path: root/meta-integrity
* layer.conf: Add hardknott to LAYERSERIES_COMPAT (Armin Kuster, 2021-03-18, 1 file, -1/+1)
  That's the codename for 3.3.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-keys: add file-checksums to IMA_EVM_X509 (Ming Liu, 2021-03-18, 1 file, -0/+1)
  This ensures that when an end user changes the IMA_EVM_X509 key file, the
  ima-evm-keys recipe will be rebuilt.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic (Ming Liu, 2021-03-02, 1 file, -0/+3)
  This fixes the following systemd boot issues:

  [    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
  [    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
  [!!!!!!] Failed to allocate manager object.
  [    7.459270] systemd[1]: Freezing execution.

  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic (Ming Liu, 2021-02-23, 1 file, -0/+3)
  Otherwise wic will fail without the "--no-fstab-update" option.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* initramfs-framework-ima: let ima_enabled return 0 (Ming Liu, 2021-02-23, 1 file, -0/+1)
  Otherwise, the ima script would not run as intended.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* README.md: update according to the refactoring in ima-evm-rootfs.bbclass (Ming Liu, 2021-02-23, 1 file, -1/+3)
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta: refactor IMA/EVM sign rootfs (Ming Liu, 2021-02-23, 1 file, -18/+12)
  The current logic in ima-evm-rootfs.bbclass does not guarantee that
  ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND by
  appending to it, for instance if other "_append" operations are used, as is
  the case in openembedded-core/meta/classes/image.bbclass:

  | IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
  | if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
  | and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
  | False, d) else ''} reproducible_final_image_task; "

  Also, ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT, since
  the latter would impact all recipes rather than only image recipes.

  To fix the above issues, we introduce an ima_evm_sign_handler that sets the
  IMA/EVM rootfs signing requirements/dependencies in the
  bb.event.RecipePreFinalise event; it checks the 'ima' distro feature to
  decide whether the IMA/EVM rootfs signing logic should be applied or not.

  Also add ima-evm-keys to IMAGE_INSTALL.

  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* initramfs-framework-ima: RDEPENDS on ima-evm-keys (Ming Liu, 2021-02-23, 1 file, -1/+1)
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-keys: add recipe (Ming Liu, 2021-02-23, 1 file, -0/+16)
  Create a recipe to package IMA/EVM public keys.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* initramfs-framework-ima: fix a wrong path (Ming Liu, 2021-02-23, 1 file, -1/+1)
  /etc/ima-policy > /etc/ima/ima-policy.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty (Ming Liu, 2021-02-23, 1 file, -0/+1)
  'ima' does not have to be in the native DISTRO_FEATURES; unset it to avoid
  the sanity check for ima-evm-utils-native.
  Signed-off-by: Ming Liu <liu.ming50@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-security: Add gatesgarth to LAYERSERIES_COMPAT (Armin Kuster, 2020-10-19, 1 file, -1/+1)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: use += instead of := to update BBFILES (Sajjad Ahmed, 2020-10-19, 1 file, -2/+1)
  Updating BBFILES with := isn't the standard way and can break parsing under
  certain conditions. Instead, use +=, which is widely used.
  Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-integrity: add dynamic-layer for strongswan (Armin Kuster, 2020-07-18, 1 file, -0/+4)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* strongswan: Add bbappends for ima changes (Armin Kuster, 2020-07-18, 2 files, -0/+62)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: update LAYERSERIES_COMPAT for dunfell (Martin Jansa, 2020-03-27, 1 file, -1/+1)
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-integrity: fix issues with yocto-check-layer (Armin Kuster, 2020-01-04, 6 files, -2/+18)
  [v2] re-did solutions
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-security: add layer index callouts (Armin Kuster, 2019-12-07, 1 file, -0/+2)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: Update for zeus series (Armin Kuster, 2019-10-11, 1 file, -1/+1)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* initramfs-framework-ima: correct IMA_POLICY name (Armin Kuster, 2019-09-07, 1 file, -1/+1)
  It had ima_policy_hashed, which did not match the recipe ima-policy-hashed;
  found by yocto-check-layer.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* integrity-image: IMA_EVM_KEY_DIR has no effect, remove (Armin Kuster, 2019-08-24, 1 file, -1/+0)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-integrity: remove kernel fragments now in cache (Armin Kuster, 2019-08-15, 5 files, -33/+2)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: switch to keyutils from meta-oe (Dmitry Eremin-Solenikov, 2019-08-07, 1 file, -2/+2)
  As pointed out by Martin Jansa, the keyutils package is now a part of
  meta-oe, so switch to using keyutils from that layer.
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* linux: add support for kernel modules signing (Dmitry Eremin-Solenikov, 2019-08-07, 3 files, -0/+12)
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>

* kernel-modsign.bbclass: add support for kernel modules signing (Dmitry Eremin-Solenikov, 2019-08-07, 3 files, -0/+79)
  Add bbclass responsible for handling signing of kernel modules.
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>

  fixup class to avoid including in every configure task
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-utils: bump to release 1.2.1 (Dmitry Eremin-Solenikov, 2019-08-04, 5 files, -182/+3)
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE (Dmitry Eremin-Solenikov, 2019-08-04, 4 files, -11/+11)
  data/debug-keys will be reused for demo modsign keys, so rename
  IMA_EVM_BASE to the more generic INTEGRITY_BASE.
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>

* ima-evm-utils: refresh xattr patch (lumag, 2019-08-04, 1 file, -2/+2)
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-utils: bump version (lumag, 2019-08-04, 1 file, -1/+1)
  The currently selected SRCREV (782224f33cd711050cbf6146a12122cd73f9136b)
  comes after the 1.1 ima-evm-utils release, so bump PV accordingly.
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: add dependency on meta-security (lumag, 2019-08-04, 1 file, -0/+2)
  The ima-evm-utils recipe depends on the keyutils recipe, which is a part of
  the meta-security layer.
  Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-utils: update to tip (Armin Kuster, 2019-06-26, 1 file, -1/+1)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* image: add image for testing (Armin Kuster, 2019-05-28, 1 file, -0/+22)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* runtime qa: modernize ima test (Armin Kuster, 2019-05-28, 3 files, -82/+129)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* initramfs: clean up to pull in packages. (Armin Kuster, 2019-05-28, 1 file, -8/+4)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* data: remove policies (Armin Kuster, 2019-05-28, 3 files, -110/+0)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* policy: add ima appraise all policy (Armin Kuster, 2019-05-28, 2 files, -0/+47)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima_policy_simple: add another sample policy (Armin Kuster, 2019-05-28, 2 files, -0/+22)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-policy-hashed: add new recipe (Armin Kuster, 2019-05-28, 2 files, -0/+97)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* base-files: add appending to automount securityfs (Armin Kuster, 2019-05-28, 2 files, -0/+6)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* linux: update bbappend (Armin Kuster, 2019-05-28, 1 file, -115/+2)
  remove untested code
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima.cfg: update to 5.0 kernel (Armin Kuster, 2019-05-28, 2 files, -16/+18)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* ima-evm-utils: cleanup and update to tip (Armin Kuster, 2019-05-28, 6 files, -22/+200)
  update to tip
  backported patches to fix build issues.
  fix native support
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* README: update (Armin Kuster, 2019-05-28, 1 file, -4/+1)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: add LAYERSERIES_COMPAT (Armin Kuster, 2019-05-28, 1 file, -0/+2)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-integrity: port over from meta-intel-iot-security (Armin Kuster, 2019-05-28, 30 files, -0/+1402)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>