diff options
author | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-07-30 00:16:52 +0300 |
---|---|---|
committer | Jason M. Bills <jason.m.bills@linux.intel.com> | 2021-07-30 00:16:52 +0300 |
commit | bb6a14e2f317abf60677c6ad8de9c33d5760bf36 (patch) | |
tree | 00457d3677e86437cec25fd7dab6c4513a53b1a4 /meta-security/meta-integrity | |
parent | defdca82c107f46e980c84bffb1b2c1263522fa0 (diff) | |
parent | cf6fd27dbd8e2d1b507f8c3752b85801b2c6ef57 (diff) | |
download | openbmc-bb6a14e2f317abf60677c6ad8de9c33d5760bf36.tar.xz |
Merge tag '0.63' of ssh://git-amr-1.devtools.intel.com:29418/openbmc-openbmc into update
Diffstat (limited to 'meta-security/meta-integrity')
5 files changed, 37 insertions, 6 deletions
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 5048fba1e..8254b0d94 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -1,8 +1,24 @@ This README file contains information on the contents of the integrity layer. -Please see the corresponding sections below for details. +The bbappend files for some recipes (e.g. linux-yocto) in this layer need +to have 'integrity' in DISTRO_FEATURES to have effect. +To enable them, add in configuration file the following line. + + DISTRO_FEATURES_append = " integrity" + +If meta-integrity is included, but integrity is not enabled as a +distro feature a warning is printed at parse time: + + You have included the meta-integritry layer, but + 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files + and preferred version setting may not take effect. + +If you know what you are doing, this warning can be disabled by setting the following +variable in your configuration: + + SKIP_META_INTEGRITY_SANITY_CHECK = 1 Dependencies ============ diff --git a/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass new file mode 100644 index 000000000..6ba7e3f26 --- /dev/null +++ b/meta-security/meta-integrity/classes/sanity-meta-integrity.bbclass @@ -0,0 +1,10 @@ +addhandler integrity_bbappend_distrocheck +integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" +python integrity_bbappend_distrocheck() { + skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1" + if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: + bb.warn("You have included the meta-integrity layer, but \ +'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ +and preferred version setting may not take effect. See the meta-integrity README \ +for details on enabling integrity support.") +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index ba028da7e..37776f818 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -26,6 +26,10 @@ LAYERDEPENDS_integrity = "core openembedded-layer" BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity" +# Sanity check for meta-integrity layer. +# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check. +INHERIT += "sanity-meta-integrity" + BBFILES_DYNAMIC += " \ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ " diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend index f9a48cd05..be60bfeac 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,5 +1 @@ -KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" - -KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" - -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc new file mode 100644 index 000000000..f9a48cd05 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -0,0 +1,5 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" + +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} |