authorAndrew Geissler <geissonator@yahoo.com>2020-10-30 23:42:05 +0300
committerAndrew Geissler <geissonator@yahoo.com>2020-10-30 23:42:06 +0300
commit157744bac930642ebf7952ec8dc3df2faffd0928 (patch)
tree65c3c33b8f94265cb4985fe751c8fbd68d29f91f /meta-security
parent6454e3733c050bf4ec43aae71b2dd22c8ca1b9b0 (diff)
meta-security: subtree update:4c2f7ffd49..e8c9e69c80
Armin Kuster (3): meta-security: Add gatesgarth to LAYERSERIES_COMPAT gitlab-ci: add meta-hardening build image gitlab-ci: add building meta-security-compliance pkgs Sajjad Ahmed (1): layer.conf: use += instead of := to update BBFILES Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: Id5439f3fdfc88fe3c987ee3c8cb7d3ed6a5a6a22
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/.gitlab-ci.yml10
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/kas/kas-security-base.yml1
-rw-r--r--meta-security/kas/qemux86-comp.yml11
-rw-r--r--meta-security/kas/qemux86-harden.yml10
-rw-r--r--meta-security/meta-hardening/conf/layer.conf2
-rw-r--r--meta-security/meta-integrity/conf/layer.conf5
-rw-r--r--meta-security/meta-security-compliance/conf/layer.conf2
-rw-r--r--meta-security/meta-security-isafw/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/conf/layer.conf2
10 files changed, 39 insertions, 8 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 50bfe4fa3..3a1687cca 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -136,6 +136,16 @@ qemuarm64-musl:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
+qemux86-harden:
+ extends: .build
+ script:
+ - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-comp:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
qemux86-test:
extends: .build
allow_failure: true
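Review bot: Both new jobs stop at `kas build`, so `qemux86-harden` and `qemux86-comp` only prove that the hardening image and the compliance packages still compile. Nothing visible in this hunk boots `harden-image-minimal` or checks its settings, so a change that weakens the harden distro but still builds would pass CI. If the layers have runtime tests, a follow-up job could run them; the `qemux86-test` job's body continues outside the hunk, so whether it covers this cannot be told from here. Until then a comment on each job would record the limit, e.g. `# build coverage only; hardening settings are not verified at runtime`.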
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 2c3bd9654..8c0254b82 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "dunfell"
+LAYERSERIES_COMPAT_security = "gatesgarth"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
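Review bot: The upstream subject says gatesgarth is added to LAYERSERIES_COMPAT, but the new value `"gatesgarth"` replaces `"dunfell"` instead of extending it, so the layer no longer declares compatibility with dunfell. If dunfell-based builds are still expected to consume this subtree, `LAYERSERIES_COMPAT_security = "dunfell gatesgarth"` keeps both series. Otherwise the commit record should say the series is replaced. The same replacement appears in the layer.conf hunks for meta-hardening, meta-integrity, meta-security-compliance, meta-security-isafw and meta-tpm.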
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index 6a77af599..ba0e0f81f 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -10,6 +10,7 @@ repos:
meta-tpm:
meta-integrity:
meta-security-compliance:
+ meta-hardening:
poky:
url: https://git.yoctoproject.org/git/poky
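Review bot: Listing `meta-hardening:` in the shared base adds the layer to every config that includes kas-security-base.yml, not only kas/qemux86-harden.yml. If the layer carries bbappends or class changes that are not gated on `DISTRO = "harden"` (not visible here), the images built by the other CI jobs would change as well. Declaring the layer in kas/qemux86-harden.yml would limit it to the job that needs it. If it is meant to stay in the base, a comment such as `# parsed by all configs; effects are gated on DISTRO = "harden"` would record that intent once confirmed.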
diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml
new file mode 100644
index 000000000..14c5dcabf
--- /dev/null
+++ b/meta-security/kas/qemux86-comp.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-compliance: |
+ IMAGE_INSTALL_append = " lynis"
+ IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide"
+
+machine: qemux86
diff --git a/meta-security/kas/qemux86-harden.yml b/meta-security/kas/qemux86-harden.yml
new file mode 100644
index 000000000..fb59ddab2
--- /dev/null
+++ b/meta-security/kas/qemux86-harden.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO = "harden"
+
+machine: qemux86
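Review bot: The `local_conf_header` entry is keyed `meta-security`, which names the parent layer and not what the entry does. kas merges `local_conf_header` entries by key across included files, so if kas-security-base.yml (its `local_conf_header` is not shown here) already has an entry under that key, this one would replace it rather than add to it. A distinct key such as `meta-hardening: |`, in line with `meta-compliance` in kas/qemux86-comp.yml, avoids the collision and makes the origin of `DISTRO = "harden"` clear in the generated local.conf.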
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index 589621440..22d88749d 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "10"
-LAYERSERIES_COMPAT_harden-layer = "dunfell"
+LAYERSERIES_COMPAT_harden-layer = "gatesgarth"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index f905b0be4..76374eb9b 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@
BBPATH =. "${LAYERDIR}:"
# We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"
BBFILE_COLLECTIONS += "integrity"
@@ -21,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "dunfell"
+LAYERSERIES_COMPAT_integrity = "gatesgarth"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 965c83797..db243f710 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "dunfell"
+LAYERSERIES_COMPAT_scanners-layer = "gatesgarth"
LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf
index 63f990a8b..b8ee1c013 100644
--- a/meta-security/meta-security-isafw/conf/layer.conf
+++ b/meta-security/meta-security-isafw/conf/layer.conf
@@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1"
LAYERDEPENDS_security-isafw = "core"
-LAYERSERIES_COMPAT_security-isafw = "dunfell"
+LAYERSERIES_COMPAT_security-isafw = "gatesgarth"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 46d0279cc..cd62fbac2 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "dunfell"
+LAYERSERIES_COMPAT_tpm-layer = "gatesgarth"
LAYERDEPENDS_tpm-layer = " \
core \