| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Patch sent upstream.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Header file conflict between 32-bit and 64-bit versions
Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes
since the 'lower' inode's i_version had not changed. The issue will be
resolved in later kernels with the following patch that builds on
newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Update the README describing how IMA support can be used.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
The IMA policy will be specified using the IMA_EVM_POLICY variable since
systemd will not be involved in loading the policy but the init script will
load it.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding
kernel configuration options for IMA and EVM.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Fix the ima_policy_appraise_all policy to appraise all executables
and libraries. Also update the list of files that are not appraised to not
appraise cgroup related files.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Additional maintainer entries should be added to ones provided by oe-core,
but not be replacing them, as that breaks oe-core tests.
Another option is to place them directly into recipes.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Don't build man as it needs pandoc
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
include: CVE-2023-1017 & CVE-2023-1018
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
includes CVE-2022-23645
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
a bit of re-org
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
a bit of re-org.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* The dependency on autoconf-archive is only needed when building from
the Git repository (and it should really be autoconf-archive-native).
* Removing the build dependency on tpm2-abrmd does not change the output
in any way, i.e., nothing is used from it.
* The runtime dependency on libtss2 is added automatically by bitbake
since /usr/bin/tpm2 is linked with libtss2-esys.so.0.
* The runtime dependency on tpm2-abrmd is optional. Such dependencies
are better handled at a higher level, e.g., by depending on
packagegroup-security-tpm2.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Make sure that all changes a saved after running the tests.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
If PACKAGECONFIG is not defined in local.conf then
its default value is not included in cls.tc.td map.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
ERROR: Missing SRC_URI checksum, please add those to the recipe:
SRC_URI[parsec-service-1.2.0.sha256sum] = "f58e7ba859c22cc1904dc8298b1a7d94ee1ba3b4d4808f28e4cc0c96ddb149c9"
Needed to S dir too.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
v2]
Fix patch applying
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FIxes:
ERROR: Missing SRC_URI checksum, please add those to the recipe:
SRC_URI[parsec-tool-0.6.0.sha256sum] = "f51d5d7f0caca1c335324b52482fa5edbf6c9cfd2e6865e5cb22716d52dcb367"
Needed to have the package version included in the name.
Fixes:
ERROR: parsec-tool-0.6.0-r0 do_populate_lic: QA Issue: parsec-tool: LIC_FILES_CHKSUM points to an invalid file:
and
error: manifest path `/home/akuster/oss/clean/poky/build/tmp/work/cortexa53-poky-linux/parsec-tool/0.6.0-r0/parsec-tool-0.6.0//Cargo.toml` does not exist
Set S to CARGO_VENDORING_DIRECTORY/BP to fix the LIC_FILES_CHKSUM and compile errors.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
| |
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The PERLVERSION likely has the wrong value in the native context
due to reasons discussed in openembedded-core[1]. The upstream
suggestion was to avoid use of PERLVERSION and switch to the direct
function.
1. https://lore.kernel.org/openembedded-core/20230405003850.384813-1-patrick@stwcx.xyz/T/#u
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Had to delete some wonky Cargo.toml files to get update_crates to work.
Manually updated one crate to a newer version included by update_crates as it would not compile.
Manually applied several crates missed by update_crates.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Now manditory via Poky commit: https://git.yoctoproject.org/poky/commit/bitbake/lib/bb/fetch2?id=4d9886e1435dba3785973cc920865f8ab67e644d
used cargo-update-recipe-crates to fixup
Drop krill.inc in favor of new crate file name
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
| |
Drop setuid-log-folder.patch, using sed instead.
Refresh patch check-setuid-use-more-portable-find-args.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently CVE-2023-22745 does not show up in kirkstone CVE report.
This fixes that.
Products from yocto's CVE check NVD database:
sqlite> select * from products where product like "tpm2%";
CVE-2017-7524|tpm2-tools_project|tpm2.0-tools|||1.1.0|<=
CVE-2020-24455|tpm2_software_stack_project|tpm2_software_stack|||2.4.3|<
CVE-2020-24455|tpm2_software_stack_project|tpm2_software_stack|3.0.0|>=|3.0.1|<
CVE-2021-3565|tpm2-tools_project|tpm2-tools|5.1|>=|5.1.1|<
CVE-2021-3565|tpm2-tools_project|tpm2-tools|||4.3.2|<
CVE-2023-22745|tpm2_software_stack_project|tpm2_software_stack|||4.0.0|<=
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
|
|
| |
Building documentation fails due to missing asciidoc, xsltproc etc
so it's better to just disable building them by default.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
Change LIC_FILES_CHKSUM to use COPYING
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
refresh patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
drop debian patch as the file was dropped upstream.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
fixup another python file to use py3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
refresh patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
| |
|
|
|
|
| |
This recipe is not maintained and will be dropped by the next LTS if nothing changes.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
