summaryrefslogtreecommitdiffstats
path: root/meta-integrity
Commit message (Collapse)AuthorAgeFilesLines
* ima-evm-utils: Update ima-evm-utils to v1.5 and add a patchStefan Berger2023-05-062-2/+42
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux: overlayfs: Add kernel patch resolving a file change notification issueStefan Berger2023-05-062-0/+43
| | | | | | | | | | | | | Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue will be resolved in later kernels with the following patch that builds on newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1: https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity: Update the README for IMA supportStefan Berger2023-05-061-9/+11
| | | | | | | Update the README describing how IMA support can be used. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Sign all executables and the ima-policy in the root filesystemStefan Berger2023-05-061-5/+20
| | | | | Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICYStefan Berger2023-05-062-3/+3
| | | | | | | | | The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Fix the IMA kernel featureStefan Berger2023-05-067-251/+63
| | | | | | | | Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Fix the ima_policy_appraise_all to appraise executables & librariesStefan Berger2023-05-061-1/+8
| | | | | | | | | Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Document and replace keys and adapt scripts for EC keysStefan Berger2023-05-068-62/+50
| | | | | | | | | | For shorted file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: disable documentation from buildMikko Rapeli2023-03-261-0/+1
| | | | | | | | Building documentation fails due to missing asciidoc, xsltproc etc so it's better to just disable building them by default. Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: update LAYERSERIES_COMPAT for mickledoreMartin Jansa2023-01-041-1/+1
| | | | | | | | * oe-core switched to mickedore in: https://git.openembedded.org/openembedded-core/commit/?id=57239d66b933c4313cf331d35d13ec2d0661c38f Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: kernel-modsign: prevents splitting out debug symbolsJose Quaresma2022-07-051-0/+2
| | | | | | | | | | Starting with [1] kernel modules symbols is being slipped in OE-core and this breaks the kernel modules sign, so disable it. [1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Post release codename changesArmin Kuster2022-06-071-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: Update to 1.4Armin Kuster2022-05-234-181/+2
| | | | | | | | | | | | | Switch from git to https in SRC_URI Drop patches not upstreamed. Passes OEQA: RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.05s) RESULTS - ima.IMACheck.test_ima_hash: PASSED (6.13s) RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (131.31s) RESULTS - ima.IMACheck.test_ima_signature: PASSED (69.03s) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-keys: don't use lnrArmin Kuster2022-03-111-1/+1
| | | | | | | | | | | | lnr is a script in oe-core that creates relative symlinks, with the same behaviour as `ln --relative --symlink`. It was added back in 2014[1] as not all of the supported host distributions at the time shipped coreutils 8.16, the first release with --relative. However the oldest coreutils release in the supported distributions is now 8.22 in CentOS 7, so lnr can be deprecated and users switched to ln. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to use kirkstoneArmin Kuster2022-02-201-1/+1
| | | | | | | Update the layers to use the kirkstone namespace. No compatibility is made for honister due to the variable renaming. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: drop strongswan bbappendsArmin Kuster2021-12-272-62/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: kernel-modsign: Change weak default valueDaiane Angolini2021-08-261-1/+1
| | | | | | | | Assign a weak default value for MODSIGN_KEY_DIR so the other layers can set a default value for them as well. Signed-off-by: Daiane Angolini <daiane.angolini@foundries.io> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to honisterMartin Jansa2021-08-011-1/+1
| | | | | | | This marks the layers as compatible with honister now they use the new override syntax. Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* meta-integrity: Convert to new override syntaxArmin Kuster2021-08-0115-28/+28
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity/recipe-kernel: use sanity checkArmin Kuster2021-06-062-5/+6
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: add sanity checkArmin Kuster2021-06-063-1/+31
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: introduce IMA_FORCEMing Liu2021-04-122-2/+12
| | | | | | | | | | | | | | Introduce IMA_FORCE to allow the IMA policy be applied forcely even 'no_ima' boot parameter is available. This ensures the end users have a way to disable 'no_ima' support if they want to, because it may expose a security risk if an attacker can find a way to change kernel arguments, it will easily bypass rootfs authenticity checks. Signed-off-by: Sergio Prado <sergio.prado@toradex.com> Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta: drop IMA_POLICY from policy recipesMing Liu2021-04-023-21/+6
| | | | | | | | | | | | IMA_POLICY is being referred as policy recipe name in some places and it is also being referred as policy file in other places, they are conflicting with each other which make it impossible to set a IMA_POLICY global variable in config file. Fix it by dropping IMA_POLICY definitions from policy recipes Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Add hardknott to LAYERSERIES_COMPATArmin Kuster2021-03-181-1/+1
| | | | | | Thats codename for 3.3 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-keys: add file-checksums to IMA_EVM_X509Ming Liu2021-03-181-0/+1
| | | | | | | | This ensures when a end user change the IMA_EVM_X509 key file, ima-evm-keys recipe will be rebuilt. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagicMing Liu2021-03-021-0/+3
| | | | | | | | | | | This fixes following systemd boot issues: [ 7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied [ 7.457677] systemd[1]: Failed to allocate manager object: Permission denied [!!!!!!] Failed to allocate manager object. [ 7.459270] systemd[1]: Freezing execution. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wicMing Liu2021-02-231-0/+3
| | | | | | | Or else wic will fail without "--no-fstab-update" option. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: let ima_enabled return 0Ming Liu2021-02-231-0/+1
| | | | | | | Otherwise, ima script would not run as intended. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: update according to the refactoring in ima-evm-rootfs.bbclassMing Liu2021-02-231-1/+3
| | | | | Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta: refactor IMA/EVM sign rootfsMing Liu2021-02-231-18/+12
| | | | | | | | | | | | | | | | | | | | | | | | | The current logic in ima-evm-rootfs.bbclass does not guarantee ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND by appending to it, for instance, if there are other "_append" being used as it's the case in openembedded-core/meta/classes/image.bbclass: | IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \ | if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \ | and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, | False, d) else ''} reproducible_final_image_task; " and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT since that would impact all recipes but not only image recipes. To fix the above issues, we introduce a ima_evm_sign_handler setting IMA/EVM rootfs signing requirements/dependencies in event bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if IMA/EVM rootfs signing logic should be applied or not. Also add ima-evm-keys to IMAGE_INSTALL. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: RDEPENDS on ima-evm-keysMing Liu2021-02-231-1/+1
| | | | | Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-keys: add recipeMing Liu2021-02-231-0/+16
| | | | | | | Create a recipe to package IMA/EMV public keys. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: fix a wrong pathMing Liu2021-02-231-1/+1
| | | | | | | /etc/ima-policy > /etc/ima/ima-policy. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to emptyMing Liu2021-02-231-0/+1
| | | | | | | | 'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid sanity check for ima-evm-utils-native. Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Add gatesgarth to LAYERSERIES_COMPATArmin Kuster2020-10-191-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: use += instead of := to update BBFILESSajjad Ahmed2020-10-191-2/+1
| | | | | | | | Updating BBFILES with := isn't the standard way and can break parsing under certain conditions, instead use += which is widely used. Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: add dynamic-layer for strongswanArmin Kuster2020-07-181-0/+4
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* strongswan: Add bbappends for ima changesArmin Kuster2020-07-182-0/+62
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: update LAYERSERIES_COMPAT for dunfellMartin Jansa2020-03-271-1/+1
| | | | | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: fix issues with yocto-check-layerArmin Kuster2020-01-046-2/+18
| | | | | | | [v2] re-did solutions Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: add layer index calloutsArmin Kuster2019-12-071-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update for zeus seriesArmin Kuster2019-10-111-1/+1
| | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> Acked-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: correct IMA_POLICY nameArmin Kuster2019-09-071-1/+1
| | | | | | | | | it had ima_policy_hashed and did not match the recipe ima-policy-hashed found by yocto-check-layer Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image: IMA_EVM_KEY_DIR has no affect, removeArmin Kuster2019-08-241-1/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: remove kernel fragments now in cacheArmin Kuster2019-08-155-33/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: switch to keyutils from meta-oeDmitry Eremin-Solenikov2019-08-071-2/+2
| | | | | | | | As pointer by Martin Jansa, keyutils package is now a part of meta-oe, so switch to using keyutils from that layer. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux: add support for kernel modules signingDmitry Eremin-Solenikov2019-08-073-0/+12
| | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
* kernel-modsign.bbclass: add support for kernel modules signingDmitry Eremin-Solenikov2019-08-073-0/+79
| | | | | | | | | | Add bbclass responsible for handling signing of kernel modules. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> fixup class to avoid including in every configure task Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: bump to release 1.2.1Dmitry Eremin-Solenikov2019-08-045-182/+3
| | | | | Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASEDmitry Eremin-Solenikov2019-08-044-11/+11
| | | | | | | data/debug-keys will be reused for demo modsign keys, so rename IMA_EVM_BASE to more generic INTEGRITY_BASE. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-04 11:02:54 +0000