path: root/recipes-core
Commit message | Author | Age | Files | Lines
* security-test-image: add firejail and aide test suites | Armin Kuster | 2022-06-23 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add firejail | Armin Kuster | 2022-06-23 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-test-image: auto include layers if present. | Armin Kuster | 2022-06-18 | 1 | -1/+10
  This is to simplify testing to build one image and include pkgs depending on the layers included in the BBLAYERS.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop sssd | Armin Kuster | 2022-06-18 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: don't include arpwatch for musl | Armin Kuster | 2022-06-07 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop arpwatch for riscv from pkg grp | Armin Kuster | 2022-06-07 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add arpwatch and chkrootkit to pkg grp | Armin Kuster | 2022-06-07 | 1 | -0/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: fix suricata inclusion | Armin Kuster | 2022-05-14 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove pkgs | Armin Kuster | 2022-05-14 | 1 | -12/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libest: does not build with openssl 3.x | Armin Kuster | 2021-12-25 | 1 | -1/+0
  Blacklist for now. Remove from pkg grp.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* opendnssec: blacklist due to ldns being blacklisted | Armin Kuster | 2021-10-24 | 1 | -1/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dmverity: Make use of DATA_BLOCK_SIZE variable in initrdscript. | Christer Fletcher | 2021-09-28 | 1 | -1/+2
  DATA_BLOCK_SIZE variable was set in dm-verity-img.bbclass at build time but the initrdscript was not updated to pass the DATA_BLOCK_SIZE to the veritysetup. Now the functionality is complete.
  Signed-off-by: Paulo Neves <paulo.neves1@inter.ikea.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: only include suricata-ptest if rust is included | Armin Kuster | 2021-08-01 | 1 | -2/+13
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Convert to new override syntax | Armin Kuster | 2021-08-01 | 2 | -24/+24
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security.bb: fix suricata-ptest inclusion | Armin Kuster | 2021-07-28 | 1 | -2/+1
  Drop libseccomp ptest.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: rename files dir | Armin Kuster | 2021-06-29 | 2 | -1/+1
  Fixes:
    ERROR: initramfs-framework-1.0-r4 do_fetch: Fetcher failure for URL: 'file://dmverity'. Unable to fetch URL from any source.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add sshguard | Armin Kuster | 2021-06-29 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: fix typo in conditional | Armin Kuster | 2021-06-29 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop python3-scapy | Armin Kuster | 2021-06-05 | 1 | -2/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: fix YCL issue. | Armin Kuster | 2021-06-05 | 2 | -16/+17
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* busybox: drop as libseccomp is in core | Armin Kuster | 2021-06-05 | 3 | -5/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: exclude ossec-hids from musl | Armin Kuster | 2021-06-05 | 1 | -0/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add clamav-daemon | Armin Kuster | 2021-05-16 | 1 | -2/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add aide and ossec | Armin Kuster | 2021-05-16 | 1 | -0/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: fix typo for mips | Armin Kuster | 2021-05-16 | 1 | -2/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tripwire: Blacklist pkg, upstream seems abandoned | Armin Kuster | 2021-05-16 | 1 | -2/+0
  Last update was 2018. Does not build with gcc11. There are other actively maintained IDS options.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: exclude apparmor in mips64 | Armin Kuster | 2021-04-19 | 1 | -0/+3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: drop clamav-cvd | Armin Kuster | 2021-04-02 | 1 | -2/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove clamav from musl image | Armin Kuster | 2020-10-10 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: apparmor 3.0 ptest does not build | Armin Kuster | 2020-10-09 | 1 | -1/+0
  For now skip apparmor ptest.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-test-image: tweak to get more tests to run | Armin Kuster | 2020-10-09 | 1 | -1/+8
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework/dmverity: add retry loop for slow boot devices | Naveen Saini | 2020-10-09 | 1 | -27/+37
  Detection of USB devices by the kernel is slow enough. We need to keep trying for a while (default: 5 seconds, controlled by roottimeout=<seconds>) and sleep between each attempt (default: one second, rootdelay=<seconds>).
  Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4
  Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security-ptest: remove | Armin Kuster | 2020-10-01 | 1 | -27/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* security-test-image: simplify | Armin Kuster | 2020-10-01 | 2 | -24/+16
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security-ptest: remove keyutils-ptest | Armin Kuster | 2020-10-01 | 1 | -1/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add opendnssec to pkg grp | Armin Kuster | 2020-09-29 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add libest package | Armin Kuster | 2020-09-29 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add softHSM | Armin Kuster | 2020-09-29 | 1 | -0/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: add more pkgs to base group | Armin Kuster | 2020-09-18 | 1 | -4/+13
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: don't include suricata on riscv or ppc | Armin Kuster | 2020-09-12 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Drop locales from image | niko.mauno@vaisala.com | 2020-09-12 | 1 | -0/+1
  Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is not needed on this type of purpose-specific initramfs image, reset the variable which helps by shaving off almost 700kB from resulting bundled zImage-initramfs artifact.
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Add base-passwd package | niko.mauno@vaisala.com | 2020-09-12 | 1 | -0/+1
  This removes following boot-time complaints from udevd regarding missing group declarations:
    [ 6.624454] udevd[163]: specified group 'tty' unknown
    [ 6.625340] udevd[163]: specified group 'dialout' unknown
    [ 6.625692] udevd[163]: specified group 'kmem' unknown
    [ 6.626022] udevd[163]: specified group 'input' unknown
    [ 6.626541] udevd[163]: specified group 'video' unknown
    [ 6.626977] udevd[163]: specified group 'audio' unknown
    [ 6.627532] udevd[163]: specified group 'lp' unknown
    [ 6.628187] udevd[163]: specified group 'disk' unknown
    [ 6.628558] udevd[163]: specified group 'cdrom' unknown
  Size impact of this change on resulting bundled zImage-initramfs artifact is less than +1kB which is negligible.
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-initramfs-image: Cosmetic improvements | niko.mauno@vaisala.com | 2020-09-12 | 1 | -9/+11
  - revise declaration ordering as suggested by oe-stylize.py
  - sort PACKAGE_INSTALL entries in alphabetic order
  - split long command line in deploy_verity_hash()
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Use initramfs-framework | niko.mauno@vaisala.com | 2020-09-12 | 3 | -61/+3
  Switch from this layer's initramfs-dm-verity recipe to poky-provided initramfs-framework suite to manage veritysetup et al. This commit also removes initramfs-dm-verity recipe which is not referred to from elsewhere in this meta layer.
  Also update the install path of dm-verity.env from /usr/share to /usr/share/misc in order to better comply with FHS 3.0, see https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework: Add dmverity module | niko.mauno@vaisala.com | 2020-09-12 | 2 | -0/+69
  Add 'initramfs-module-dmverity' as an extension to poky upstream provided initramfs-framework suite via matchingly named bbappend file. Together with pre-existing 'initramfs-module-udev' this module can be used to facilitate dm-verity rootfs mounting from initramfs context that is bundled with Linux kernel.
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-img.bbclass: Stage verity.env file | niko.mauno@vaisala.com | 2020-09-12 | 1 | -1/+1
  Introduce new STAGING_VERITY_DIR variable specific to this bbclass which defines the directory where the verity.env file is stored during <DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can consecutively be picked up into associated initramfs rootfs (which facilitates executing 'veritysetup' and related actions).
  By doing this we mitigate failures that were thus far associated to this facility, such as
    install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory
  and
    install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Bind at do_image instead | niko.mauno@vaisala.com | 2020-09-12 | 1 | -3/+3
  Bind custom actions in this image recipe in do_image() rather than do_rootfs(), which can help shaving even dozens of seconds from duration of 'bitbake <DM_VERITY_IMAGE>' command re-execution.
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* dm-verity-image-initramfs: Ensure verity hash sync | niko.mauno@vaisala.com | 2020-09-12 | 1 | -0/+3
  In order to ensure that the bundled initramfs always contains the most recently generated DM_VERITY_IMAGE specific root filesystems' root hash, we disable the timestamp for do_rootfs() task here, meaning that the task will be re-executed whenever some task that depends on it executes.
  Without this change, executing e.g. the following sequence
    $ bitbake <DM_VERITY_IMAGE>
    $ bitbake -c clean <DM_VERITY_IMAGE>
    $ bitbake <DM_VERITY_IMAGE>
  results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like
    Mounting /dev/vda over dm-verity as the root filesystem
    [ 8.729974] device-mapper: verity: sha256 using implementation sha256-generic
    [ 8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted
    [ 8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted
    [ 8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read
    Verity device detected corruption after activation.
    [ 8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted
    [ 8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted
    [ 8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read
    ...
    [ 9.135707] EXT4-fs (dm-0): unable to read superblock
    [ 9.142897] EXT4-fs (dm-0): unable to read superblock
    [ 9.145393] EXT4-fs (dm-0): unable to read superblock
    [ 9.147905] FAT-fs (dm-0): unable to read boot sector
    mount: /new_root: can't read superblock on /dev/mapper/rootfs.
    BusyBox v1.32.0 () multi-call binary.

    Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS]

    [ 9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
    [ 9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1
    [ 9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
    ...
    [ 9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]---
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: restore riscv64 for libseccomp | Armin Kuster | 2020-07-27 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroup-core-security: remove libseccomp for riscv* | Armin Kuster | 2020-07-27 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>