meta-security: subtree update:775870980b..ca9264b1e1

Anton Antonov (4): Use libest "main" branch instead of "master". Add meta-parsec layer into meta-security. Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI Clearly define clang toolchain in Parsec recipes Armin Kuster (16): packagegroup-core-security: drop clamav-cvd clamav: upgrade 104.0 python3-privacyidea: upgrade 3.5.1 -> 3.5.2 clamav: fix systemd service install swtpm: now need python-cryptography, pull in layer swtpm: file pip3 issue swtpm: fix check for tscd deamon on host python3-suricata-update: update to 1.2.1 suricata: update to 6.0.2 layer.conf: add dynamic-layer for rust pkg README: cleanup .gitlab-ci.yml: reorder to speed up builds kas-security-base.yml: tweek build vars gitlab-ci: fine tune order clamav: remove rest of mirror.dat ref lkrg-module: Add Linux Kernel Runtime Guard Ming Liu (2): meta: drop IMA_POLICY from policy recipes initramfs-framework-ima: introduce IMA_FORCE Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
author: Andrew Geissler <geissonator@yahoo.com> 2021-04-15 23:52:46 +0300
committer: Brad Bishop <bradleyb@fuzziesquirrel.com> 2021-04-19 16:32:18 +0300
commit: f1e440673465aa768f31e78c0c201002f9f767b7 (patch)
tree: 44dffb1d845b35c3f4bf0629a622d8ae04abda41 /meta-security/meta-integrity
parent: 636aaa195862ab9a5442c3178e38266debab3bff (diff)
download: openbmc-f1e440673465aa768f31e78c0c201002f9f767b7.tar.xz
5 files changed, 18 insertions, 23 deletions
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 77f6f7cff..6471c532c 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -14,6 +14,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima-policy-hashed"
 
+# Force proceed IMA procedure even 'no_ima' boot parameter is available.
+IMA_FORCE ?= "false"
+
 SRC_URI = " file://ima"
 
 inherit features_check
@@ -23,6 +26,8 @@ do_install () {
     install -d ${D}/${sysconfdir}/ima
     install -d ${D}/init.d
     install ${WORKDIR}/ima  ${D}/init.d/20-ima
+
+    sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
 }
 
 FILES_${PN} = "/init.d ${sysconfdir}"
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index cff26a335..897149494 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -2,11 +2,16 @@
 #
 # Loads IMA policy into the kernel.
 
+force_ima=@@FORCE_IMA@@
+
 ima_enabled() {
-    if [ "$bootparam_no_ima" = "true" ]; then
+    if [ "$force_ima" = "true" ]; then
+        return 0
+    elif [ "$bootparam_no_ima" = "true" ]; then
         return 1
+    else
+        return 0
     fi
-    return 0
 }
 
 ima_run() {
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index da62a4cf8..84ea16120 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple appraise policy "
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_appraise_all"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_appraise_all"
 
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "ima"
 
 do_install () {
     install -d ${D}/${sysconfdir}/ima
-    install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+    install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
 }
 
 FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ebb042646..ff7169ef5 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -2,13 +2,8 @@ SUMMARY = "IMA sample hash policy"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_hashed"
-
 SRC_URI = " \
-    file://${IMA_POLICY} \
+    file://ima_policy_hashed \
 "
 
 inherit features_check
@@ -16,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "ima"
 
 do_install () {
     install -d ${D}/${sysconfdir}/ima
-    install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+    install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
 }
 
 FILES_${PN} = "${sysconfdir}/ima"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index cb4b6b8ab..0e56aec51 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -2,19 +2,14 @@ SUMMARY = "IMA sample simple policy"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
-# This policy file will get installed as /etc/ima/ima-policy.
-# It is located via the normal file search path, so a .bbappend
-# to this recipe can just point towards one of its own files.
-IMA_POLICY ?= "ima_policy_simple"
-
-SRC_URI = " file://${IMA_POLICY}"
+SRC_URI = " file://ima_policy_simple"
 
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "ima"
 
 do_install () {
     install -d ${D}/${sysconfdir}/ima
-    install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+    install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
 }
 
 FILES_${PN} = "${sysconfdir}/ima"
author	Andrew Geissler <geissonator@yahoo.com>	2021-04-15 23:52:46 +0300
committer	Brad Bishop <bradleyb@fuzziesquirrel.com>	2021-04-19 16:32:18 +0300
commit	f1e440673465aa768f31e78c0c201002f9f767b7 (patch)
tree	44dffb1d845b35c3f4bf0629a622d8ae04abda41 /meta-security/meta-integrity
parent	636aaa195862ab9a5442c3178e38266debab3bff (diff)
download	openbmc-f1e440673465aa768f31e78c0c201002f9f767b7.tar.xz