From 9de807705b27b05bbf84e9f16502fe6cdaa8928f Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Fri, 28 Apr 2023 08:23:16 -0400
Subject: ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch

Signed-off-by: Stefan Berger
Signed-off-by: Armin Kuster
---
 ...generation-using-ioctl-when-evm_portable-.patch | 35 ++++++++++++++++++++++
 .../ima-evm-utils/ima-evm-utils_1.4.bb             | 25 ----------------
 .../ima-evm-utils/ima-evm-utils_1.5.bb             | 30 +++++++++++++++++++
 3 files changed, 65 insertions(+), 25 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
(limited to 'meta-integrity')
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..3624576
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,35 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger
+---
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ if (mode_str)
+ st.st_mode = strtoul(mode_str, NULL, 10);
+ 
+- if (!evm_immutable) {
++ if (!evm_immutable && !evm_portable) {
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+ 
+---
+2.39.2
+
+
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
deleted file mode 100644
index 873aeeb..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
+++ /dev/null
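Review bot: The added patch file carries no `Upstream-Status:` tag in its header, which the OpenEmbedded patch-status checks expect for every patch a recipe applies, so a reader cannot tell whether this is a local work-around or something upstream has already taken. Add a line between the `Subject:` and the body, `Upstream-Status: Submitted [<mailing-list or PR URL, placeholder>]`, or `Upstream-Status: Backport [<upstream commit id, placeholder>]` if it has already landed upstream. The one-line C change itself is consistent with the patch description: a portable signature is computed without the inode generation, so skipping the ioctl when `evm_portable` is set removes a dependency on filesystem support the signature does not need. The enclosing `calc_evm_hash` starts and ends outside the quoted evmctl.c hunk, so the handling of `fd` after `open(file, 0)` is not visible here.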
@@ -1,25 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS += "openssl attr keyutils"
-
-DEPENDS:class-native += "openssl-native keyutils-native"
-
-SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
-SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
-
-inherit pkgconfig autotools features_check
-
-REQUIRED_DISTRO_FEATURES = "ima"
-REQUIRED_DISTRO_FEATURES:class-native = ""
-
-EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
-EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
new file mode 100644
index 0000000..8ac080c
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS:class-native += "openssl-native keyutils-native"
+
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES:class-native = ""
+
+EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
+EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
-- cgit v1.2.3-54-g00ecf
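Review bot: `FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"` puts the recipe's own patch directory at the end of the file search path rather than the front, so a same-named `0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch` found earlier in FILESEXTRAPATHS (for example from a bbappend in another layer) would silently win over the one this recipe ships; the usual form is `FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"`. The immediate `:=` is right either way, since `${THISDIR}` must be expanded while this file is being parsed. The switch of SRC_URI from the sourceforge tarball to the GitHub release asset is pinned by the new `SRC_URI[sha256sum]`, which is the check that matters for a fetched source archive.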