diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2021-03-06 00:22:30 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-03-15 14:02:06 +0300 |
| commit | 8b1392834def7d17263b45bd1aab35759235fb3e (patch) | |
| tree | 8c15f7cbef2b020a8f41839f56be0c02f57ac39c /meta-security/meta-integrity | |
| parent | 3e34fba3f6b8389074f64203299fa60ec0fc18e1 (diff) | |
| download | openbmc-8b1392834def7d17263b45bd1aab35759235fb3e.tar.xz | |
meta-security: subtree update:6053e8b8e2..9504d02694
Armin Kuster (19):
softhsm: drop pkg as meta-oe has it
apparmor: Inherit python3targetconfig
python3-suricata-update: Inherit python3targetconfig
openscap: Inherit python3targetconfig
scap-security-guide: Inherit python3targetconfig
nikito: Update common-licenses references to match new names
kas-security-base.yml: build setting updates
kas-security-base.yml: drop DL_DIR
arpwatch: upgrade 3.0 -> 3.1
checksec: upgrade 2.1.0 -> 2.4.0
ding-libs: upgrade 0.5.0 -> 0.6.1
fscryptctl: upgrade 0.1.0 -> 1.0.0
libseccomp: upgrade 2.5.0 -> 2.5.1
python3-privacyidea: upgrade 3.3 -> 3.5.1
python3-scapy: upgrade 2.4.3 -> 2.4.4
samhain: update to 4.4.3
opendnssec: update to 2.1.8
suricata: update to 4.10.0
python3-fail2ban: update to 0.11.2
Jate Sujjavanich (1):
scap-security-guide: Fix openembedded platform tests and build
Ming Liu (9):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework-ima: fix a wrong path
ima-evm-keys: add recipe
initramfs-framework-ima: RDEPENDS on ima-evm-keys
meta: refactor IMA/EVM sign rootfs
README.md: update according to the refactoring in ima-evm-rootfs.bbclass
initramfs-framework-ima: let ima_enabled return 0
ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
Yi Zhao (1):
ibmswtpm2: disable camellia algorithm
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ic7dc6f5425a1493ac0534e10ed682662d109e60c
Diffstat (limited to 'meta-security/meta-integrity')
7 files changed, 41 insertions, 21 deletions
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 460794878..5048fba1e 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -73,8 +73,10 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: - INHERIT += "ima-evm-rootfs" + IMAGE_CLASSES += "ima-evm-rootfs" IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" + IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index d6ade3bf9..0acd6e7aa 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" # the iversion flags (needed by IMA when allowing writing). IMA_EVM_ROOTFS_IVERSION ?= "" +# Avoid re-generating fstab when ima is enabled. +WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" + ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} @@ -37,15 +40,6 @@ ima_evm_sign_rootfs () { # reasons (including a change of the signing keys) without also # re-running do_rootfs. - # Copy file(s) which must be on the device. Note that - # evmctl uses x509_evm.der also for "ima_verify", which is probably - # a bug (should default to x509_ima.der). Does not matter for us - # because we use the same key for both. - install -d ./${sysconfdir}/keys - rm -f ./${sysconfdir}/keys/x509_evm.der - install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der - ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der - # Fix /etc/fstab: it must include the "i_version" mount option for # those file systems where writing files is allowed, otherwise # these changes will not get detected at runtime. @@ -80,13 +74,16 @@ ima_evm_sign_rootfs () { } # Signing must run as late as possible in the do_rootfs task. -# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so -# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with -# _append instead of += because _append gets evaluated later. In -# particular, we must run after prelink_image in -# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables. +# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in +# RecipePreFinalise event handler, this ensures it's the last +# function in IMAGE_PREPROCESS_COMMAND. +python ima_evm_sign_handler () { + if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split(): + return -IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; " - -# evmctl must have been installed first. -do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot" + e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; ') + e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys') + e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:do_populate_sysroot') +} +addhandler ima_evm_sign_handler +ima_evm_sign_handler[eventmask] = "bb.event.RecipePreFinalise" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index dacdc8bf0..77f6f7cff 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -27,5 +27,5 @@ do_install () { FILES_${PN} = "/init.d ${sysconfdir}" -RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}" RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima index 8616f9924..cff26a335 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -6,6 +6,7 @@ ima_enabled() { if [ "$bootparam_no_ima" = "true" ]; then return 1 fi + return 0 } ima_run() { @@ -46,7 +47,7 @@ ima_run() { # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when # checking the write of each line. To minimize the risk of policy loading going wrong we # also remove comments and blank lines ourselves. - if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then fatal "Could not load IMA policy." fi } diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb new file mode 100644 index 000000000..62685bbb0 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb @@ -0,0 +1,16 @@ +SUMMARY = "IMA/EMV public keys" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit features_check +REQUIRED_DISTRO_FEATURES = "ima" + +ALLOW_EMPTY_${PN} = "1" + +do_install () { + if [ -e "${IMA_EVM_X509}" ]; then + install -d ${D}/${sysconfdir}/keys + install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der + lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der + fi +} diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index 7f649c2d6..bd8558303 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -26,6 +26,7 @@ S = "${WORKDIR}/git" inherit pkgconfig autotools features_check REQUIRED_DISTRO_FEATURES = "ima" +REQUIRED_DISTRO_FEATURES_class-native = "" EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed index 7f89c8d98..4d9e4ca50 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -53,6 +53,9 @@ dont_measure fsmagic=0x43415d53 # CGROUP_SUPER_MAGIC dont_appraise fsmagic=0x27e0eb dont_measure fsmagic=0x27e0eb +# CGROUP2_SUPER_MAGIC +dont_appraise fsmagic=0x63677270 +dont_measure fsmagic=0x63677270 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 dont_measure fsmagic=0xde5e81e4 |