author | Andrew Geissler <geissonator@yahoo.com> | 2021-04-15 23:52:46 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-04-19 16:32:18 +0300 |
commit | f1e440673465aa768f31e78c0c201002f9f767b7 (patch) | |
tree | 44dffb1d845b35c3f4bf0629a622d8ae04abda41 /meta-security/recipes-kernel | |
parent | 636aaa195862ab9a5442c3178e38266debab3bff (diff) | |
download | openbmc-f1e440673465aa768f31e78c0c201002f9f767b7.tar.xz |
meta-security: subtree update:775870980b..ca9264b1e1
Anton Antonov (4):
Use libest "main" branch instead of "master".
Add meta-parsec layer into meta-security.
Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
Clearly define clang toolchain in Parsec recipes
Armin Kuster (16):
packagegroup-core-security: drop clamav-cvd
clamav: upgrade 104.0
python3-privacyidea: upgrade 3.5.1 -> 3.5.2
clamav: fix systemd service install
swtpm: now need python-cryptography, pull in layer
swtpm: file pip3 issue
swtpm: fix check for tscd deamon on host
python3-suricata-update: update to 1.2.1
suricata: update to 6.0.2
layer.conf: add dynamic-layer for rust pkg
README: cleanup
.gitlab-ci.yml: reorder to speed up builds
kas-security-base.yml: tweek build vars
gitlab-ci: fine tune order
clamav: remove rest of mirror.dat ref
lkrg-module: Add Linux Kernel Runtime Guard
Ming Liu (2):
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
Diffstat (limited to 'meta-security/recipes-kernel')
-rw-r--r-- | meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch | 73 | ||||
-rw-r--r-- | meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb | 33 |
2 files changed, 106 insertions, 0 deletions
diff --git a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
new file mode 100644
index 000000000..106dc3f1e
--- /dev/null
+++ b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Pending
+
+This needs more work. Its my starting point.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: lkrg-0.9.0/Makefile
+===================================================================
+--- lkrg-0.9.0.orig/Makefile
++++ lkrg-0.9.0/Makefile
+@@ -4,28 +4,10 @@
+ # Author:
+ # - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ ##
+-
+-P_OUTPUT = output
+ P_PWD ?= $(shell pwd)
+-P_KVER ?= $(shell uname -r)
+-P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+-TARGET := p_lkrg
+-ifneq ($(KERNELRELEASE),)
+- KERNEL := /lib/modules/$(KERNELRELEASE)/build
+-else
+- ## KERNELRELEASE not set.
+- KERNEL := /lib/modules/$(P_KVER)/build
+-endif
+-
+-#
+-# Uncomment for debug compilation
+-#
+-# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
+-# ccflags-y := ${ccflags-m}
+-# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
+
+-obj-m += $(TARGET).o
+-$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
++obj-m := p_lkrg.o
++p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
+ src/modules/hashing/p_lkrg_fast_hash.o \
+ src/modules/comm_channel/p_comm_channel.o \
+ src/modules/integrity_timer/p_integrity_timer.o \
+@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+ src/p_lkrg_main.o
+
+
+-all:
+-# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
+- mkdir -p $(P_OUTPUT)
+- cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+-
+-install:
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
+- depmod -a
+- $(P_PWD)/$(P_BOOTUP_SCRIPT) install
+
+-uninstall:
+- $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
++modules:
++ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
++
++modules_install:
++ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+
+ clean:
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
+- $(RM) Module.markers modules.order
+- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
+- $(RM) -rf $(P_OUTPUT)
++ rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
++ rm -f Module.markers Module.symvers modules.order
++ rm -rf .tmp_versions Modules.symvers
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
new file mode 100644
index 000000000..dbc195d35
--- /dev/null
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Linux Kernel Runtime Guard"
+DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
+kernel and detection of security vulnerability exploits against the kernel."
+SECTION = "security"
+HOMEPAGE = "https://www.openwall.com/lkrg/"
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
+
+DEPENDS = "virtual/kernel elfutils"
+
+SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
+ file://makefile_cleanup.patch "
+
+SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
+
+S = "${WORKDIR}/lkrg-${PV}"
+
+inherit module kernel-module-split
+
+MAKE_TARGETS = "modules"
+
+MODULE_NAME = "p_lkrg"
+
+module_do_install() {
+ install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
+ install -m 0644 ${MODULE_NAME}.ko \
+ ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
+}
+
+RPROVIDES_${PN} += "kernel-module-lkrg"
+
+COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
|
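Review bot: The `clean` recipe added in makefile_cleanup.patch only deletes build products in the top directory, while every object listed in `p_lkrg-y` lives under `src/`, so stale objects survive a clean and may be reused by the next build of `p_lkrg.ko`. Keeping the kbuild clean ahead of the `rm` lines, `$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) clean`, would cover the subdirectories the way the removed recipe did. `Modules.symvers` in the last `rm -rf` looks like a misspelling of `Module.symvers`, which the line above already removes. The three targets are commands rather than files, so `.PHONY: modules modules_install clean` is worth adding.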
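Review bot: Overriding `module_do_install()` in lkrg-module_0.9.0.bb with a plain `install -m 0644` bypasses the kernel's `modules_install` step, which is where module signing runs when the kernel is built with `CONFIG_MODULE_SIG_ALL`; on a kernel that enforces signatures the unsigned `p_lkrg.ko` would presumably be refused. It also leaves the `modules_install` target that makefile_cleanup.patch adds unused, so dropping the override and relying on the inherited `module` class would keep the two consistent. Separately, the patch removes the upstream boot-up script and nothing visible in this recipe loads the module at boot, so a runtime guard that is installed but never loaded is a possible outcome. Consider `KERNEL_MODULE_AUTOLOAD += "p_lkrg"` unless an image or distro configuration already does that elsewhere.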