Diffstat (limited to 'recipes-core')
-rw-r--r-- | recipes-core/busybox/busybox/head.cfg | 1 | ||||
-rw-r--r-- | recipes-core/busybox/busybox_%.bbappend | 1 | ||||
-rw-r--r-- | recipes-core/busybox/busybox_libsecomp.inc | 3 | ||||
-rw-r--r-- | recipes-core/images/dm-verity-image-initramfs.bb | 43 | ||||
-rw-r--r-- | recipes-core/images/security-build-image.bb | 25 | ||||
-rw-r--r-- | recipes-core/images/security-client-image.bb | 16 | ||||
-rw-r--r-- | recipes-core/images/security-server-image.bb | 19 | ||||
-rw-r--r-- | recipes-core/images/security-test-image.bb | 27 | ||||
-rw-r--r-- | recipes-core/initrdscripts/initramfs-framework-dm/dmverity | 93 | ||||
-rw-r--r-- | recipes-core/initrdscripts/initramfs-framework.inc | 16 | ||||
-rw-r--r-- | recipes-core/initrdscripts/initramfs-framework_1.0.bbappend | 1 | ||||
-rw-r--r-- | recipes-core/packagegroup/packagegroup-core-security.bb | 115 |
12 files changed, 355 insertions, 5 deletions
diff --git a/recipes-core/busybox/busybox/head.cfg b/recipes-core/busybox/busybox/head.cfg
deleted file mode 100644
index 16017ea..0000000
--- a/recipes-core/busybox/busybox/head.cfg
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_FEATURE_FANCY_HEAD=y
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend
deleted file mode 100644
index 27a2482..0000000
--- a/recipes-core/busybox/busybox_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'busybox_libsecomp.inc', '', d)}
diff --git a/recipes-core/busybox/busybox_libsecomp.inc b/recipes-core/busybox/busybox_libsecomp.inc
deleted file mode 100644
index 4af22ce..0000000
--- a/recipes-core/busybox/busybox_libsecomp.inc
+++ /dev/null
@@ -1,3 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/busybox:"
-
-SRC_URI_append = " file://head.cfg"
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb
new file mode 100644
index 0000000..4256e19
--- /dev/null
+++ b/recipes-core/images/dm-verity-image-initramfs.bb
@@ -0,0 +1,43 @@
+DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
+
+inherit core-image
+
+PACKAGE_INSTALL = " \
+ base-files \
+ base-passwd \
+ busybox \
+ cryptsetup \
+ initramfs-module-dmverity \
+ initramfs-module-udev \
+ lvm2-udevrules \
+ udev \
+ util-linux-mount \
+"
+
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
+IMAGE_NAME_SUFFIX ?= ""
+
+# Can we somehow inspect reverse dependencies to avoid these variables?
+python __anonymous() {
+ verity_image = d.getVar('DM_VERITY_IMAGE')
+ verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+
+ if verity_image and verity_type:
+ dep = ' %s:do_image_%s' % (verity_image, verity_type.replace('-', '_'))
+ d.appendVarFlag('do_image', 'depends', dep)
+}
+
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_image[nostamp] = "1"
+
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+
+deploy_verity_hash() {
+ install -D -m 0644 \
+ ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+ ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
+}
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
diff --git a/recipes-core/images/security-build-image.bb b/recipes-core/images/security-build-image.bb
new file mode 100644
index 0000000..9c82049
--- /dev/null
+++ b/recipes-core/images/security-build-image.bb
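Review bot: deploy_verity_hash runs unconditionally from IMAGE_PREPROCESS_COMMAND, but nothing checks that DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE are actually set; when either is empty the anonymous python quietly skips the do_image dependency and the install line then presumably fails on a path like `${STAGING_VERITY_DIR}/..verity.env` with an unhelpful error. Adding `else: bb.fatal('DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE must be set to build %s' % d.getVar('PN'))` to the anonymous function reports the misconfiguration up front. A comment above deploy_verity_hash would also help, e.g. `# dm-verity.env carries the root hash that anchors rootfs verification; this initramfs must itself be integrity-protected (e.g. bundled into a signed kernel) or the check is only as trustworthy as this file`.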
@@ -0,0 +1,25 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security \
+ os-release"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-build-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+
+QB_KERNEL_CMDLINE_APPEND = " ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor=1 security=apparmor', '', d)}"
+
+# We need more mem to run many apps in this layer
+QB_MEM = "-m 2048"
diff --git a/recipes-core/images/security-client-image.bb b/recipes-core/images/security-client-image.bb
new file mode 100644
index 0000000..f4ebc69
--- /dev/null
+++ b/recipes-core/images/security-client-image.bb
@@ -0,0 +1,16 @@
+DESCRIPTION = "A Client side Security example"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ os-release \
+ samhain-client \
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-client-image"
diff --git a/recipes-core/images/security-server-image.bb b/recipes-core/images/security-server-image.bb
new file mode 100644
index 0000000..4927e0e
--- /dev/null
+++ b/recipes-core/images/security-server-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A Serve side image for Security example "
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ samhain-server \
+ os-release "
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-server-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
new file mode 100644
index 0000000..81f69dd
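Review bot: The server image's DESCRIPTION is misspelled and carries a trailing space (`"A Serve side image for Security example "`); `DESCRIPTION = "A Server side image for the Security example"` reads correctly and matches the client image's wording. The three image recipes on this line repeat the same `IMAGE_LINGUAS`, `LICENSE`, `inherit core-image` and `os-release` boilerplate; a shared include would keep them in step, but that is optional.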
--- /dev/null
+++ b/recipes-core/images/security-test-image.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+require security-build-image.bb
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL:append = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+ ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
+
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
+
+PTEST_EXPECT_FAILURE = "1"
diff --git a/recipes-core/initrdscripts/initramfs-framework-dm/dmverity b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
new file mode 100644
index 0000000..1923490
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework-dm/dmverity
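Review bot: `TEST_SUITES:append = " parsec tpm2 swtpm ima"` enables those suites unconditionally, while the packagegroups that provide them a few lines up are only installed when the tpm, parsec or integrity layers are present, so on a build without those layers the test run presumably fails on missing packages instead of skipping them. Gating the append with the same `${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", " tpm2 swtpm", "", d)}` style checks keeps the two lists in step. The `IMAGE_FEATURES += "ssh-server-openssh"` line duplicates the one already brought in by `require security-build-image.bb` and can be dropped.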
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ DATA_BLOCK_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+ SEPARATE_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+
+ # we know exactly what we are looking for; don't need the wide hunt below
+ if [ "${SEPARATE_HASH}" -eq "1" ]; then
+ while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device (data) resolution failed"
+ exit 1
+ fi
+ debug "Sleeping for $delay second(s) to wait for root data to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+ done
+
+ veritysetup \
+ --data-block-size=${DATA_BLOCK_SIZE} \
+ create rootfs \
+ /dev/disk/by-partuuid/${ROOT_UUID} \
+ /dev/disk/by-partuuid/${RHASH_UUID} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+
+ return
+ fi
+
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=} 2>/dev/null)"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=} 2>/dev/null)"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=} 2>/dev/null)"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=} 2>/dev/null)"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=} 2>/dev/null)"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..." 
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
+
+ veritysetup \
+ --data-block-size=${DATA_BLOCK_SIZE} \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
diff --git a/recipes-core/initrdscripts/initramfs-framework.inc b/recipes-core/initrdscripts/initramfs-framework.inc
new file mode 100644
index 0000000..1a724d6
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework.inc
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/initramfs-framework-dm:"
+
+SRC_URI:append = "\
+ file://dmverity \
+"
+
+do_install:append() {
+ # dm-verity
+ install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES:append = " initramfs-module-dmverity"
+
+SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS:initramfs-module-dmverity = "${PN}-base"
+FILES:initramfs-module-dmverity = "/init.d/80-dmverity"
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 0000000..f5d476e
--- /dev/null
+++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
new file mode 100644
index 0000000..3ef77e5
--- /dev/null
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
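Review bot: The values sourced from /usr/share/misc/dm-verity.env in dmverity_run are never validated: if the file is missing or lacks a key, `ROOT_HASH`, `DATA_BLOCK_SIZE` and `DATA_SIZE` keep their `__not_set__` placeholder and that string is handed straight to veritysetup, which fails late in boot with an opaque error instead of naming the real problem. `[ "${SEPARATE_HASH}" -eq "1" ]` applies a numeric test to that same non-numeric default, which on most sh implementations prints a test error to the console and evaluates as false, silently falling through to the single-device path. A guard right after the `.` line, `if [ "${ROOT_HASH}" = "__not_set__" ] || [ "${DATA_BLOCK_SIZE}" = "__not_set__" ]; then fatal "dm-verity.env is missing ROOT_HASH or DATA_BLOCK_SIZE"; exit 1; fi`, turns this into a clear failure, and `[ "${SEPARATE_HASH}" = "1" ]` avoids the numeric comparison. `ROOT_UUID` and `RHASH_UUID` are also not given a placeholder default like the other four, so the separate-hash path cannot tell an unset value from one the env file provided.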
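Review bot: `RDEPENDS:initramfs-module-dmverity = "${PN}-base"` omits the tools the installed script actually runs — veritysetup, realpath and mount — so the module only works because dm-verity-image-initramfs.bb happens to list cryptsetup and util-linux-mount in PACKAGE_INSTALL itself. `RDEPENDS:initramfs-module-dmverity = "${PN}-base cryptsetup util-linux-mount"` would make the module self-contained for any initramfs image that pulls it in (presumably veritysetup comes from cryptsetup here; confirm against the packaging). The `install ${WORKDIR}/dmverity ...` line relies on install's default mode; `install -m 0755` states the intent explicitly, in line with the `-m` usage in the image recipe.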
@@ -0,0 +1,115 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-core-security \
+ packagegroup-security-utils \
+ packagegroup-security-scanners \
+ packagegroup-security-audit \
+ packagegroup-security-ids \
+ packagegroup-security-mac \
+ packagegroup-security-compliance \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
+ "
+
+RDEPENDS:packagegroup-core-security = "\
+ packagegroup-security-utils \
+ packagegroup-security-scanners \
+ packagegroup-security-audit \
+ packagegroup-security-ids \
+ packagegroup-security-mac \
+ packagegroup-security-compliance \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
+ "
+
+SUMMARY:packagegroup-security-utils = "Security utilities"
+RDEPENDS:packagegroup-security-utils = "\
+ bubblewrap \
+ checksec \
+ cryptmount \
+ ding-libs \
+ ecryptfs-utils \
+ fscryptctl \
+ glome \
+ keyutils \
+ nmap \
+ pinentry \
+ softhsm \
+ sshguard \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
+ "
+
+have_krill = "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
+RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:aarch64 = " firejail ${have_krill}"
+RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill"
+
+SUMMARY:packagegroup-security-scanners = "Security scanners"
+RDEPENDS:packagegroup-security-scanners = "\
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
+ chkrootkit \
+ isic \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \
+ "
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam"
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch"
+
+SUMMARY:packagegroup-security-audit = "Security Audit tools "
+RDEPENDS:packagegroup-security-audit = " \
+ buck-security \
+ redhat-security \
+ "
+
+SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
+RDEPENDS:packagegroup-security-ids = " \
+ samhain-standalone \
+ suricata \
+ ossec-hids \
+ aide \
+ "
+
+RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids"
+
+SUMMARY:packagegroup-security-mac = "Security Mandatory Access Control systems"
+RDEPENDS:packagegroup-security-mac = " \
+ ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
+ "
+
+RDEPENDS:packagegroup-security-mac:remove:mipsarch = "apparmor"
+
+SUMMARY:packagegroup-security-compliance = "Security Compliance applications"
+RDEPENDS:packagegroup-security-compliance = " \
+ lynis \
+ openscap \
+ scap-security-guide \
+ os-release \
+ "
+
+RDEPENDS:packagegroup-security-compliance:remove:libc-musl = "openscap scap-security-guide"
+
+RDEPENDS:packagegroup-meta-security-ptest-packages = "\
+ ptest-runner \
+ samhain-standalone-ptest \
+ ${@bb.utils.contains("BBLAYERS", "meta-rust", 
"suricata-ptest","", d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
+
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64le = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv32 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv64 = "suricata-ptest" |
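Review bot: The five `RDEPENDS:packagegroup-security-ptest-packages:remove:*` lines at the end of the hunk target a package this recipe never defines; the ptest package listed in PACKAGES is `packagegroup-meta-security-ptest-packages`, so these removes are no-ops and, when meta-rust is in BBLAYERS, suricata-ptest is still pulled on powerpc and riscv even though suricata itself is removed from packagegroup-security-ids there. Renaming them, e.g. `RDEPENDS:packagegroup-meta-security-ptest-packages:remove:powerpc = "suricata-ptest"` and likewise for the other four architectures, restores the intended filtering. The two consecutive `RDEPENDS:packagegroup-security-scanners:remove:libc-musl` assignments in the scanners stanza read more clearly as one line listing all four packages. A `SUMMARY:packagegroup-meta-security-ptest-packages` is also missing while every other subpackage here has one.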