diff options
13 files changed, 55 insertions, 30 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3a1687c..1442239 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,7 +19,6 @@ stages: - done - cd $CI_PROJECT_DIR - rm -rf build - - $CI_PROJECT_DIR/scripts/ci-cleanup.sh cache: paths: - layers diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml index ba0e0f8..d6c6964 100644 --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml @@ -14,7 +14,7 @@ repos: poky: url: https://git.yoctoproject.org/git/poky - refspec: master + refspec: gatesgarth layers: meta: meta-poky: @@ -22,7 +22,7 @@ repos: meta-openembedded: url: http://git.openembedded.org/meta-openembedded - refspec: master + refspec: gatesgarth layers: meta-oe: meta-perl: @@ -34,13 +34,19 @@ local_conf_header: CONF_VERSION = "1" SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" - SSTATE_DIR = "/home/srv/sstate/master" - DL_DIR = "/home/srv/downloads/master" BB_HASHSERVE = "auto" BB_SIGNATURE_HANDLER = "OEEquivHash" INHERIT += "buildstats buildstats-summary buildhistory" INHERIT += "report-error" INHERIT += "testimage" + INHERIT += "rm_work" + BB_NUMBER_THREADS="24" + BB_NUMBER_PARSE_THREADS="12" + PARALLEL_MAKE="-j 8" + BB_TASK_NICE_LEVEL = '5' + BB_TASK_NICE_LEVEL_task-testimage = '0' + BB_TASK_IONICE_LEVEL = '2.7' + BB_TASK_IONICE_LEVEL_task-testimage = '2.1' TEST_QEMUBOOT_TIMEOUT = "1500" EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" diff --git a/meta-integrity/README.md b/meta-integrity/README.md index 4607948..5048fba 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -73,8 +73,10 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: - INHERIT += "ima-evm-rootfs" + IMAGE_CLASSES += "ima-evm-rootfs" IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" + IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index d6ade3b..0acd6e7 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" # the iversion flags (needed by IMA when allowing writing). IMA_EVM_ROOTFS_IVERSION ?= "" +# Avoid re-generating fstab when ima is enabled. +WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" + ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} @@ -37,15 +40,6 @@ ima_evm_sign_rootfs () { # reasons (including a change of the signing keys) without also # re-running do_rootfs. - # Copy file(s) which must be on the device. Note that - # evmctl uses x509_evm.der also for "ima_verify", which is probably - # a bug (should default to x509_ima.der). Does not matter for us - # because we use the same key for both. - install -d ./${sysconfdir}/keys - rm -f ./${sysconfdir}/keys/x509_evm.der - install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der - ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der - # Fix /etc/fstab: it must include the "i_version" mount option for # those file systems where writing files is allowed, otherwise # these changes will not get detected at runtime. @@ -80,13 +74,16 @@ ima_evm_sign_rootfs () { } # Signing must run as late as possible in the do_rootfs task. -# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so -# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with -# _append instead of += because _append gets evaluated later. In -# particular, we must run after prelink_image in -# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables. +# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in +# RecipePreFinalise event handler, this ensures it's the last +# function in IMAGE_PREPROCESS_COMMAND. +python ima_evm_sign_handler () { + if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split(): + return -IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; " - -# evmctl must have been installed first. -do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot" + e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; ') + e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys') + e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:do_populate_sysroot') +} +addhandler ima_evm_sign_handler +ima_evm_sign_handler[eventmask] = "bb.event.RecipePreFinalise" diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index dacdc8b..77f6f7c 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -27,5 +27,5 @@ do_install () { FILES_${PN} = "/init.d ${sysconfdir}" -RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index 8616f99..cff26a3 100644 --- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -6,6 +6,7 @@ ima_enabled() { if [ "$bootparam_no_ima" = "true" ]; then return 1 fi + return 0 } ima_run() { @@ -46,7 +47,7 @@ ima_run() { # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when # checking the write of each line. To minimize the risk of policy loading going wrong we # also remove comments and blank lines ourselves. - if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then fatal "Could not load IMA policy." fi } diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb new file mode 100644 index 0000000..62685bb --- /dev/null +++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "IMA/EMV public keys" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit features_check +REQUIRED_DISTRO_FEATURES = "ima" + +ALLOW_EMPTY_${PN} = "1" + +do_install () { + if [ -e "${IMA_EVM_X509}" ]; then + install -d ${D}/${sysconfdir}/keys + install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der + lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der + fi +} diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index 7f649c2..bd85583 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -26,6 +26,7 @@ S = "${WORKDIR}/git" inherit pkgconfig autotools features_check REQUIRED_DISTRO_FEATURES = "ima" +REQUIRED_DISTRO_FEATURES_class-native = "" EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed index 7f89c8d..4d9e4ca 100644 --- a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed +++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -53,6 +53,9 @@ dont_measure fsmagic=0x43415d53 # CGROUP_SUPER_MAGIC dont_appraise fsmagic=0x27e0eb dont_measure fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC +dont_appraise fsmagic=0x63677270 +dont_measure fsmagic=0x63677270 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 dont_measure fsmagic=0xde5e81e4 diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index afa576a..812ea9f 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -11,7 +11,7 @@ DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native S = "${WORKDIR}/git" -inherit cmake pkgconfig python3native perlnative +inherit cmake pkgconfig python3native python3targetconfig perlnative PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 32fce0f..d1a9511 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -10,7 +10,7 @@ DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native l S = "${WORKDIR}/git" -inherit cmake pkgconfig python3native +inherit cmake pkgconfig python3native python3targetconfig STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe" diff --git a/recipes-ids/suricata/python3-suricata-update_1.1.1.bb b/recipes-ids/suricata/python3-suricata-update_1.1.1.bb index 0070b5b..732ca9a 100644 --- a/recipes-ids/suricata/python3-suricata-update_1.1.1.bb +++ b/recipes-ids/suricata/python3-suricata-update_1.1.1.bb @@ -10,6 +10,6 @@ SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'" S = "${WORKDIR}/git" -inherit python3native setuptools3 +inherit python3native python3targetconfig setuptools3 RDEPENDS_${PN} = "python3-pyyaml" diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.0.bb index 35e95a0..015205d 100644 --- a/recipes-mac/AppArmor/apparmor_3.0.bb +++ b/recipes-mac/AppArmor/apparmor_3.0.bb @@ -39,7 +39,7 @@ PARALLEL_MAKE = "" COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion +inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion REQUIRED_DISTRO_FEATURES = "apparmor" |