authorAndrew Geissler <geissonator@yahoo.com>2020-10-16 18:14:32 +0300
committerAndrew Geissler <geissonator@yahoo.com>2020-10-16 18:14:41 +0300
commitd1d22e6713c601a72ff7329133cd86f30ac3d6ce (patch)
treeed4f67876b562f45b5e9ca3b3f6406445af535af /meta-security/recipes-core
parent5c4154ffa5fc7b63c57a909685a06a90a5b9c82c (diff)
downloadopenbmc-d1d22e6713c601a72ff7329133cd86f30ac3d6ce.tar.xz
meta-security: subtree update:d6baccc068..4c2f7ffd49
Adrian (1): gitignore added Armin Kuster (31): kas: build with ptest. remove apparmor softHSM: add pkg packagegroup-core-security: add softHSM libest: add recipe packagegroup-core-security: add libest package opendnssec: add recipe packagegroup-core-security: add opendnssec to pkg grp gitlab-ci: allow test to fail libseccomp: fix ptest failures. packagegroup-core-security-ptest: remove keyutils-ptest security-test-image: simplify packagegroup-core-security-ptest: remove apparmor: fix build issue with ptest enabled. security-test-image: tweak to get more tests to runn apparmor: update to 3.0 packagegroup-core-security: apparmor 3.0 ptest does not build suricata: fix compiling on gcc10 qemux86-test: add apparmor back apparmor: fix build for on musl ecryptfs-utils: fix musl build libest: fix musl build. sssd: update to latest ltm 1.16.5 packagegroup-core-security: remove clamav from musl image suricata: update to 4.1.9 kas: fixup alt configs gitlab-ci: add qemux86 and qemuarm64 musl builds tpm2-tss: update to 2.4.3 tpm2-totp: update to 0.2.1 tpm2-abrmd: update to 2.3.3 tpm2-tools: update to 4.3.0 tpm2-pkcs11: update to 1.4.0 Mingli Yu (1): scap-security-guide: add expat-native to DEPENDS Naveen Saini (3): initramfs-framework/dmverity: add retry loop for slow boot devices wic: add wks.in for intel dm-verity linux-%/5.x: Add dm-verity fragment as needed Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905
Diffstat (limited to 'meta-security/recipes-core')
-rw-r--r--meta-security/recipes-core/images/security-test-image.bb31
-rw-r--r--meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity64
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security.bb17
4 files changed, 62 insertions, 78 deletions
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index c71d7267d..54d89787f 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -1,33 +1,18 @@
DESCRIPTION = "A small image for testing meta-security packages"
+require security-build-image.bb
+
IMAGE_FEATURES += "ssh-server-openssh"
TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
INSTALL_CLAMAV_CVD = "1"
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
-export IMAGE_BASENAME = "security-test-image"
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+PTEST_EXPECT_FAILURE = "1"
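Review bot: `PTEST_EXPECT_FAILURE = "1"` at the end of the hunk is added without a comment, so the recipe does not record which ptest failures are being accepted, and the setting will keep masking new failures in an image whose purpose is to test the security packages; a comment such as `# some meta-security ptests currently fail in CI; list them here before relaxing further` naming the known failures would let a later reviewer tell an expected failure from a regression. The new `IMAGE_ROOTFS_EXTRA_SPACE = "1124288"` likewise replaces the previous value with an unexplained constant while the QB_MEM setting next to it is commented; `# extra rootfs space in KiB (~1.1 GiB): ptest data and the 1G /tmp noted below` would give it the same treatment. The package list now comes from the required security-build-image.bb, which is outside this diff, so whether TEST_SUITES still matches what is installed cannot be checked here.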
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab58..888052ccd 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@ dmverity_run() {
. /usr/share/misc/dm-verity.env
- case "${bootparam_root}" in
- ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
- ;;
- LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
- ;;
- PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
- ;;
- PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
- ;;
- PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
- ;;
- UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
- ;;
- *)
- RDEV="${bootparam_root}"
- esac
-
- if ! [ -b "${RDEV}" ]; then
- echo "Root device resolution failed"
- exit 1
- fi
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
veritysetup \
--data-block-size=1024 \
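Review bot: The initial resolution `RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"` placed before the `while` assumes a `root=PARTUUID=` parameter; for every other form the `case` handles (ID=, LABEL=, PARTLABEL=, PATH=, UUID=, or a bare device node) that first lookup cannot succeed, so the loop always pays one `sleep $delay` even when the root device is already present, and the failed `realpath` prints a spurious error on each such boot. Resolving inside the loop first and testing afterwards removes the special case, keeps the same `C * delay > timeout` budget, and lets the `case` remain the single place that maps `bootparam_root` to a device; the rewritten lines are below, with the unchanged `case` arms elided. dmverity_run() starts before the hunk and the veritysetup call continues after it, so only the retry section is shown.
```shell
    C=0
    delay=${bootparam_rootdelay:-1}
    timeout=${bootparam_roottimeout:-5}
    RDEV=""
    while :; do
        case "${bootparam_root}" in
        # … unchanged: ID=/LABEL=/PARTLABEL=/PARTUUID=/PATH=/UUID= arms …
        *)
            RDEV="${bootparam_root}"
        esac
        [ -b "${RDEV}" ] && break
        if [ $(( C * delay )) -gt "$timeout" ]; then
            fatal "Root device resolution failed"
            exit 1
        fi
        debug "Sleeping for $delay second(s) to wait root to settle..."
        sleep "$delay"
        C=$(( C + 1 ))
    done
```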
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded19..000000000
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
- ${PN} \
- "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
- ptest-runner \
- samhain-standalone-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python3-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- "
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 1d0180052..0a4452eea 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -13,6 +13,7 @@ PACKAGES = "\
packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -22,6 +23,7 @@ RDEPENDS_packagegroup-core-security = "\
packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -36,6 +38,9 @@ RDEPENDS_packagegroup-security-utils = "\
python3-privacyidea \
python3-fail2ban \
python3-scapy \
+ softhsm \
+ libest \
+ opendnssec \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
@@ -48,6 +53,7 @@ RDEPENDS_packagegroup-security-scanners = "\
checksecurity \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
"
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
RDEPENDS_packagegroup-security-audit = " \
@@ -73,3 +79,14 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
+
+RDEPENDS_packagegroup-meta-security-ptest-packages = "\
+ ptest-runner \
+ samhain-standalone-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python3-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
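Review bot: The new packagegroup-meta-security-ptest-packages defined at the top of this hunk has no `SUMMARY_` line, while the other packagegroups in this file carry one (`SUMMARY_packagegroup-security-utils`, `SUMMARY_packagegroup-security-audit`); the deleted packagegroup-core-security-ptest.bb had `SUMMARY_${PN} = "Security packages with ptests"`, so `SUMMARY_packagegroup-meta-security-ptest-packages = "Security packages with ptests"` placed before the RDEPENDS block restores that description. The feature guard `${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)}` is spelled out twice, in PACKAGES and in RDEPENDS_packagegroup-core-security, and could be a single variable so the two lists cannot drift. The RDEPENDS list itself is not conditional on the ptest feature, which appears harmless only because the package is omitted from PACKAGES when the feature is off; a one-line comment saying so would save the next reader the same check.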