Age  Commit message  Author

2021-03-09  libtpm: update to 0.8.2  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    -- V2] let include the updated changes
2021-03-02  ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic  (Ming Liu)
    This fixes the following systemd boot issues:
      [ 7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
      [ 7.457677] systemd[1]: Failed to allocate manager object: Permission denied
      [!!!!!!] Failed to allocate manager object.
      [ 7.459270] systemd[1]: Freezing execution.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02  python3-fail2ban: update to 0.11.2  (Armin Kuster)
    Drop the hard python3 patch and create it during compile.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02  suricata: update to 4.10.0  (Armin Kuster)
    This is the last 4.x. Will need rust support to move to 6.x
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02  opendnssec: update to 2.1.8  (Armin Kuster)
    Refresh libdns_conf_fix.patch.
    Drop fix_fprint.patch, included in the update.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-02  samhain: update to 4.4.3  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-03-02  python3-scapy: upgrade 2.4.3 -> 2.4.4  (Armin Kuster)

2021-03-02  python3-privacyidea: upgrade 3.3 -> 3.5.1  (Armin Kuster)

2021-03-02  libseccomp: upgrade 2.5.0 -> 2.5.1  (Armin Kuster)
    Drop patch merged in update.

2021-03-02  fscryptctl: upgrade 0.1.0 -> 1.0.0  (Armin Kuster)

2021-03-02  ding-libs: upgrade 0.5.0 -> 0.6.1  (Armin Kuster)
2021-03-02  checksec: upgrade 2.1.0 -> 2.4.0  (Armin Kuster)
    LIC_FILES_CHKSUM update due to year change.

2021-03-02  arpwatch: upgrade 3.0 -> 3.1  (Armin Kuster)
    LIC_FILES_CHKSUM update due to year change.
2021-03-02  kas-security-base.yml: drop DL_DIR  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  kas-security-base.yml: build setting updates  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  nikito: Update common-licenses references to match new names  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  scap-security-guide: Inherit python3targetconfig  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  openscap: Inherit python3targetconfig  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  python3-suricata-update: Inherit python3targetconfig  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  apparmor: Inherit python3targetconfig  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic  (Ming Liu)
    Or else wic will fail without the "--no-fstab-update" option.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-23  initramfs-framework-ima: let ima_enabled return 0  (Ming Liu)
    Otherwise, the ima script would not run as intended.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  README.md: update according to the refactoring in ima-evm-rootfs.bbclass  (Ming Liu)
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  meta: refactor IMA/EVM sign rootfs  (Ming Liu)
    The current logic in ima-evm-rootfs.bbclass does not guarantee that
    ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND by
    appending to it, for instance if other "_append" operations are being
    used, as is the case in openembedded-core/meta/classes/image.bbclass:

      | IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
      | if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
      | and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
      | False, d) else ''} reproducible_final_image_task; "

    Also, ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT,
    since the latter would impact all recipes, not only image recipes.

    To fix the above issues, we introduce an ima_evm_sign_handler that sets
    the IMA/EVM rootfs signing requirements/dependencies in the
    bb.event.RecipePreFinalise event; it checks the 'ima' distro feature to
    decide whether the IMA/EVM rootfs signing logic should be applied or not.

    Also add ima-evm-keys to IMAGE_INSTALL.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  initramfs-framework-ima: RDEPENDS on ima-evm-keys  (Ming Liu)
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  ima-evm-keys: add recipe  (Ming Liu)
    Create a recipe to package IMA/EVM public keys.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  initramfs-framework-ima: fix a wrong path  (Ming Liu)
    /etc/ima-policy -> /etc/ima/ima-policy.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty  (Ming Liu)
    'ima' does not have to be in the native DISTRO_FEATURES; unset it to
    avoid the sanity check for ima-evm-utils-native.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-02-23  softhsm: drop pkg as meta-oe has it  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-02-14  scap-security-guide: Fix openembedded platform tests and build  (Jate Sujjavanich)
    Add patches to fix openembedded nodistro tests and openembedded build
    within ssg metadata.
    Signed-Off-By: Jate Sujjavanich <jatedev@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2021-01-23  ibmswtpm2: disable camellia algorithm  (Yi Zhao)
    The openssl in oe-core has disabled several deprecated algorithms
    including camellia. Disable this algorithm to fix the build error.

    Fixes:
      TpmToOsslSym.h:185:42: error: unknown type name 'CAMELLIA_KEY'
        185 | #define tpmKeyScheduleCAMELLIA CAMELLIA_KEY
            |                                ^~~~~~~~~~~~
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-12-24  tpm2-pkcs11: build and package python tools  (Adrian Ratiu)
    Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-11-17  .gitlab-ci: drop script  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-11-15  kas-security-base: Don't create local SSTATE mirror  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-15  scap-security-guide: fix build with Python 3.9  (Yi Zhao)
    The getchildren and getiterator functions are deprecated in Python 3.9.
    Backport 3 patches to fix the build issue.

    Fixes:
      File "/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/ssg/build_stig.py", line 41, in add_references
        index = rule.getchildren().index(ref)
      AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getchildren'
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-11-03  samhain: update to 4.4.2  (Armin Kuster)
    Refresh a few patches too.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-11-03  clamav: unify volatiles file name  (Yi Zhao)
    Make the volatiles file name start with a digit.
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-11-03  suricata: unify volatiles file name  (Yi Zhao)
    Make the volatiles file name start with a digit.
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-19  gitlab-ci: add building meta-security-compliance pkgs  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-19  gitlab-ci: add meta-hardening build image  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-19  meta-security: Add gatesgarth to LAYERSERIES_COMPAT  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-19  layer.conf: use += instead of := to update BBFILES  (Sajjad Ahmed)
    Updating BBFILES with := isn't the standard way and can break parsing
    under certain conditions; instead use +=, which is widely used.
    Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  scap-security-guide: add expat-native to DEPENDS  (Mingli Yu)
    Add expat-native to DEPENDS to fix the below do_configure error:
      | CMake Error at CMakeLists.txt:165 (message):
      |   xmlwf is required!
    Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  tpm2-pkcs11: update to 1.4.0  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  tpm2-tools: update to 4.3.0  (Armin Kuster)
    LIC_FILES_CHKSUM changes due to added Copyright.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  tpm2-abrmd: update to 2.3.3  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  tpm2-totp: update to 0.2.1  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  tpm2-tss: update to 2.4.3  (Armin Kuster)
    Includes: CVE-2020-24455
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  gitlab-ci: add qemux86 and qemuarm64 musl builds  (Armin Kuster)
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

2020-10-15  kas: fixup alt configs  (Armin Kuster)
    Add smack.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>