkTim Orling2024-05-081-0/+2
| | | | | | | tpm2-pkcs11-tools-native needs tpm2-tools-native Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-pkcs11: BBCLASSEXTEND native and nativesdkTim Orling2024-05-081-0/+2
| | | | | | | swtpm-native requires tpm2-pkcs11-tools-native for gnutls PACKAGECONFIG Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* swtpm: upgrade 0.8.1 -> 0.8.2Tim Orling2024-05-081-1/+1
| | | | | | | | | | | | | version 0.8.2: - swtpm: - cuse: Lock file_ops_lock before reading tpm_running - build-sys: - Add support for --disable-tests to disable tests https://github.com/stefanberger/swtpm/compare/v0.8.1...v0.8.2 Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: upgrade 0.1.71 -> 0.1.72Yi Zhao2024-05-081-1/+1
| | | | | | | | ChangeLog: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: upgrade 1.3.9 -> 1.3.10Yi Zhao2024-05-081-1/+1
| | | | | | | | ChangeLog: https://github.com/OpenSCAP/openscap/releases/tag/1.3.10 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: update libseccomp dependenciesMarta Rybczynska2024-05-081-1/+1
| | | | | | | | | | | libseccomp requires DISTRO_FEATURE seccomp enabled. This one is automatically removed for riscv, so we do not need to add an additional condition. This change is necessary for cve-check on world with meta-security Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: remove __pycache__ in ptest directoryYi Zhao2024-05-081-0/+5
| | | | | | | | | | | | Remove __pycache__ directories as they contain references to TMPDIR. Fix QA warnings: WARNING: scap-security-guide-0.1.71-r0 do_package_qa: QA Issue: File /usr/lib64/scap-security-guide/ptest/git/utils/_pycache_/gen_reference_table.cpython-312.pyc in package scap-security-guide-ptest contains reference to TMPDIR Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmtpm2tss: upgrade 1661 -> 2.2.0Yi Zhao2024-04-222-19/+21
| | | | | | | | * Refresh patch * Fix UPSTREAM_CHECK_GITTAGREGEX Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: upgrade 3.0.9 -> 3.1.1Wang Mingyu2024-04-222-55/+2
| | | | | | | | 0001-osdetection-add-OpenEmbedded-and-Poky.patch removed since it's included in 3.1.1. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ibmswtpm2: upgrade 164-2020-192.1 -> 183-2024-03-27Yi Zhao2024-04-161-3/+3
| | | | | | | | | | Remove '-DALG_CAMELLIA=ALG_NO' from CFLAGS to fix compile error: | TpmProfile_Common.h:109: error: "ALG_CAMELLIA" redefined [-Werror] | 109 | #define ALG_CAMELLIA ALG_YES | | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: update to new patches mailing listArmin Kuster2024-04-095-12/+12
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: Make asyncore support optional for Python 3Mingli Yu2024-03-272-0/+96
| | | | | | | | | | | | | | | | | | | | | | Simple fix for Python 3.12 since it dropped asyncore. Catches the import error instead of using a version check so that the user can install the compatibility package for any uses that can't be upgraded to asyncio or similar immediately. Fixes: # python3 Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import pyinotify Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module> import asyncore ModuleNotFoundError: No module named 'asyncore' >>> Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update for the scarthgap release seriesMax Krummenacher2024-03-275-5/+5
| | | | | Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: install man8 dirJeremy A. Puhlman2024-03-271-1/+1
| | | | | | | | | | | | | | The install expects man8 directory to already exists. If not created the man page gets installed as "man8", which causes conflicts with other packages, that expect it to be a directory. 'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp' './arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' './arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8' Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Check for usrmerge before removing /usr/libJeremy A. Puhlman2024-03-271-1/+3
| | | | | Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to emptyKevin Hao2024-03-271-0/+2
| | | | | | | | | | | | | | | According to the Yocto reference manual [1], the IMAGE_NAME_SUFFIX should be set to empty for the initramfs image. Otherwise, we may incur a build error like following due to the initrd check in live-vm-common.bbclass: ERROR: core-image-minimal-1.0-r0 do_bootimg: build-test/tmp/deploy/images/genericx86-64/dm-verity-image-initramfs-genericx86-64.cpio.gz is invalid. initrd image creation failed. ERROR: core-image-minimal-1.0-r0 do_bootimg: ExecutionError('build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/run.build_hddimg.1961965', 1, None, None) ERROR: Logfile of failure stored in: build-test/tmp/work/genericx86_64-poky-linux/core-image-minimal/1.0/temp/log.do_bootimg.1961965 ERROR: Task (poky/meta/recipes-core/images/core-image-minimal.bb:do_bootimg) failed with exit code '1' [1] https://docs.yoctoproject.org/ref-manual/variables.html#term-IMAGE_NAME_SUFFIX Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: update to tip to fix new build issue.Armin Kuster2024-03-272-62/+3
| | | | | | drop patch now included. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aprwatch: Add path for sendmailJeremy A. Puhlman2024-03-271-0/+1
| | | | | | | | Arpwatch won't build on a system without a sendmail provider installed with out this setting. Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: fix misspelling of PACKAGECONFIGJeremy A. Puhlman2024-03-271-1/+1
| | | | | Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: Set the IMAGE_FSTYPES correctly when dm-verity is enabledKevin Hao2024-03-271-5/+19
| | | | | | | | | | | | | | | | | | | | | After the using inherit_defer for the image classes in oe-core commit 451363438d38 ("classes/recipes: Switch to use inherit_defer"), the using of anonymous python function in dm-verity-img.bbclass to set the IMAGE_FSTYPES doesn't work anymore. The reason is that image.bbclass also use anonymous python function to add the do_image_xxx task for the corresponding filesystem type. The anonymous function in dm-verity-img.bbclass is evaluated much later than the one in image.bbclass. Then the task such as do_image_vhash will not be added as we expect. So we choose to use "+=" to set the IMAGE_FSTYPES. The populate_sdk_ext.bbclass may generate a dependency list like below: core-image-minimal.do_sdk_depends -> lib32-core-image-minimal.do_image_vhash So we also need to make sure the do_image_vhash task for the multilib filesystem is added. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity: Adjust the image names according to the oe-core changeKevin Hao2024-03-273-5/+5
| | | | | | | | | | | | | | | | After the oe-core commit 26d97acc7137 ("image-artifact-names: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}"), the image names have changed from core-image-minimal-qemux86-64-20230307181808.rootfs.ext4 core-image-minimal-qemux86-64.ext4 to core-image-minimal-qemux86-64.rootfs-20230307181456.ext4 core-image-minimal-qemux86-64.rootfs.ext4 Adjust the images name used by dm-verity according to this change. Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* docs: dm-verity.txt: Fix a typoKevin Hao2024-03-271-1/+1
| | | | | Signed-off-by: Kevin Hao <kexin.hao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Drop ${PYTHON_PN}Armin Kuster2024-03-275-15/+15
| | | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> --- V2] Fix typo in python3-pyinotify changes
* lynis: Add missing runtime dependenciesBELOUARGA Mohamed2024-02-201-1/+1
| | | | | | | | Lynis tool needs ip, ss, tr and netstat. If they are missing Lynis skips some important audit tests. Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* checksec: Add more runtime dependencies to checksec toolBELOUARGA Mohamed2024-02-201-1/+1
| | | | | | | Checksec tool depends of commands "find, file and ps" Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: fix build with python 3.12Yi Zhao2024-02-202-1/+60
| | | | | | | | | | | | | | Backport a patch to fix build with python 3.12: $ bitbake openscap-native Traceback (most recent call last): File "<string>", line 1, in <module> ModuleNotFoundError: No module named 'distutils' CMake Error at swig/python3/CMakeLists.txt:35 (install): install TARGETS given no LIBRARY DESTINATION for module target "_openscap_py". Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image-minimal: Fix IMAGE_INSTALLLeon Anavi2024-02-201-6/+4
| | | | | | | | | | | | | Append to IMAGE_INSTALL rather than directly setting the variable and does it after inheriting core-image.bbclass because in it IMAGE_INSTALL is set with a default value CORE_IMAGE_BASE_INSTALL. Variable CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL so the change allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as per the instructions in meta-integrity/README.md. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto%.bbappend: Add audit.cfgLeon Anavi2024-02-203-2/+10
| | | | | | | | | | | | | | Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/. Previously the same configuration fragment was provided by layer meta-security-framework but it is no longer maintained therefore it makes sense to have audit.cfg in layer meta-integrity. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: update to 0.1.71Armin Kuster2024-01-281-3/+3
| | | | | | change branch name to stable. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-fail2ban: remove unused distutils dependencyArmin Kuster2024-01-281-1/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pyinotify: do not rely on smtpd moduleArmin Kuster2024-01-281-1/+0
| | | | | | | It's not mentioned anywhere in source code, and python 3.12 has removed it. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: libhoth: SRCREV bump e520f8f...e482716Yushi Sun2024-01-281-1/+1
| | | | | | | | | | | | | | | | | Nicholas Nooney (1): Update error messages in htool_exec_hostcmd (#43) Royce (1): Add ability to process raw host commands (#41) Yoan Andreev (1): Payload getstatus (#40) daimeng (1): htool: Allow console snapshot on proxy channels (#42) Signed-off-by: Yushi Sun <yushis@google.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-05 23:18:08 +0000