path: root/meta-integrity
Age         Commit message                                                         Author
2021-03-04  ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic  [gatesgarth]  Ming Liu
    This fixes the following systemd boot issues:
    [ 7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
    [ 7.457677] systemd[1]: Failed to allocate manager object: Permission denied
    [!!!!!!] Failed to allocate manager object.
    [ 7.459270] systemd[1]: Freezing execution.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic  Ming Liu
    Or else wic will fail without the "--no-fstab-update" option.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  initramfs-framework-ima: let ima_enabled return 0  Ming Liu
    Otherwise, the ima script would not run as intended.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  README.md: update according to the refactoring in ima-evm-rootfs.bbclass  Ming Liu
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  meta: refactor IMA/EVM sign rootfs  Ming Liu
    The current logic in ima-evm-rootfs.bbclass does not guarantee that
    ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND by
    appending to it, for instance, if there are other "_append" being used, as
    is the case in openembedded-core/meta/classes/image.bbclass:
    | IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
    | if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
    | and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
    | False, d) else ''} reproducible_final_image_task; "
    and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT, since
    that would impact all recipes, not only image recipes.
    To fix the above issues, we introduce an ima_evm_sign_handler setting the
    IMA/EVM rootfs signing requirements/dependencies in the event
    bb.event.RecipePreFinalise; it checks the 'ima' distro feature to decide
    whether the IMA/EVM rootfs signing logic should be applied or not.
    Also add ima-evm-keys to IMAGE_INSTALL.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  initramfs-framework-ima: RDEPENDS on ima-evm-keys  Ming Liu
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  ima-evm-keys: add recipe  Ming Liu
    Create a recipe to package IMA/EVM public keys.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  initramfs-framework-ima: fix a wrong path  Ming Liu
    /etc/ima-policy > /etc/ima/ima-policy.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2021-03-04  ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty  Ming Liu
    'ima' does not have to be in native DISTRO_FEATURES; unset it to avoid the
    sanity check for ima-evm-utils-native.
    Signed-off-by: Ming Liu <liu.ming50@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-19  meta-security: Add gatesgarth to LAYERSERIES_COMPAT  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-10-15  layer.conf: use += instead of := to update BBFILES  Sajjad Ahmed
    Updating BBFILES with := isn't the standard way and can break parsing under
    certain conditions; instead use +=, which is widely used.
    Signed-off-by: Sajjad Ahmed <sajjad_ahmed@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-18  meta-integrity: add dynamic-layer for strongswan  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-07-18  strongswan: Add bbappends for ima changes  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-03-27  layer.conf: update LAYERSERIES_COMPAT for dunfell  Martin Jansa
    Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2020-01-04  meta-integrity: fix issues with yocto-check-layer  Armin Kuster
    [v2] re-did solutions
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-12-07  meta-security: add layer index callouts  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-10-11  layer.conf: Update for zeus series  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    Acked-by: Martin Jansa <Martin.Jansa@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-09-07  initramfs-framework-ima: correct IMA_POLICY name  Armin Kuster
    It had ima_policy_hashed and did not match the recipe ima-policy-hashed,
    found by yocto-check-layer.
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-24  integrity-image: IMA_EVM_KEY_DIR has no effect, remove  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-15  meta-integrity: remove kernel fragments now in cache  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-07  layer.conf: switch to keyutils from meta-oe  Dmitry Eremin-Solenikov
    As pointed out by Martin Jansa, the keyutils package is now a part of
    meta-oe, so switch to using keyutils from that layer.
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-07  linux: add support for kernel modules signing  Dmitry Eremin-Solenikov
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-08-07  kernel-modsign.bbclass: add support for kernel modules signing  Dmitry Eremin-Solenikov
    Add bbclass responsible for handling signing of kernel modules.
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    fixup class to avoid including in every configure task
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-04  ima-evm-utils: bump to release 1.2.1  Dmitry Eremin-Solenikov
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-04  meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE  Dmitry Eremin-Solenikov
    data/debug-keys will be reused for demo modsign keys, so rename
    IMA_EVM_BASE to the more generic INTEGRITY_BASE.
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-08-04  ima-evm-utils: refresh xattr patch  lumag
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-04  ima-evm-utils: bump version  lumag
    Currently selected SRCREV (782224f33cd711050cbf6146a12122cd73f9136b) comes
    after the 1.1 ima-evm-utils release, so bump PV accordingly.
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-08-04  layer.conf: add dependency on meta-security  lumag
    The ima-evm-utils recipe depends on the keyutils recipe, which is a part of
    the meta-security layer.
    Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-06-26  ima-evm-utils: update to tip  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  image: add image for testing  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  runtime qa: modernize ima test  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  initramfs: clean up to pull in packages.  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  data: remove policies  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  policy: add ima appraise all policy  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  ima_policy_simple: add another sample policy  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  ima-policy-hashed: add new recipe  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  base-files: add appending to automount securityfs  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  linux: update bbappend  Armin Kuster
    remove untested code
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  ima.cfg: update to 5.0 kernel  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  ima-evm-utils: cleanup and update to tip  Armin Kuster
    update to tip
    backported patches to fix build issues.
    fix native support
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  README: update  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  layer.conf: add LAYERSERIES_COMPAT  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-28  meta-integrity: port over from meta-intel-iot-security  Armin Kuster
    Signed-off-by: Armin Kuster <akuster808@gmail.com>