diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-08-17 00:08:17 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-08-17 00:10:30 +0300 |
| commit | 26bdd44576f25d63bf32632369b0cbdd94c93d7a (patch) | |
| tree | 506ed5dc7d2814cc3462a943f6222e02b4fb4146 /meta-security | |
| parent | 30e7d8427b05d123ed1ca269e3c027b2425bd168 (diff) | |
| download | openbmc-26bdd44576f25d63bf32632369b0cbdd94c93d7a.tar.xz | |
subtree updates
meta-openembedded: 64974b8779..c95842cdca:
Adrian Bunk (46):
modemmanager: Remove the obsolete dependency on dbus-glib
gpsd: Remove the obsolete dependency on dbus-glib
eggdbus: Remove this obsolete package
sanity-meta-gnome: Remove obsolete class
gssdp: Merge inc
vlc: notify switched to GTK+3 some time ago
tremor: Upgrade 20150107 -> 20180319
vlc: Remove the obsolete dependency on dbus-glib
blueman: Enable thunar support by default but don't rdepend on it
gnome-bluetooth: Drop bluez4 support
networkmanager: Drop bluez4 support
packagegroup-meta-networking-connectivity: Correct a DISTRO_FEATURES check
packagegroup-tools-bluetooth: Remove bluez4 support
cpprest: Fix build failure with gcc 8
packagegroup-basic: Remove bluez4 support
packagegroup-meta-oe: Remove bogus bluez4 DISTRO_FEATURES checks
esound: Remove this obsolete package
gpsd: Remove obsolete musl patch
gpsd: Don't build without optimization
zeromq: Upgrade 4.3.1 -> 4.3.2
obex-data-server: Drop bluez4 support
openobex: Drop bluez4 support
gpsd: Drop bluez4 support
libao: Remove the non-default esound PACKAGECONFIG
gpsd: Disable manpage building by config option instead of patching
gpsd: Upgrade 3.18.1 -> 3.19
gnome-desktop3: Fix REQUIRED_DISTRO_FEATURES
meta-gnome: Remove GNOME_COMPRESS_TYPE = "xz" in recipes
jasper: Use the new upstream GitHub location instead of the defunct tarball URL
fluidsynth: Add PACKAGECONFIG for readline
meta-multimedia: Remove GNOME_COMPRESS_TYPE = "xz" in recipes
udisks: Remove this obsolete version
gpsd: Switch from python-scons-native to python3-scons-native
meta-gnome: Inherit gnomebase instead of gnome
meta-oe: Inherit gnomebase instead of gnome
libgsf: Drop the obsolete inherit gconf
gnome-system-monitor: Add DEPENDS on polkit
meta-oe: Change some ftp:// URIs to http(s)://
meta-oe: Use GNU_MIRROR in more recipes
wireshark: Use an upstream URL that stays valid longer
modemmanager: Use a simpler workaround for the clang build
network-manager-applet: Remove obsolete do_configure_append
network-manager-applet: Remove the obsolete DEPENDS on gconf
wv: Remove, abiword was the only user
gtkmathview: Remove, abiword was the last user
t1lib: Remove, gtkmathview was the last user
Alex Kiernan (6):
keyutils: Fix build with usrmerge
iwd: update to 0.18
libzip: Upgrade 1.5.1 -> 1.5.2
zstd: New recipe
zstd: Update 1.4.0 -> 1.4.2
iwd: Upgrade 0.18 -> 0.19
Alexander Kanavin (3):
python-matplotlib: remove the python 2.x version of the recipe
python-oauthlib: remove the 2.x version of the recipe
python-pandas: remove the python 2.x version of the recipe
Alistair Francis (3):
gpsd: Upgrade from 3.17 to 3.18.1
gpsd: Fix the systemd service run paths
python: pypi: Add python3-term
Anatol Belski (1):
gperftools: separate off libtcmalloc-minimal
Andreas Müller (2):
meta-xfce: Make Kai Kang layer maintainer
abiword: remove
Andrej Valek (2):
nodejs: 10.15.3 -> 10.16.0
nodejs: 10.16.0 -> 10.16.2
André Draszik (1):
layer.conf: ignore wireless-regdb->crda dep for siggen purposes
Ankit Navik (1):
safec: Remove aarch64 from COMPATIBLE_HOST
Anuj Mittal (2):
xterm: upgrade 330 -> 347
libsdl: import from OE-Core
Armin Kuster (5):
keyutils: update to 1.6
keyutils: improve ptests
keyutils: fix QA WARNING
keyutils: fix pulling in glibc when musl enabled
keyutils: fix library install path
Arturo Buzarra (1):
lvm2: Fix RDEPEND on lvm2 to lvm2-udevrules
Ayoub Zaki (1):
pegtl: Initial recipe
Bartosz Golaszewski (2):
bats: new package
libgpiod: bump version to v1.4.1
Beniamin Sandu (1):
unbound: create recipe for version 1.9.2
Callaghan, Dan (1):
unixodbc: mysql5 is not required but readline is
Changqing Li (15):
python-pygobject: fix install dir for python2
dlm: upgrade 4.0.7 -> 4.0.9
uthash: remove uthash-ptest dependencies
waf-samba: switch to python3
libtevent: upgrade 0.9.37 -> 0.10.0
libtdb: upgrade 1.3.17 -> 1.4.0
libtalloc: upgrade 2.1.14 -> 2.2.0
samba: upgrade 4.8.12 -> 4.10.5
libldb: upgrade 1.4.1 -> 1.5.4
volume-key: fix "Nothing RPROVIDES" when multilib enabled
isomd5sum: fix "Nothing RPROVIDES" when multilib enabled
satyr: fix "Nothing RPROVIDES" when multilib enabled
libtevent: fix do_package_qa issue
libtdb: fix do_package_qa issue
fio: Delete redundant tag
Chin Huat Ang (1):
opencv: 3.4.5 -> 4.1.0
Denys Dmytriyenko (1):
ufs-tool: add tool to access UFS (Universal Flash Storage) devices
Douglas Royds (2):
grpc: DEPENDS on googletest
packagegroup-meta-oe: RDEPENDS on googletest
Drew Moseley (1):
networkmanager: Use ALTERNATIVES for resolv-conf handling.
Erik Botö (1):
paho-mqtt-c: enable SSL
Fabian Klemp (1):
openvpn: respect pid file in init.d service start
Gianfranco Costamagna (3):
iniparser: add initial recipe
cpprest: update to 2.10.14
cpprest: Do not export Werror from build system instead of adding -Wno-error to the same build command
He Zhe (1):
drbd-utils: Fix netlink failure with nested attributes for kernel v5.2
Hongxu Jia (24):
packagegroup-xfce-extended: conditional runtime recommends on xfce-polkit
xfce-polkit: add required distro feature check to polkit
xfce4-session: optional support polkit
upower: remove polkit dependency
gvfs: add meson option admin and udisks2 to PACKAGECONFIG
mongodb: add to PNBLACKLIST
itstool: use libxml2 to instead of python3-lxml
meta-multimedia: add layer depends on meta-python
itstool: use libxml2 to instead of python3-lxml
python-six: remove duplicated recipe
libauthen-radius-perl: ptest requires meta-networking to be present
xfce4-panel: use lxdm to replace dm-tool
drop lxdm_%.bbappend
python3-pykickstart: 3.18 -> 3.20
python3-blivet: 3.1.2 -> 3.1.4
python-pyparted/python3-pyparted: 3.11.1 -> 3.11.2
libbytesize: 1.4 -> 2.0
libblockdev: 2.20 -> 2.22
network-manager-applet: 1.8.20 -> 1.8.22
thin-provisioning-tools: 0.7.6 -> 0.8.5
libreport: 2.9.7 -> 2.10.0
python3-blivetgui: fix blivet-gui broken
php: remove 5.6.40
lmsensors: support package lmsensors
Jackie Huang (1):
keyutils: add new recipe
Jason Wessel (1):
libbytesize: Add depends for gettext-native
Joshua Lock (3):
python-cffi: add missing RDEPENDS on pycparser
python-attrs: add native BBCLASSEXTEND
python-dateutil: add native BBCLASSEXTEND
Kai Kang (39):
mozjs: fix configure failure on CentOS 7.6
libvncserver: update to latest commit 1354f7f
libxfce4util: 4.13.3 -> 4.13.4
libxfce4ui: 4.13.5 -> 4.13.6
exo: 0.12.5 -> 0.12.6
xfconf: 4.13.7 -> 4.13.8
thunar: 1.8.6 -> 1.8.7
xfce4-session: 4.13.2 -> 4.13.3
xfwm4: 4.13.2 -> 4.13.3
xfdesktop: 4.13.4 -> 4.13.5
xfce4-power-manager: 1.6.2 -> 1.6.3
xfce4-panel: 4.13.5 -> 4.13.6
xfce4-dev-tools: 4.12.0 -> 4.13.0
thunar-volman: 0.9.2 -> 0.9.3
garcon: 0.6.2 -> 0.6.3
xfce4-settings: 4.12.4 -> 4.13.7
xfce4-pulseaudio-plugin: add dependency dbus-glib
xfce4-verve-plugin: 1.1.0 -> 2.0.0
net-snmp: update SRC_URI
xfwm4: fix assertion error
poppler: toggle gobject-introspection support
xfce4-settings: rrecommends xfce4-datetime-setter
xfce4-datetime-setter: add recipe
libxfce4util: 4.13.4 -> 4.14.0
xfconf: 4.13.8 -> 4.14.1
libxfce4ui: 4.13.6 -> 4.14.1
exo: 0.12.6 -> 0.12.8
garcon: 0.6.3 -> 0.6.4
thunar: 1.8.7 -> 1.8.9
thunar-volman: 0.9.3 -> 0.9.5
tumbler: 0.2.0 -> 0.2.7
xfce4-appfinder: 4.13.3 -> 4.14.0
xfce4-dev-tools: 4.13.0 -> 4.14.0
xfce4-panel: 4.13.6 -> 4.14.0
xfce4-power-manager: 1.6.3 -> 1.6.5
xfce4-session: 4.13.3 -> 4.14.0
xfce4-settings: 4.13.7 -> 4.14.0
xfdesktop: 4.13.5 -> 4.14.1
xfwm4: 4.13.3 -> 4.14.0
Khem Raj (44):
wvdial: Fix build with musl
librelp: Pass Wno-error to compiler
recipes: Use BPN instead of PN in SRC_URIs
cli11: Refresh patch to fix fuzz
sthttpd: Use git SRC_URI instead of github archive
arno-iptables-firewall: Switch to git fetcher
firewalld: Update to 0.6.3->0.6.4
python-matplotlib: Use git src_uri
mpv: Switch to using git fetcher
x11vnc: Switch to git fetcher
dumb-init: Switch to git fetcher
pam-plugin-ldapdb: Use git fetcher
libuv: Switch to using git fetcher
usbctl: Switch to git fetcher
pmdk: Fix libdir which is multi-lib aware
kexec-tools-klibc: Refresh patch with no code change
log4cplus: Fix build with gold linker
orage: Fix build with libical3
pegtl: Fix build with clang/libc++
postfix: Fix build failures with glibc 2.30
snort: Fix build with glibc 2.30
opensaf: Add configure time check to detect gettid API in libc
ypbind-mt: Fix build with glibc 2.30
openocd: Fix build with glibc 2.30
netkit-rusers: Add dep on rpcsvc-proto for rpc headers
collectd: Fix build with glibc 2.30
alsa-oss: Drop now not needed patch
klcc-cross: Recognise --unwindlib clang option
libsub-exporter-progressive-perl: Remove unneeded DEPENDS_PN
libedit: Delete
sjf2410-linux-native: Do not include sys/io.h
gradm: Upgrade to 3.1-201903191516 release
pmdk: Fix packaging errors when building on non-x86 host
klibc: Pass -fno-builtin-bcmp with musl/clang combo
graphviz: Fix build error that surfaced with latest pango
graphviz: Do not build tcl support for target
python-grpcio: Use gettid API from glibc 2.30+
grpc: Update to 1.22.0
android-tools: Fix build with glibc 2.30
iperf2: Upgrade to 2.0.13
netkit-rusers: Depend on rpcsvc-proto-native for rpcgen tool
kpatch: Pass ARCH from environment
python3-pillow: Provide python3-imaging
netkit-rusers: Fix cross-build after glibc dropped rpc
Laszlo Toth (1):
networkmanager: fix typo in nonarch_base_libdir
Liwei Song (2):
pm-graph: fix time format parse error
fio: fix first direct IO errored when ioengine is splice
Luca Boccassi (2):
python-pygobject: move python-setuptools from RDEPENDS to DEPENDS
python-pygobject: remove build-dependency on setuptools and add dependency on pkgutil
Luca Ceresoli (4):
fuse-exfat: moved to github
exfat-utils: moved to github
fuse-exfat: update 1.2.3 -> 1.3.0
exfat-utils: update 1.2.3 -> 1.3.0
Luca Palano (1):
Netdata upgrade: 1.8.0 -> 1.16.0
Maciej Pijanowski (8):
python3-websockets: upgrade to 8.0.2
python3-multidict: upgrade to 4.5.2
python-engineio: upgrade to 3.9.3
python-socketio: upgrade to 4.3.1
python-aiohttp.inc: add missing RDEPENDS
python-async-timeout: add asyncio to RDEPENDS
python-socketio.inc: add missing RDEPENDS
python3-aiofiles: add recipe
Mariano Lopez (1):
nftables: 0.9.0 > 0.9.1
Martin Jansa (8):
protobuf: fix build with gold
SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS add lsb and util-linux for phoronix-test-suite
oprofile: drop kernel-vmlinux from RRECOMMENDS
libdbi-perl: prevent native libdbi-perl depending on target perl
redis: backport a fix for stack trace generation on aarch64
ntop: fix missing return from non-void function
python3-twofish: Fix missing return statements in module stubs
kernel-selftest: skip -Werror=format-security and fortify
Max Krummenacher (1):
joe: update to 4.6
Mikko Rapeli (2):
protobuf: fix ptest compilation with hardening flags
stress-ng: delete recipe
Mingli Yu (7):
fio: Upgrade to 3.15
crash: Upgrade to 7.2.6
makedumpfile: Upgrade to 1.6.6
hwloc: Upgrade to 1.11.13
iperf3: Upgrade to 3.7
log4cplus: Upgrade to 2.0.4
log4cplus: remove gold linker setting
Oleksandr Kravchuk (22):
nghttp2: update to 1.39.1
drbd-utils: update to 9.10.0
drbd: update to 9.0.18-1
keepalived: update to 2.0.16
nano: update to 4.3
nuttcp: add systemd unit file
mbedtls: update to 2.16.2
dhcpcd: update to 7.2.2
freediameter: update to 1.2.1
sethdlc: set PV in filename
miniupnpd: update to 2.1.20190210
ipvsadm: update to 1.30
uftp: update to 4.9.11
libnftnl: update to 1.1.3
dhcpcd: update to 7.2.3
blueman: update to 2.1.1
uftp: update to 4.10
htpdate: update to 1.2.1
dhcpcd: update to 8.0.1
chrony: update to 3.5
wolfssl: update to 4.1.0
dhcpcd: update to 8.0.2
Ovidiu Panait (2):
python3-pillow: 5.4.1 -> 6.1
python3-pillow: Add python3-misc/logging/numbers to RDEPENDS
Paolo Valente (1):
s-suite: push SRCREV to version 3.5
Parthiban Nallathambi (1):
python3-matplotlib: add version 3.1.1
Pascal Bach (1):
protobuf: 1.3.1 -> 1.3.2
Paul Eggleton (3):
mraa: update to 2.0.0
upm: update to 2.0.0
picocom: update to 3.1
Pierre-Jean Texier (2):
stunnel: bump to version 5.55
cppzmq: bump to version 4.4.1
Piotr Tworek (1):
itstool: Don't use hardcoded, absolute path to python3 binary.
Qi.Chen@windriver.com (3):
turbostat: set PACKAGE_ARCH as MACHINE_ARCH
esmtp: use alternatives to manage /usr/lib/sendmail
postfix: use alternatives to manage /usr/lib/sendmail
Radovan Scasny (2):
dhcpcd: enable udev by default
dhcpcd: fix building with pkgconfig
Randy MacLeod (2):
poppler: update from 0.75.0 to 0.79.0
rsyslog: update from 8.1903.0 to 8.1907.0
Ricardo Ribalda Delgado (1):
fwts: Update to 19.06.00
Robert Joslyn (1):
cryptsetup: Don't enable udev for native build
Roman Stratiienko (1):
glmark2: Upgrade SRCREV to latest
Ross Burton (2):
gtk+: add (from oe-core)
gnome-themes-standard: add recipe for GTK+ 2 Adwaita
Ruslan Bilovol (2):
libnss-nisplus: Add recipe
kpatch: fix QA build errors for nativesdk
Saravanan Sekar (1):
liblightmodbus: Add version 2.0.2
Scott Ellis (1):
wireguard: Upgrade 20190406 to 20190702
Slater, Joseph (3):
drbd-utils: enable reproducible_build awareness
php: remove host specific info from header file
mozjs: do not expose intl api for mips64
Tim Orling (9):
libencode-perl: upgrade 2.94 -> 3.01; enable ptest
libdbi-perl: fix dependencies
libtest-nowarnings-perl: add recipe for 1.04
libdbd-sqlite-perl: upgrade 1.54 -> 1.62; enable ptest
libsub-uplevel-perl: add recipe for 0.36
libtest-warn-perl: add recipe for 0.36
libcgi-perl: upgrade 4.43 -> 4.44
libnet-ldap-perl: upgrade 0.65 -> 0.66; enable ptest
libunicode-linebreak-perl: upgrade 2017.004 -> 2019.001; enable ptest
Trevor Gamblin (2):
metacity; upgrade from 3.30.1 to 3.32.0
gvfs: upgrade from 1.40.0 to 1.40.2
Vincent Prince (1):
mongodb: add mongo shell as a PACKAGECONF option
William A. Kennington III via Openembedded-devel (5):
gtest: Googletest project is back under github.com/google/googletest
googletest: The gtest and gmock projects were combined under googletest in 2015
libtar: Enable libtar-native build
fmt: Init at 5.3.0
cli11: 1.7.1 -> 1.8.0
Windel Bouwman (3):
python-humanfriendly: Add recipe for the humanfriendly package.
Fix python-humanfriendly recipe for python2.
Add recipe for the coloredlogs python package.
Yi Zhao (7):
strongswan: upgrade 5.7.1 -> 5.8.0
snort: fix compile-host-path QA issue
cryptsetup: set the default luks format to LUKS1
libldb: upgrade 1.5.4 -> 1.5.5
samba: upgrade 4.10.5 -> 4.10.6
snort: upgrade 2.9.13 -> 2.9.14
snort: upgrade 2.9.14 -> 2.9.14.1
Yong, Jonathan (1):
icewm: add recipe
Yongxin Liu (3):
keyutils: move recipe and patches from meta-security to meta-oe
ndctl: v63 -> v65
pmdk: update from 1.4.2 to 1.6
Yuan Chao (9):
python-pycodestyle: upgrade 2.4.0 -> 2.5.0
python-lxml: upgrade 4.3.4 -> 4.4.0
python-configparser: upgrade 3.5.0 -> 3.7.4
protobuf: upgrade 3.9.0 -> 3.9.1
python-markupsafe: upgrade 1.0 -> 1.1.1
hostapd: upgrade 2.8 -> 2.9
python-configparser: upgrade 3.7.4 -> 3.8.1
python-lxml: upgrade 4.4.0 -> 4.4.1
python-pip: upgrade 19.2.1 -> 19.2.2
Zang Ruochen (47):
postgresql: upgrade 11.3 -> 11.4
wireshark: upgrade 3.0.1 -> 3.0.2
python-pygobject: upgrade 3.32.1 -> 3.32.2
python-alembic: upgrade 1.0.10 -> 1.0.11
logwatch: upgrade 7.4.3 -> 7.5.1
tcsh: upgrade 6.20.00 -> 6.21.00
python-cython: upgrade 0.29.10 -> 0.29.11
dialog: upgrade 1.3-20180621 -> 1.3-20190211
php: upgrade 7.3.6 -> 7.3.7
sessreg: upgrade 1.1.1 -> 1.1.2
python-typing: upgrade 3.6.6 -> 3.7.4
python-mako: upgrade 1.0.12 -> 1.0.13
python-pbr: upgrade 5.2.1 -> 5.4.0
python-cython: upgrade 0.29.11 -> 0.29.12
adcli: added new recipe.
python-pyflakes: upgrade 1.6.0 -> 2.1.1
python-protobuf: upgrade 3.8.0 -> 3.9.0
protobuf: upgrade 3.8.0 -> 3.9.0
setxkbmap: upgrade 1.3.1 -> 1.3.2
uftrace: upgrade 0.9.2 -> 0.9.3
wireshark: upgrade 3.0.2 -> 3.0.3
python-pbr: upgrade 5.4.0 -> 5.4.1
dstat: upgrade 0.7.3 -> 0.7.4
python-mako: upgrade 1.0.13 -> 1.0.14
xfsprogs: upgrade 5.0.0 -> 5.1.0
python-beautifulsoup4: upgrade 4.7.1 -> 4.8.0
xterm: upgrade 347 -> 348
python-pip: upgrade 19.1.1 -> 19.2.1
python-paste: upgrade 3.0.8 -> 3.1.0
syslog-ng: append syslog-ng.service
dialog: upgrade 1.3-20190211 -> 1.3-20190728
openldap: upgrade 2.4.47 -> 2.4.48
python-cython: upgrade 0.29.12 -> 0.29.13
libsodium: upgrade 1.0.17 -> 1.0.18
hwdata: upgrade 0.322 -> 0.326
python-jsonpatch: upgrade 1.23 -> 1.24
python-pyasn1: upgrade 0.4.5 -> 0.4.6
python-pyasn1-modules: upgrade 0.2.2 -> 0.2.6
python-pyparsing: upgrade 2.4.0 -> 2.4.2
python-pytest-runner: upgrade 4.2 -> 5.1
python-pytz: upgrade 2019.1 -> 2019.2
itstool: upgrade 2.0.5 -> 2.0.6
opensaf: upgrade 5.19.03 -> 5.19.07
libkcapi: upgrade 1.1.4 -> 1.1.5
mcelog: upgrade 162 -> 164
php: upgrade 7.3.7 -> 7.3.8
kpatch: upgrade 0.61 -> 0.71
Zheng Ruoqin (3):
python-mako: upgrade 1.0.14 -> 1.1.0
python-pbr: upgrade 5.4.1 -> 5.4.2
dnf-plugin-tui: new recipe
wouterlucas (1):
python-jsonref: add recipe
meta-phosphor: fbd01b6e08..fe8cee7488:
Brad Bishop (1):
meta-phosphor: sdk: react to upstream gtest rename
meta-xilinx: 64aa3d35ae..f3c8b1c9a8:
Alejandro Enedino Hernandez Samaniego (7):
opencl-clhpp: Allow empty packages to be built
opencl-headers: Allow empty packages to be built
gcc-8: rebase microblaze patches for gcc 8.2.0
gcc8: update microblaze patches
gcc: update microblaze patches
update gcc-8 patches
gcc: Remove xilinx.ld requirement
Jaewon Lee (6):
zc1254-zynqmp.conf: Add support for zc1254 evaluation board
zc1275-zynqmp.conf: Add support for zc1275 evaluation board
zcu102-zynqmp.conf: Changing qemu boot mode
Adding FPGA_MNGR_RECONFIG_ENABLE to control enabling fpga manager
gcc: Removing already upstreamed patch
Rebasing binutils patches from 2.31 to 2.32
Madhurkiran Harikrishnan (2):
kernel-module-mali: Fix errors associated with kernel upgrade to 4.19
xf86-video-armsoc: Remove the recipe for xf86-video-armsoc
Manjukumar Matha (10):
libmali-xlnx_git.bb: Fix the package arch for libmali
zcu111-zynqmp.conf: Add support for ZCU111 evaluation board
qemu-system-aarch64-multiarch: Enable plm argument in runqemu
arm-trusted-firmware.inc: Add support to build ATF for versal devices
linux-xlnx.inc: Add support to build kernel for versal devices
linux-xlnx.inc: Use KBUILD_DEFCONFIG in externalsrc mode if defined
kernel-simpleimage.bbclass: Use dts for simpleImage generation for Microblaze
kernel-simpleimage.bbclass: Deploy simpleImage unstrip file
kernel-simpleimage.bbclass: Deploy simpleImage strip
binutils%.bbappend: Update Microblaze binutils patches to v2.31
Min Ma (4):
ocl-icd_git.bb: Add recipe for OpenCL ICD loaders
opencl-clhpp_git.bb: Recipe for OpenCL Host API C++ bindings
zocl: Recipe for Xilinx runtime driver module
xrt: Xilinx Runtime User Space Libraries and headers
Sai Hari Chandana Kalluri (1):
xilinx-testimage.bbclass: Include IMAGE_AUTOLOGIN and IMAGE_FSTYPES values for runqemu
Sreeja Vadakattu (1):
machine-xilinx-default.inc: Make u-boot.elf as UBOOT_ELF for zynq
Vineeth Chowdary Karumanchi (1):
tune-zynq.inc: Build zImage in addition to uImage
meta-security: c28b72e91d..ecb526ffab:
Armin Kuster (34):
linux-bbappends: simplify
layers: set warrior only
security-test-image: add a testing image
runtime: clamav test cleanup
packagegroup-core-security: cleanup and remove ptest
test-image: add packagegroup-core-security-ptest
test-image: add a few more packages to image
ima-evm-utils: update to tip
runtime: tpm2 fix names in packagecheck
tpm2 images: create tpm2 image and fix packagegroup
tpm image: split out tpm2
tpm2-pkcs11/tpm2-pkcs11: update to tip
tpm2-tcti-uefi: update to tip
tpm2-tools: update to 3.2.0
tpm2-tss: update to 2.2.3
tpm2-totp: update to offical release v0.1.1
tpm2-tss-engine: update to 1.0.0
libmspack: update SRC_URI and package
clamav: minor recipe cleanup
lynis: update to 2.7.5
meta-security-compliance: update README
openscap_git: update to 1.3.0
openscap: add 1.3.1 recipes for upstream source
scap-security-guide: update to 0.1.44
meta-security-compliance: add meta-python
libldb: remove recipe
waf-cross-answers: remove files
samhain: update to 4.3.3
keyutils: remove from meta-security
linux-%: remove kernel fragments now in cache
meta-integrity: remove kernel fragments now in cache
linux-stable/5.2: add stable bbappend
linux-yocto: use 4.19 kernel cache now
linux-yocto-dev: update to use kernel cache
Dmitry Eremin-Solenikov (11):
packagegroup-security-tpm2: stop including tpm2-tcti-uefi
tpm2-tss: fix compilation when using updated AX_CODE_COVERAGE macro
tpm2-tcti-uefi: add autoconf-archive-native dependency
tpm2-tcti-uefi: fix configure arguments
tpm2-tcti-uefi: stop inserting host directories into build path
tpm2-tcti-uefi: build and install examples
meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE
ima-evm-utils: bump to release 1.2.1
kernel-modsign.bbclass: add support for kernel modules signing
linux: add support for kernel modules signing
layer.conf: switch to keyutils from meta-oe
He Zhe (1):
kernel: Add conditional inclusion of fragments for linux-yocto-dev
Mark Asselstine (1):
openscap/scap-security-guide: use _git instead of versioned filenames
Yi Zhao (5):
openscap: update recipe
scap-security-guide: update recipe
openscap: cleanup DEPENDS
scap-security-guide: fix typo
xmlsec1: upgrade 1.2.27 -> 1.2.28
lumag (3):
layer.conf: add dependency on meta-security
ima-evm-utils: bump version
ima-evm-utils: refresh xattr patch
meta-raspberrypi: 8636b63752..b112816e95:
Andrei Gherzan (46):
rpi-base.inc: Include rpi4 dtb
raspberrypi3.conf: Clarify machine mode
linux-raspberrypi: Include configuration for RaspberryPi3 defconfig
linux-raspberrypi: Update 4.19 kernel to 4.19.56
rpi-base: Rename the rpi0w dtb
firmware: Update to 20190620
raspberrypi4.conf: Add initial machine 32 bit configuration
linux-firmware-rpidistro: Fix WiFi on RaspberryPi 4
rpi-base.inc: Include the "fake" KMS dtbo
raspberrypi4: Use vc4-fkms-v3d
linux-raspberrypi: Bump 4.19 revision to fix RPi 4 arm64 builds
raspberrypi4-64.conf: Introduce RPi arm64 machine
firmware: Rename firmware inc file to raspberrypi-firmware.inc
armstubs: Add support for compiling ARM stubs
rpi-config: Handle ARMSTUB
sdcard_image-rpi.bbclass: Include in the SD card image the armstub file
raspberrypi4-64.conf: Initial machine configuration
raspberrypi-tools: Update to remove Makefile patch
linux-raspberrypi: Fix defconfig for RPi4-64
linux-raspberrypi.inc: Explicitly set defconfig for raspberrypi4-64
sdcard_image-rpi.bbclass: Fix typo
linux-raspberrypi: Bump 4.19 revision to have proper coherent_pool set
raspberrypi4-64.conf: Define a machine feature for armstubs
sdcard_image-rpi.bbclass: Use armstub machine feature
linux-raspberrypi: Bump 4.19.57 revision
raspberrypi4.conf: Define uboot defconfig
raspberrypi4-64.conf: Uboot configuration and drop armstub
u-boot: Use a temporary fork for RPi4 support
raspberrypi-firmware: Update to 20190709
raspberrypi4.conf: The firmware uses kernel7l.img when LPAE is supported
linux-raspberrypi: Bump 4.19 to 4.19.58
linux-raspberrypi: Build dtbs with dtbs make target for all 64bit targets
linux-raspberrypi: Bump 4.19 revision
raspberrypi4-64.conf: Remove memory limitation
u-boot: Replace custom fork by patches
u-boot: Update patches for RPi4
rpi-config: Check for armstub based on machine feature
sdcard_image-rpi: Check for armstub based on machine feature
armstubs: Error out when ARMSTUBS is not defined
raspberrypi*: Define ARMSTUB for all machines
raspberrypi4-64.conf: Limit RAM to 3G
README.md: Use matrix chat room
raspberrypi-firmware.inc: Update to 20190718
linux-raspberrypi: Update 4.19 recipe to 4.19.66
mesa: Add v3d and kmsro driver as well
raspberrypi4-64: Remove the 3G RAM limitation
Carton (2):
bluez5: Fixed typo (RC_URI -> SRC_URI)
rpi-config: Check some config values against "1"
Francesco Giancane (1):
linux-raspberrypi: update to 4.14.114
Khem Raj (8):
linux-raspberrypi: Upgrade to 4.19.57
userland: Upgrade to latest
webkitgtk: Remove -DUSE_GSTREAMER_GL=OFF for vc4graphics
layer.conf: Add meta-networking to dynamic layers
drbd: Disable for rpi machines
packagegroup-rpi-test: Depend on wireless-regdb instead of crda
xorg-xserver: Adapt bbappend to latest OE-core
python-rtimu,python-sense-hat: Convert to py3 modules
Kirill Goncharov (1):
omxplayer: Bump revision
Martin Jansa (1):
sdcard_image-rpi.bbclass: use -v for all mcopy calls and add bbfatal in case mcopy fails
Riyaz (1):
rpi-base.inc: Enabling open-source vc4graphics driver for all RPI platforms
Change-Id: I9e37b5952a2e2e30745275fc89e4dd7c47b851e2
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-security')
93 files changed, 500 insertions, 1670 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 4beac385f..b9a4f254c 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,8 +9,6 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "thud warrior" +LAYERSERIES_COMPAT_security = "warrior" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" - -DEFAULT_TEST_SUITES_pn-security-build-image = " ping ssh ptest" diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README deleted file mode 100644 index dda45c508..000000000 --- a/meta-security/files/waf-cross-answers/README +++ /dev/null @@ -1,3 +0,0 @@ -The files in this directory are cross answers files -used by waf-samba.bbclass, please see waf-samba.bbclass -for details about how they are used. diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-arm.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-i586.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt deleted file mode 100644 index a5cd9981a..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-i686.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt deleted file mode 100644 index 3e239e727..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt deleted file mode 100644 index 82e694fda..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: OK -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt deleted file mode 100644 index 82e694fda..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: OK -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt deleted file mode 100644 index 3e239e727..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "128" -Checking value of _NSIG: "128" -Checking value of SIGRTMAX: "127" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt deleted file mode 100644 index 27b9378a4..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: NO -Checking for -D_FILE_OFFSET_BITS=64: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: NO -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt deleted file mode 100644 index 7fd3092cb..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt +++ /dev/null @@ -1,40 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: (255, "") -Checking if can we convert from IBM850 to UCS-2LE: (255, "") -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt deleted file mode 100644 index 1023f6aff..000000000 --- a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt +++ /dev/null @@ -1,39 +0,0 @@ -Checking uname sysname type: "Linux" -Checking uname version type: "# Wed May 20 10:34:39 UTC 2015" -Checking simple C program: "hello world" -rpath library support: OK --Wl,--version-script support: OK -Checking getconf LFS_CFLAGS: NO -Checking correct behavior of strtoll: NO -Checking for working strptime: OK -Checking for C99 vsnprintf: "1" -Checking for HAVE_SHARED_MMAP: OK -Checking for HAVE_MREMAP: OK -Checking for HAVE_SECURE_MKSTEMP: OK -Checking for HAVE_IFACE_GETIFADDRS: NO -Checking for HAVE_IFACE_IFCONF: NO -Checking for HAVE_IFACE_IFREQ: NO -Checking for large file support without additional flags: OK -Checking for HAVE_INCOHERENT_MMAP: NO -Checking value of NSIG: "65" -Checking value of _NSIG: "65" -Checking value of SIGRTMAX: "64" -Checking value of SIGRTMIN: "34" -Checking whether the WRFILE -keytab is supported: OK -Checking for kernel change notify support: OK -Checking for Linux kernel oplocks: OK -Checking for kernel share modes: OK -Checking whether POSIX capabilities are available: OK -Checking if can we convert from CP850 to UCS-2LE: OK -Checking if can we convert from UTF-8 to UCS-2LE: OK -vfs_fileid checking for statfs() and struct statfs.f_fsid: OK -Checking whether we can use Linux thread-specific credentials: OK -Checking whether fcntl locking is available: OK -Checking for the maximum value of the 'time_t' type: OK -Checking whether the realpath function allows a NULL argument: OK -Checking for ftruncate extend: OK -getcwd takes a NULL argument: OK -Checking for small off_t: NO -Checking whether blkcnt_t is 32 bit: NO -Checking whether blkcnt_t is 64 bit: OK -Checking whether fcntl lock supports open file description locks: OK diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py index d0bc645ae..2808df4dc 100644 --- a/meta-security/lib/oeqa/runtime/cases/clamav.py +++ b/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -57,7 +57,7 @@ class ClamavTest(OERuntimeTestCase): 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 1, msg = msg) - @OETestDepends(['clamav.ClamavTest.test_freshclam_download']) + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) def test_freshclam_check_mirrors(self): status, output = self.target.run('freshclam --list-mirrors') match = re.search('Failures: 0', output) diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index 5bef76e8d..460794878 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -74,7 +74,7 @@ compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: INHERIT += "ima-evm-rootfs" - IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -96,7 +96,7 @@ for that are included in the layer. This is also how the # In that shell, create the keys. Several options exist: # 1. Self-signed keys. - $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh # 2. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. @@ -104,11 +104,11 @@ for that are included in the layer. This is also how the # only creating new certificates does. Most likely the default # attributes for these certificates need to be adapted; modify # the scripts as needed. - # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh # 3. Keys signed by an existing CA. - # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> + # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> exit When using ``ima-self-signed.sh`` as described above, self-signed keys @@ -169,7 +169,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index 8aec388df..d6ade3bf9 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -1,7 +1,7 @@ # No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be # set explicitly in a local.conf before activating ima-evm-rootfs. # To use the insecure (because public) example keys, use -# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +# IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" # Private key for IMA signing. The default is okay when diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass new file mode 100644 index 000000000..09025baa7 --- /dev/null +++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass @@ -0,0 +1,29 @@ +# No default! Either this or MODSIGN_PRIVKEY/MODSIGN_X509 have to be +# set explicitly in a local.conf before activating kernel-modsign. +# To use the insecure (because public) example keys, use +# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" +MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" + +# Private key for modules signing. The default is okay when +# using the example key directory. +MODSIGN_PRIVKEY ?= "${MODSIGN_KEY_DIR}/privkey_modsign.pem" + +# Public part of certificates used for modules signing. +# The default is okay when using the example key directory. +MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt" + +# If this class is enabled, disable stripping signatures from modules +INHIBIT_PACKAGE_STRIP = "1" + +kernel_do_configure_prepend() { + if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then + cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \ + > "${B}/modsign_key.pem" + else + bberror "Either modsign key or certificate are invalid" + fi +} + +do_shared_workdir_append() { + cp modsign_key.pem $kerneldir/ +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 2f696cf7c..41989da38 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -13,12 +13,14 @@ BBFILE_PRIORITY_integrity = "6" # Set a variable to get to the top of the metadata location. Needed # for finding scripts (when following the README.md instructions) and # default debug keys (in ima-evm-rootfs.bbclass). -IMA_EVM_BASE := '${LAYERDIR}' +INTEGRITY_BASE := '${LAYERDIR}' # We must not export this path to all shell scripts (as in "export -# IMA_EVM_BASE"), because that causes problems with sstate (becames +# INTEGRITY_BASE"), because that causes problems with sstate (becames # dependent on location of the layer). Exporting it to just the # interactive shell is enough. -OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" +OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" LAYERSERIES_COMPAT_integrity = "warrior" +# ima-evm-utils depends on keyutils from meta-oe +LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem new file mode 100644 index 000000000..4cac00ae3 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/privkey_modsign.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEWsJjB2pA5Ih6 +EelXvVjwWY1ix1azMciNRNPPQN1AMXF0K/VUkfOYbaPajg1cQYEf9gk3q7OZ5Axk +UY/e5piZORaPcsmj0lV0L+NSlRYydR5M/QxtEz26585FgqRGdAe6umStPmVKdqa2 +d68O4PgQgJJtVuz6ndm+0uNEUDCVLwhkGQSwNB3qBbZAUX9escZ/a8eUiBfMYKaO +k8JRyM+2br9dgpTFg4UfBYexgNSQo8g5TIBGc8KgQiKCuFj1fQEhV5z4RusHthjc +NYXa3RHmdclxyrGeYr5ZRc47HqE1gd5NDR0WeHn4C4YKcfK1rZZz/2+6hfsIRfGx +6cQKk23hAgMBAAECggEAJ0ULiWirPG04SkmYxF5vEiqm1zGMymvTc0VnoxSS60q4 +KQa9mvtRn5OV6JjuXRwQqga30zV4xvdP7yRMxMSTkllThL7tSuE/C+yj5xlABjlc +JQOa35mwh9fibg5xslF0Vkj+55MKCPlv4CBRl4Uwt4QvRMTUwk6dhMeCgmATR1J1 +2/7AipjtfFYreDx7sLbRVvSzUhmZS0iCbNOhtTWPLNW+9YKHTOffKa04HzNtnAXq +OjJ0IRZD/C6LfkBUsnHg2eEiA97QXh/Srsl9nc8DaUK1IXRywEdmYIoNMWMav2Hm +RO8kkU30BqKW+/EO2ZbH2GmkxvwWd0ocBnLC3FRWEQKBgQDu4T8CB3YsOcVjqem4 +iBlaSht/b46YQc7A1SOqZCimehmmXNSxQOkapIG3wlIr5edtXQA+xv09+WrproUB +SjAnqaH6pYeCvbNlY5k344gtYs+Kco2rq5GYa+LumAeX2Sam8F7u4LxvEogCecX7 +e4rnG3lt3AVuuRE7zpCQtaWcJQKBgQDSbUvea9pcYli9pssTl+ijQKkgG9DdaYbA +I5w5bY1TPYZ/Ocysljefv/ssaHFh4DPxE1MQ5JHwZgZRo1EICxxYzGsLjyR/fmjz +1c/NJlTtalCNtLvWaf7b02ag/abnP8neiSpLL5xqHvGo5ikWwgYQD+9HVKGvL3S1 +kI7x/ziADQKBgQCqFbkuMa/jh3LTJp0iZc1fa1qu3vhx0pFq3Zeab9w9xLxUps5O +MwCGltFBzNuDJBwm00wkZrzTjq6gGkHbjD5DT1XkyE13OqjsLQFgOOKyJiPN2Qik +TfHJzC91YMwvQ09xF78QaPXiRBiRYrEkAXACY56PKVS45I6vvcFTN/Ll/QKBgA9m +KDMyuVwhZlUaq6nXaBLqXHYZEwPhARd2g6xANCNvUTRmSnAm3hM2vW7WhdWfzq1J +uL53u6ZYEQZQaVGpXn2xF/RUmVsrKQsPDpH4yCZHrXVxUH20bA4yPkRxy5EIvgEn +EI1IAq5RbWXq0f70W/U49U3HB74GPwg6d/uFreDRAoGAN+v9gMQA6A1vM7LvbYR8 +5CwwyqS/CfI9zKPLn53QstguXC/ObafIYQzVRqGb9lCQgtlmmKw4jMY0B/lDzpcH +zS8rqoyvDj/m7i17NYkqXErJKLRQ0ptXKdLXHlG0u185e7Y5p4O3Z5dk8bACkpHi +hp764y+BtU4qIcVaPsPK4uU= +-----END PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt new file mode 100644 index 000000000..5fa2a9062 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/x509_modsign.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIUUqmBj5Q8edHMMTXsoGVGEEKdwV4wDQYJKoZIhvcNAQEL +BQAwZzEqMCgGA1UEAxMhbWV0YS1zZWN1cml0eSBtb2R1bGVzIHNpZ25pbmcga2V5 +MRQwEgYDVQQKEwtleGFtcGxlLmNvbTEjMCEGCSqGSIb3DQEJARYUam9obi5kb2VA +ZXhhbXBsZS5jb20wIBcNMTkwNzI3MjIzOTA3WhgPMjExOTA3MjcyMjM5MTVaMGcx +KjAoBgNVBAMTIW1ldGEtc2VjdXJpdHkgbW9kdWxlcyBzaWduaW5nIGtleTEUMBIG +A1UEChMLZXhhbXBsZS5jb20xIzAhBgkqhkiG9w0BCQEWFGpvaG4uZG9lQGV4YW1w +bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFrCYwdqQOSI +ehHpV71Y8FmNYsdWszHIjUTTz0DdQDFxdCv1VJHzmG2j2o4NXEGBH/YJN6uzmeQM +ZFGP3uaYmTkWj3LJo9JVdC/jUpUWMnUeTP0MbRM9uufORYKkRnQHurpkrT5lSnam +tnevDuD4EICSbVbs+p3ZvtLjRFAwlS8IZBkEsDQd6gW2QFF/XrHGf2vHlIgXzGCm +jpPCUcjPtm6/XYKUxYOFHwWHsYDUkKPIOUyARnPCoEIigrhY9X0BIVec+EbrB7YY +3DWF2t0R5nXJccqxnmK+WUXOOx6hNYHeTQ0dFnh5+AuGCnHyta2Wc/9vuoX7CEXx +senECpNt4QIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHgAAw +HQYDVR0OBBYEFDa35X9LnPlrd76inh/cYgeXh6X4MA0GCSqGSIb3DQEBCwUAA4IB +AQBTPTh7zY9BrfZW9Izk9JSZYNigwUDwjrhNBSLr5NKi2A/LmZ0jjdCDkwaCn5io +xrAq5oxPCAkwlzKwY2ootcL3+En4Pq2e5U+n9kRrpDpKKiR5/0S0d9vpgg4eZR0R +kxqE9APCQ5SFU3PgnJ5H5y2SPXzle3bgUsWxNGD81zXFn5clJj4XHvJDWTQ/jG7C +FTQ1o1HXtzda4EmKIzrSU/ayVbpPg5fPEBJjk/hHPT45kfzVZBuxwBLXVbe/YyWi +NTFWCbJwjZwVRKrsQ3HFpYMWvugtcsSHo7vGi06FvUHcS2sUZH5sFn7hulcIGICt +EztTO8Q+yhZujZbmEyJmxqZv +-----END CERTIFICATE----- diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb index 6ed724df2..e1bc6ffa0 100644 --- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -17,6 +17,6 @@ inherit core-image export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 931854ef8..f9a48cd05 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -1,3 +1,5 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" + +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index b3e47ba37..000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null @@ -1,18 +0,0 @@ -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_NG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_DEFAULT_HASH_SHA1=y -CONFIG_IMA_DEFAULT_HASH="sha1" -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_SIGNATURE=y -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_LOAD_X509=y -CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" - -#CONFIG_INTEGRITY_SIGNATURE=y -#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg deleted file mode 100644 index 9a454257a..000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg +++ /dev/null @@ -1,3 +0,0 @@ -# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set -CONFIG_EVM_LOAD_X509=y -CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch deleted file mode 100644 index 5ccb73d9b..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:08:43 +0300 -Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL - -There is no need to link to full libssl. evmctl uses functions from -libcrypto, so let's link only against that library. - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - configure.ac | 4 +--- - src/Makefile.am | 9 ++++----- - 2 files changed, 5 insertions(+), 8 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 60f3684..32e8d85 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -24,9 +24,7 @@ LT_INIT - # Checks for header files. - AC_HEADER_STDC - --PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) --AC_SUBST(OPENSSL_CFLAGS) --AC_SUBST(OPENSSL_LIBS) -+PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) - AC_SUBST(KERNEL_HEADERS) - AC_CHECK_HEADER(unistd.h) - AC_CHECK_HEADERS(openssl/conf.h) -diff --git a/src/Makefile.am b/src/Makefile.am -index d74fc6f..b81281a 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -1,11 +1,11 @@ - lib_LTLIBRARIES = libimaevm.la - - libimaevm_la_SOURCES = libimaevm.c --libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) -+libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) - # current[:revision[:age]] - # result: [current-age].age.revision - libimaevm_la_LDFLAGS = -version-info 0:0:0 --libimaevm_la_LIBADD = $(OPENSSL_LIBS) -+libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) - - include_HEADERS = imaevm.h - -@@ -17,12 +17,11 @@ hash_info.h: Makefile - bin_PROGRAMS = evmctl - - evmctl_SOURCES = evmctl.c --evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) -+evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) - evmctl_LDFLAGS = $(LDFLAGS_READLINE) --evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la -+evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la - - INCLUDES = -I$(top_srcdir) -include config.h - - CLEANFILES = hash_info.h - DISTCLEANFILES = @DISTCLEANFILES@ -- --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch deleted file mode 100644 index 8237274ca..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:17:12 +0300 -Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS - -Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning -about deprecated variable usage. - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - src/Makefile.am | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index b81281a..164e7e4 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -1,7 +1,7 @@ - lib_LTLIBRARIES = libimaevm.la - - libimaevm_la_SOURCES = libimaevm.c --libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) -+libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) - # current[:revision[:age]] - # result: [current-age].age.revision - libimaevm_la_LDFLAGS = -version-info 0:0:0 -@@ -17,11 +17,11 @@ hash_info.h: Makefile - bin_PROGRAMS = evmctl - - evmctl_SOURCES = evmctl.c --evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) -+evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) - evmctl_LDFLAGS = $(LDFLAGS_READLINE) - evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la - --INCLUDES = -I$(top_srcdir) -include config.h -+AM_CPPFLAGS = -I$(top_srcdir) -include config.h - - CLEANFILES = hash_info.h - DISTCLEANFILES = @DISTCLEANFILES@ --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch deleted file mode 100644 index 3d250d2fc..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch +++ /dev/null @@ -1,31 +0,0 @@ -From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:22:30 +0300 -Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution - -Include hash-info.gen into tarball and call it from the sourcedir to fix -out-of-tree build (and thus 'make distcheck'). - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - src/Makefile.am | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/Makefile.am b/src/Makefile.am -index 164e7e4..9c037e2 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h - - nodist_libimaevm_la_SOURCES = hash_info.h - BUILT_SOURCES = hash_info.h -+EXTRA_DIST = hash_info.gen - hash_info.h: Makefile -- ./hash_info.gen $(KERNEL_HEADERS) >$@ -+ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ - - bin_PROGRAMS = evmctl - --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch deleted file mode 100644 index 4ada1a271..000000000 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch +++ /dev/null @@ -1,34 +0,0 @@ -From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 -From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> -Date: Wed, 6 Mar 2019 01:24:04 +0300 -Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files - -Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> ---- - .gitignore | 1 + - src/.gitignore | 1 + - 2 files changed, 2 insertions(+) - create mode 100644 src/.gitignore - -diff --git a/.gitignore b/.gitignore -index ca7a06e..cb82166 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -45,6 +45,7 @@ cscope.* - ncscope.* - - # Generated documentation -+*.1 - *.8 - *.5 - manpage.links -diff --git a/src/.gitignore b/src/.gitignore -new file mode 100644 -index 0000000..38e8e3c ---- /dev/null -+++ b/src/.gitignore -@@ -0,0 +1 @@ -+hash_info.h --- -2.17.1 - diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch index c0bdd9b49..ffa65dfb0 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -23,9 +23,9 @@ diff --git a/src/evmctl.c b/src/evmctl.c index c54efbb..23cf54c 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -56,6 +56,18 @@ - #include <ctype.h> +@@ -57,6 +57,18 @@ #include <termios.h> + #include <assert.h> +/* + * linux/xattr.h might be old to have this. Allow compilation on older diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb index 929d85348..92c24c902 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -6,9 +6,9 @@ DEPENDS += "openssl attr keyutils" DEPENDS_class-native += "openssl-native keyutils-native" -PV = "1.0+git${SRCPV}" -SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" -SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" +PV = "1.2.1+git${SRCPV}" +SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y" # Documentation depends on asciidoc, which we do not have, so # do not build documentation. @@ -21,12 +21,6 @@ SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" # Required for xargs with more than one path as argument (better for performance). SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" -SRC_URI += "\ - file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ - file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ - file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ - file://0004-ima-evm-utils-update-.gitignore-files.patch \ -" S = "${WORKDIR}/git" inherit pkgconfig autotools diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README index b29c143b7..320f85676 100644 --- a/meta-security/meta-security-compliance/README +++ b/meta-security/meta-security-compliance/README @@ -28,9 +28,9 @@ Maintenance Send pull requests, patches, comments or questions to yocto@yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH' -Layer Maintainer: Armin Kuster <akuster@mvista.com> +Layer Maintainer: Armin Kuster <akuster808@gmail.com> License diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index d48feb97a..9ccadab8b 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,8 +8,6 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "thud warrior" +LAYERSERIES_COMPAT_scanners-layer = "warrior" -LAYERDEPENDS_scanners-layer = " \ - core \ -" +LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb index 3ba82f9e4..21e451794 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.2.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "3422cee3b12fc33338fcde003d65e234" -SRC_URI[sha256sum] = "fde6ccf8d6ec0ae1e9c9f4a6d640cddcde4bf7a92f8437d47d16a5477e21bfda" +SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" +SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" S = "${WORKDIR}/${BPN}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch deleted file mode 100644 index 2d70855ab..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch +++ /dev/null @@ -1,36 +0,0 @@ -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -360,25 +360,13 @@ case "${with_crypto}" in - AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.]) - ;; - gcrypt) -- SAVE_LIBS=$LIBS -- AC_CHECK_LIB([gcrypt], [gcry_check_version], -- [crapi_CFLAGS=`libgcrypt-config --cflags`; -- crapi_LIBS=`libgcrypt-config --libs`; -- crapi_libname="GCrypt";], -- [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])], -- []) -- AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.]) -- AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG], -- [ac_cv_gcryctl_set_enforced_fips_flag], -- [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>], -- [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])], -- [ac_cv_gcryctl_set_enforced_fips_flag=yes], -- [ac_cv_gcryctl_set_enforced_fips_flag=no])]) -+ PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[], -+ AC_MSG_FAILURE([libgcrypt devel support is missing])) - -- if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then -- AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.]) -- fi -- LIBS=$SAVE_LIBS -+ crapi_libname="libgcrypt" -+ crapi_CFLAGS=$libgcrypt_CFLAGS -+ crapi_LIBS=$libgcrypt_LIBS -+ AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.]) - ;; - *) - AC_MSG_ERROR([unknown crypto backend]) diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch deleted file mode 100644 index ecbe6026f..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto], - [], - [crypto=gcrypt]) - --if test "x${libexecdir}" = xNONE; then -- probe_dir="/usr/local/libexec/openscap" --else -- EXPAND_DIR(probe_dir,"${libexecdir}/openscap") --fi -+probe_dir="/usr/local/libexec/openscap" - - AC_SUBST(probe_dir) - diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest deleted file mode 100644 index 454a6a3c9..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -cd tests -make -k check diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc index e9589b6bd..53309e8ad 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -1,2 +1,55 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit" +HOME_URL = "https://www.open-scap.org/tools/openscap-base/" +LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" +LICENSE = "LGPL-2.1" + +DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" +DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native perlnative + +PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" +PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" +PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" +PACKAGECONFIG[selinux] = ", ,libselinux" + +EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ + -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ + -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \ + -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \ + -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ + -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \ + -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \ + " + STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +do_configure_append_class-native () { + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h +} + +do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}" + +do_install_append_class-native () { + oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} + install -d $oscapdir + cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir +} + +FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" + +RDEPENDS_${PN} += "libxml2 python3 libgcc" + +BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb deleted file mode 100644 index e2a4fa2e6..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb +++ /dev/null @@ -1,87 +0,0 @@ -# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "NIST Certified SCAP 1.2 toolkit" -HOME_URL = "https://www.open-scap.org/tools/openscap-base/" -LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" -LICENSE = "LGPL-2.1" - -DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \ - libxslt libcap swig swig-native" - -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" - -SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed" -SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \ - file://crypto_pkgconfig.patch \ - file://run-ptest \ -" - -inherit autotools-brokensep pkgconfig python3native perlnative ptest - -S = "${WORKDIR}/git" - -PACKAGECONFIG ?= "nss3 pcre rpm" -PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre" -PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt " -PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" -PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3" -PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl" -PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm" - -export LDFLAGS += " -ldl" - -EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \ - --enable-probes-solaris --enable-probes-unix --disable-util-oscap-docker\ - --enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \ -" - -EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \ - --disable-probes-solaris --disable-probes-unix \ - --enable-util-oscap \ -" - -do_configure_prepend () { - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am - sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am - sed -i 's:python2:python:' ${S}/utils/scap-as-rpm -} - - -include openscap.inc - -do_configure_append_class-native () { - sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h -} - -do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" - -do_install_append_class-native () { - oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} - install -d $oscapdir - cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir -} - -TESTDIR = "tests" - -do_compile_ptest() { - sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py - echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile - oe_runmake -C ${TESTDIR} buildtest-TESTS -} - -do_install_ptest() { - # install the tests - cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH} -} - -FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" - -RDEPENDS_${PN} += "libxml2 python libgcc" -RDEPENDS_${PN}-ptest = "bash perl python" - -BBCLASSEXTEND = "native" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb new file mode 100644 index 000000000..ad29efdad --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb @@ -0,0 +1,9 @@ +SUMARRY = "NIST Certified SCAP 1.2 toolkit" + +require openscap.inc + +SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ +" + +DEFAULT_PREFERENCE = "-1" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb new file mode 100644 index 000000000..963d3dec9 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb @@ -0,0 +1,12 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes" + +include openscap.inc + +SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90" +SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \ +" + +PV = "1.3.1+git${SRCPV}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc new file mode 100644 index 000000000..341721a06 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -0,0 +1,31 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "SCAP content for various platforms" +HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" +LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" +LICENSE = "LGPL-2.1" + +DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" +RDEPENDS_${PN} = "openscap" + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native + +#PARALLEL_MAKE = "" + +STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +OECMAKE_GENERATOR = "Unix Makefiles" + +EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" + +B = "${S}/build" + +do_configure_prepend () { + sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt + sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt +} + +FILES_${PN} += "${datadir}/xml" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb deleted file mode 100644 index 27d3d869a..000000000 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMARRY = "SCAP content for various platforms" -HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" -LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52" -LICENSE = "LGPL-2.1" - -DEPENDS = "openscap-native" - -SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c" -SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;" - -inherit cmake - -PARALLEL_MAKE = "" - -S = "${WORKDIR}/git" - -STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" - -OECMAKE_GENERATOR = "Unix Makefiles" - -EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF" -EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF" - -do_configure_prepend () { - sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt - sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake -} - -do_compile () { - cd ${B} - make openembedded -} - -do_install () { - cd ${B} - make DESTDIR=${D} install -} -FILES_${PN} += "${datadir}/xml" -RDEPNEDS_${PN} = "openscap" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb new file mode 100644 index 000000000..d80ecd7ed --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.44.bb @@ -0,0 +1,8 @@ +SUMARRY = "SCAP content for various platforms, upstream version" + +SRCREV = "8cb2d0f351faff5440742258782281164953b0a6" +SRC_URI = "git://github.com/ComplianceAsCode/content.git" + +DEFAULT_PREFERENCE = "-1" + +require scap-security-guide.inc diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb new file mode 100644 index 000000000..d9238c03f --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -0,0 +1,9 @@ +SUMARRY = "SCAP content for various platforms, OE changes" + +SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" +SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" +PV = "0.1.44+git${SRCPV}" + +require scap-security-guide.inc + +EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index bf9a76ea6..cdccc553e 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "thud warrior" +LAYERSERIES_COMPAT_tpm-layer = "warrior" LAYERDEPENDS_tpm-layer = " \ core \ diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index 240a9b3ba..c6f9d9224 100644 --- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py @@ -16,9 +16,9 @@ class Tpm2Test(OERuntimeTestCase): if expected_endlines: self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines)) - @OEHasPackage(['tpm2.0-tss']) + @OEHasPackage(['tpm2-tss']) @OEHasPackage(['tpm2-abrmd']) - @OEHasPackage(['tpm2.0-tools']) + @OEHasPackage(['tpm2-tools']) @OEHasPackage(['ibmswtpm2']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_tpm2_sim(self): diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb index a337076dc..dbdd309c0 100644 --- a/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb @@ -1,14 +1,13 @@ -DESCRIPTION = "A small image for building meta-security packages" +DESCRIPTION = "A small image for building a tpm image for testing" IMAGE_FEATURES += "ssh-server-openssh" IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \ + packagegroup-security-tpm \ os-release \ - ${CORE_IMAGE_EXTRA_INSTALL}" +" IMAGE_LINGUAS ?= " " diff --git a/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb new file mode 100644 index 000000000..7e047d127 --- /dev/null +++ b/meta-security/meta-tpm/recipes-core/images/security-tpm2-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for building a tpm2 image for testing" + +IMAGE_FEATURES += "ssh-server-openssh" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-security-tpm2 \ + os-release \ +" + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-tpm2-image" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 5ded3a2cc..8f5c537b9 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -5,19 +5,19 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda inherit packagegroup -PACKAGES = "packagegroup-security-tpm2" +PACKAGES = "${PN}" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ trousers \ + tpm2-tss \ libtss2 \ + libtss2-mu \ libtss2-tcti-device \ libtss2-tcti-mssim \ tpm2-abrmd \ tpm2-pkcs11 \ + ibmswtpm2 \ cryptsetup-tpm-incubator \ " - -RDEPENDS_packagegroup-security-tpm2_append_x86 = " tpm2-tcti-uefi" -RDEPENDS_packagegroup-security-tpm2_append_x86-64 = " tpm2-tcti-uefi" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb index 9031e63e4..222bb6d0e 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb @@ -2,7 +2,7 @@ SUMMARY = "A PKCS#11 interface for TPM2 hardware" DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." SECTION = "security/tpm" LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b748af41ef1300c98e105b3b7ec4ecc1" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95" DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools" @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \ file://bootstrap_fixup.patch \ " -SRCREV = "3107d89b406ecd9c007884613733c9a344ef6d39" +SRCREV = "9eed9df823a960da481327468a73d477241befdb" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch new file mode 100644 index 000000000..3b54dddf7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi/0001-configure.ac-stop-inserting-host-directories-into-co.patch @@ -0,0 +1,27 @@ +From b74837184cfdefb45e48f3fdc974fc67691fc861 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> +Date: Wed, 3 Jul 2019 19:16:35 +0300 +Subject: [PATCH] configure.ac: stop inserting host directories into compile + path + +Do not insert /usr/lib and /usr/lib64 into library search path. + +Upstream-Status: OE specific +Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: git/configure.ac +=================================================================== +--- git.orig/configure.ac ++++ git/configure.ac +@@ -81,7 +81,7 @@ AC_ARG_WITH([efi-lds], + AS_HELP_STRING([--with-efi-lds=LDS_PATH],[Path to gnu-efi lds file.]), + [], + [with_efi_lds="/usr/lib/elf_${ARCH}_efi.lds"]) +-EXTRA_LDFLAGS="-L /usr/lib -L /usr/lib64 -Wl,--script=${with_efi_lds}" ++EXTRA_LDFLAGS="-Wl,--script=${with_efi_lds}" + + # path to object file from gnu-efi + AC_ARG_WITH([efi-crt0], diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 815691dfe..e822e2974 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -2,17 +2,38 @@ SUMMARY = "TCTI module for use with TSS2 libraries in UEFI environment" SECTION = "security/tpm" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig" +DEPENDS = "libtss2-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native" SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ + file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ " -SRCREV = "131889d12d2c7d8974711d2ebd1032cd32577b7f" +SRCREV = "7baf1eebfeb56a896bdd5d677fb24377d619eb9d" S = "${WORKDIR}/git" inherit autotools pkgconfig +EFIDIR ?= "/EFI/BOOT" + +do_compile_append() { + oe_runmake example +} + +do_install_append() { + install -d "${D}${EFIDIR}" + install -m 0755 "${B}"/example/*.efi "${D}${EFIDIR}" +} + +EFI_ARCH_x86 = "ia32" +EFI_ARCH_x86-64 = "x86_64" + COMPATIBLE_HOST = "(i.86|x86_64).*-linux" -EXTRA_OECONF_append = " --with-efi-includedir=${STAGING_INCDIR}/efi --with-efi-lds=${STAGING_LIBDIR_NATIVE}/" +EXTRA_OECONF_append = "\ + --with-efi-includedir=${STAGING_INCDIR}/efi \ + --with-efi-crt0=${STAGING_LIBDIR_NATIVE}/crt0-efi-${EFI_ARCH}.o \ + --with-efi-lds=${STAGING_LIBDIR_NATIVE}/elf_${EFI_ARCH}_efi.lds \ +" RDEPENDS_${PN} = "gnu-efi" + +FILES_${PN} += "${EFIDIR}" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb index 1f1f5c606..b6f1be0d9 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.1.3.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_3.2.0.bb @@ -6,7 +6,7 @@ SECTION = "tpm" DEPENDS = "pkgconfig tpm2-tss openssl curl autoconf-archive" -SRCREV = "74ba065e5914bc5d713ca3709d62a5751b097369" +SRCREV = "a17daa948fc67685651bf3b7a589ed341080ddd3" SRC_URI = "git://github.com/tpm2-software/tpm2-tools.git;branch=3.X" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb new file mode 100644 index 000000000..d47b7560d --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb @@ -0,0 +1,18 @@ +SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" + +SECTION = "security/tpm" + +DEPENDS = "autoconf-archive libtss2-dev qrencode" + +PE = "1" + +SRCREV = "2807a509a9da383e14dc0f759e71fd676db04ab1" +SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.1.x \ + file://litpm2_totp_build_fix.patch " + +inherit autotools-brokensep pkgconfig + +S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb deleted file mode 100644 index bc94ab711..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb +++ /dev/null @@ -1,17 +0,0 @@ -SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." -DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures." - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" - -SECTION = "security/tpm" - -DEPENDS = "autoconf-archive libtss2-dev qrencode" - -SRCREV = "44fcb6819f79302d5a088b3def648616e3551d4a" -SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git \ - file://litpm2_totp_build_fix.patch " - -inherit autotools-brokensep pkgconfig - -S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb index 36530be2c..0a8d54f62 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.0.bb @@ -8,7 +8,7 @@ SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "bef89ec79cbb4c99963b0e336d9184827c545782" +SRCREV = "a81d44a8610e28e5987af64f8aae16e4a2d09eaa" SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git" inherit autotools-brokensep pkgconfig systemd diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch new file mode 100644 index 000000000..86b2cb6dd --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch @@ -0,0 +1,84 @@ +From ec08ab41495ac40641475707c46e844503ada5b3 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabonas@gmx.de> +Date: Mon, 7 Jan 2019 22:15:06 +0100 +Subject: [PATCH] build: update for ax_code_coverage.m4 version 2019.01.06 + +@CODE_COVERAGE_RULES@ doesn't exist any more and needs to be replaced. +Also includes a compatibility switch for older versions of the file. + +Signed-off-by: Jonas Witschel <diabonas@gmx.de> +--- + .gitignore | 1 + + .travis.yml | 10 +++++----- + Makefile.am | 6 ++++++ + configure.ac | 3 +++ + 4 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/.gitignore b/.gitignore +index 7c6a7b62e6c1..aa1a7efdff71 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -26,6 +26,7 @@ + AUTHORS + tags + aclocal.m4 ++aminclude_static.am + autom4te.cache/ + [Bb]uild/ + [Dd]ebug/ +diff --git a/.travis.yml b/.travis.yml +index 55f88e22999b..a668e2953dc2 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -44,11 +44,11 @@ addons: + + install: + # Autoconf archive +- - wget https://download.01.org/tpm2/autoconf-archive-2017.09.28.tar.xz +- - sha256sum autoconf-archive-2017.09.28.tar.xz | grep -q 5c9fb5845b38b28982a3ef12836f76b35f46799ef4a2e46b48e2bd3c6182fa01 || travis_terminate 1 +- - tar xJf autoconf-archive-2017.09.28.tar.xz +- - cp autoconf-archive-2017.09.28/m4/ax_code_coverage.m4 m4/ +- - cp autoconf-archive-2017.09.28/m4/ax_prog_doxygen.m4 m4/ ++ - wget http://ftpmirror.gnu.org/autoconf-archive/autoconf-archive-2019.01.06.tar.xz ++ - sha256sum autoconf-archive-2019.01.06.tar.xz | grep -q 17195c833098da79de5778ee90948f4c5d90ed1a0cf8391b4ab348e2ec511e3f || travis_terminate 1 ++ - tar xJf autoconf-archive-2019.01.06.tar.xz ++ - cp autoconf-archive-2019.01.06/m4/ax_code_coverage.m4 m4/ ++ - cp autoconf-archive-2019.01.06/m4/ax_prog_doxygen.m4 m4/ + # IBM-TPM + - wget https://download.01.org/tpm2/ibmtpm974.tar.gz + # OpenSSL 1.0.2 +diff --git a/Makefile.am b/Makefile.am +index 1b792d89a392..8e62e9c77c7d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -19,7 +19,13 @@ noinst_PROGRAMS = + + ### Add ax_* rules ### + # ax_code_coverage ++if AUTOCONF_CODE_COVERAGE_2019_01_06 ++include $(top_srcdir)/aminclude_static.am ++clean-local: code-coverage-clean ++dist-clean-local: code-coverage-dist-clean ++else + @CODE_COVERAGE_RULES@ ++endif + + # ax_doxygen + @DX_RULES@ +diff --git a/configure.ac b/configure.ac +index 6c7b0fd96399..22b79c50c015 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -312,6 +312,9 @@ AS_IF([test "x$enable_doxygen_doc" != xno], + [ERROR_IF_NO_PROG([doxygen])]) + + AX_CODE_COVERAGE ++m4_ifdef([_AX_CODE_COVERAGE_RULES], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [true])], ++ [AM_CONDITIONAL(AUTOCONF_CODE_COVERAGE_2019_01_06, [false])]) + + AC_OUTPUT + +-- +2.20.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb index 78bdeebe0..ffbd3f4e4 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.1.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.2.3.bb @@ -6,9 +6,10 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRCREV = "eb69e13559f20a0b49002a685c6f4a39be9503e2" +SRCREV = "36b1539c82bf675265d6f6a6cd808a189b6971f4" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.2.x \ + file://0001-build-update-for-ax_code_coverage.m4-version-2019.01.patch" inherit autotools-brokensep pkgconfig systemd diff --git a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch deleted file mode 100644 index 7f80a5c61..000000000 --- a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Fri, 15 Jan 2016 00:48:58 -0500 -Subject: [PATCH] Enable obfuscating binaries natively. - -Enable obfuscating binaries natively. - -The samhain build process involves an obfuscation step that attempts to -defeat decompilation or other binary analysis techniques which might reveal -secret information that should be known only to the system administrator. -The obfuscation step builds several applications which run on the build host -and then generate target code, which is then built into target binaries. - -This patch creates a basic infrastructure that supports building the -obfuscation binaries natively then cross-compiling the target code by adding -a special configure option. In the absence of this option the old behaviour -is preserved. - -Upstream-Status: Inappropriate [cross compile specific] - -Signed-off-by: Aws Ismail <aws.ismail@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - Makefile.in | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 684e92b..fb090e2 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -54,7 +54,7 @@ selectconfig = @selectconfig@ - top_builddir = . - - INSTALL = @INSTALL@ --INSTALL_PROGRAM = @INSTALL@ -s -m 700 -+INSTALL_PROGRAM = @INSTALL@ -m 700 - INSTALL_SHELL = @INSTALL@ -m 700 - INSTALL_DATA = @INSTALL@ -m 600 - INSTALL_MAN = @INSTALL@ -m 644 -@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip - echo " $(INSTALL_PROGRAM) $$p $$target"; \ - $(INSTALL_PROGRAM) $$p $$target; \ - chmod 0700 $$target; \ -- echo " ./sstrip $$target"; \ -- ./sstrip $$target; \ - else \ - echo " $(INSTALL_SHELL) $$p $$target"; \ - $(INSTALL_SHELL) $$p $$target; \ --- -1.9.1 - diff --git a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-client.bb index 0f53a8cde..0f53a8cde 100644 --- a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-client.bb diff --git a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-server.bb index d304912e7..d304912e7 100644 --- a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-server.bb diff --git a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-standalone.bb index 4fed9e9e9..4fed9e9e9 100644 --- a/meta-security/recipes-ids/samhain/samhain-standalone_4.3.2.bb +++ b/meta-security/recipes-ids/samhain/samhain-standalone.bb diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index 1b9af39ce..16222ba10 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -3,9 +3,9 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" +PV = "4.3.3" SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ - file://samhain-cross-compile.patch \ file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \ file://samhain-samhainrc.patch \ file://samhain-samhainrc-fix-files-dirs-path.patch \ @@ -19,8 +19,8 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain.service \ " -SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b" -SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc" +SRC_URI[md5sum] = "7be46ae7d03f53ba21afafd41cff8926" +SRC_URI[sha256sum] = "33ad4bc3dad4699694553bd9635a6b5827939f965d1f0f05fce0b4e9cdadf21b" UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" diff --git a/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend b/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend new file mode 100644 index 000000000..76b5df55b --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-stable_5.2.bbappend @@ -0,0 +1,4 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" + diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg deleted file mode 100644 index ae6cdcdf0..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg +++ /dev/null @@ -1,9 +0,0 @@ -CONFIG_AUDIT=y -CONFIG_SECURITY_PATH=y -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg deleted file mode 100644 index fc3574015..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg deleted file mode 100644 index b5c48454e..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg deleted file mode 100644 index 0d5fc645c..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg +++ /dev/null @@ -1,7 +0,0 @@ -CONFIG_NETLABEL=y -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_SMACK=y -CONFIG_SECURITY_SMACK_BRINGUP=y -CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y -CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend new file mode 100644 index 000000000..239e30e70 --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -0,0 +1,2 @@ +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" ++KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg deleted file mode 100644 index b5f9bb2a6..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg +++ /dev/null @@ -1,15 +0,0 @@ -CONFIG_AUDIT=y -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set -CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set -CONFIG_SECURITY_PATH=y -# CONFIG_SECURITY_SELINUX is not set -CONFIG_SECURITY_APPARMOR=y -CONFIG_SECURITY_APPARMOR_HASH=y -CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y -# CONFIG_SECURITY_APPARMOR_DEBUG is not set -CONFIG_INTEGRITY_AUDIT=y -CONFIG_DEFAULT_SECURITY_APPARMOR=y -# CONFIG_DEFAULT_SECURITY_DAC is not set -CONFIG_DEFAULT_SECURITY="apparmor" -CONFIG_AUDIT_GENERIC=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg b/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg deleted file mode 100644 index fc3574015..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/apparmor_on_boot.cfg +++ /dev/null @@ -1 +0,0 @@ -CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg deleted file mode 100644 index b5c48454e..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg +++ /dev/null @@ -1,2 +0,0 @@ -CONFIG_DEFAULT_SECURITY="smack" -CONFIG_DEFAULT_SECURITY_SMACK=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg deleted file mode 100644 index 62f465a45..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg +++ /dev/null @@ -1,8 +0,0 @@ -CONFIG_IP_NF_SECURITY=m -CONFIG_IP6_NF_SECURITY=m -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_SECURITY=y -CONFIG_SECURITY_SMACK=y -CONFIG_TMPFS_XATTR=y diff --git a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend index 321392c0b..39d4e6f50 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend @@ -1,11 +1,2 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend deleted file mode 100644 index f810e2112..000000000 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.0.%.bbappend +++ /dev/null @@ -1,11 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-5.0:" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor_on_boot.cfg', '', d)} \ -" - -SRC_URI += "\ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \ -" diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 7d8767e2f..7f0433777 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -66,14 +66,12 @@ EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" EXTRA_OECONF_class-target += "--with-user=${UID} --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}" do_configure () { - cd ${S} - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} install -d ${S}/clamav_db } do_configure_class-native () { - cd ${S} - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} + ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} } diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb new file mode 100644 index 000000000..c71d7267d --- /dev/null +++ b/meta-security/recipes-security/images/security-test-image.bb @@ -0,0 +1,33 @@ +DESCRIPTION = "A small image for testing meta-security packages" + +IMAGE_FEATURES += "ssh-server-openssh" + +TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" + +INSTALL_CLAMAV_CVD = "1" + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-core-security-ptest \ + clamav \ + tripwire \ + checksec \ + suricata \ + samhain-standalone \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ + os-release \ + " + + +IMAGE_LINGUAS ?= " " + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "security-test-image" + +IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch deleted file mode 100644 index 938fe2eb5..000000000 --- a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch +++ /dev/null @@ -1,28 +0,0 @@ -From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Tue, 26 Sep 2017 07:59:51 +0000 -Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link - -The absolute path of the symlink will be invalid -when populated in sysroot, so use relative path instead. - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> -{rebased for 1.6] -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: keyutils-1.6/Makefile -=================================================================== ---- keyutils-1.6.orig/Makefile -+++ keyutils-1.6/Makefile -@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0) - $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) - $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) - mkdir -p $(DESTDIR)$(USRLIBDIR) -- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) -+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) - sed \ - -e 's,@VERSION\@,$(VERSION),g' \ - -e 's,@prefix\@,$(PREFIX),g' \ diff --git a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch deleted file mode 100644 index acd91c01c..000000000 --- a/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch +++ /dev/null @@ -1,42 +0,0 @@ -fix keyutils test error report - -Upstream-Status: Pending - -"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED. -"Required key not available" may be the reason of EKEYREVOKED. -EXPIRED and REVOKED are 2 status of kernel security keys features. -But the userspace keyutils lib will output the error message, which may -have several reasons. - -Signed-off-by: Han Chao <chan@windriver.com> - -diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh -index bbca00a..739e9d0 100644 ---- a/tests/toolbox.inc.sh -+++ b/tests/toolbox.inc.sh -@@ -227,11 +227,12 @@ function expect_error () - ;; - EKEYEXPIRED) - my_err="Key has expired" -- alt_err="Unknown error 127" -+ alt_err="Permission denied" - ;; - EKEYREVOKED) - my_err="Key has been revoked" -- alt_err="Unknown error 128" -+ alt_err="Permission denied" -+ alt2_err="Required key not available" - ;; - EKEYREJECTED) - my_err="Key has been rejected" -@@ -249,6 +250,9 @@ function expect_error () - elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null - then - : -+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null -+ then -+ : - elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null - then - : - diff --git a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch deleted file mode 100644 index a4ffd50ce..000000000 --- a/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Mon, 15 May 2017 14:52:00 +0800 -Subject: [PATCH] keyutils: fix output format - -keyutils ptest output format is incorrect, according to yocto -Development Manual -(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest) -5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake: -<result>: <testname> -where the result can be PASS, FAIL, or SKIP, and the testname can be any -identifying string. -So we should change the test result format to match yocto ptest rules. - -Upstream-Status: Inappropriate [OE ptest specific] - -Signed-off-by: Li Wang <li.wang@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - tests/runtest.sh | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tests/runtest.sh b/tests/runtest.sh -index b6eaa7c..84263fb 100644 ---- a/tests/runtest.sh -+++ b/tests/runtest.sh -@@ -21,6 +21,11 @@ for i in ${TESTS}; do - echo "### RUNNING TEST $i" - if [[ $AUTOMATED != 0 ]] ; then - bash ./runtest.sh -+ if [ $? != 0 ]; then -+ echo "FAIL: $i" -+ else -+ echo "PASS: $i" -+ fi - else - bash ./runtest.sh || exit 1 - fi --- -2.11.0 - diff --git a/meta-security/recipes-security/keyutils/files/run-ptest b/meta-security/recipes-security/keyutils/files/run-ptest deleted file mode 100755 index 305707f65..000000000 --- a/meta-security/recipes-security/keyutils/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -export AUTOMATED=1 -make -C tests run diff --git a/meta-security/recipes-security/keyutils/keyutils_1.6.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb deleted file mode 100644 index 4d3a96f29..000000000 --- a/meta-security/recipes-security/keyutils/keyutils_1.6.bb +++ /dev/null @@ -1,53 +0,0 @@ -SUMMARY = "Linux Key Management Utilities" -DESCRIPTION = "\ - Utilities to control the kernel key management facility and to provide \ - a mechanism by which the kernel call back to userspace to get a key \ - instantiated. \ - " -HOMEPAGE = "http://people.redhat.com/dhowells/keyutils" -SECTION = "base" - -LICENSE = "LGPLv2.1+ & GPLv2.0+" - -LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \ - file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f" - -inherit siteinfo autotools-brokensep ptest - -SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ - file://keyutils-test-fix-output-format.patch \ - file://keyutils-fix-error-report-by-adding-default-message.patch \ - file://run-ptest \ - file://fix_library_install_path.patch \ - " - -SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" -SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115" - -EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ - NO_ARLIB=1 \ - BINDIR=${base_bindir} \ - SBINDIR=${base_sbindir} \ - LIBDIR=${libdir} \ - USRLIBDIR=${libdir} \ - INCLUDEDIR=${includedir} \ - BUILDFOR=${SITEINFO_BITS}-bit \ - NO_GLIBC_KEYERR=1 \ - " - -do_install () { - install -d ${D}/${libdir}/pkgconfig - oe_runmake DESTDIR=${D} install -} - -do_install_ptest () { - cp -r ${S}/tests ${D}${PTEST_PATH}/ - sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh -} - - -RDEPENDS_${PN}-ptest += "lsb" -RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" -RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb index b46159f20..8c288beeb 100644 --- a/meta-security/recipes-security/libmspack/libmspack_0.10.1.bb +++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb @@ -6,11 +6,11 @@ DEPENDS = "" LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd" -SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.xz" - -SRC_URI[md5sum] = "d894d91eba4d2c6f76695fc9566d5387" -SRC_URI[sha256sum] = "850c57442b850bf1bc0fc4ea8880903ebf2bed063c3c80782ee4626fbcb0e67d" +SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc" +SRC_URI = "git://github.com/kyz/libmspack.git" inherit autotools -S = "${WORKDIR}/${BP}alpha" +S = "${WORKDIR}/git/${BPN}" + +inherit autotools diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb new file mode 100644 index 000000000..493488918 --- /dev/null +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb @@ -0,0 +1,25 @@ +DESCRIPTION = "Security ptest packagegroup" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +PACKAGES = "\ + ${PN} \ + " + +ALLOW_EMPTY_${PN} = "1" + +SUMMARY_${PN} = "Security packages with ptests" +RDEPENDS_${PN} = " \ + ptest-runner \ + samhain-standalone-ptest \ + xmlsec1-ptest \ + keyutils-ptest \ + libseccomp-ptest \ + python-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ + " diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index b8ab27df1..9165eef9f 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -12,7 +12,6 @@ PACKAGES = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ @@ -21,7 +20,6 @@ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-ids \ packagegroup-security-mac \ ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" @@ -34,6 +32,7 @@ RDEPENDS_packagegroup-security-utils = "\ xmlsec1 \ keyutils \ libseccomp \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ " @@ -42,6 +41,8 @@ RDEPENDS_packagegroup-security-scanners = "\ nikto \ checksecurity \ clamav \ + clamav-freshclam \ + clamav-cvd \ " SUMMARY_packagegroup-security-audit = "Security Audit tools " @@ -68,18 +69,3 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " - -SUMMARY_packagegroup-security-ptest = "Security packages with ptests" -RDEPENDS_packagegroup-security-ptest = " \ - samhain-standalone-ptest \ - xmlsec1-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - ptest-runner \ - " diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb index eac8d6bd4..0a4c56aa0 100644 --- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb +++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.28.bb @@ -20,8 +20,8 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://run-ptest \ " -SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e" -SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6" +SRC_URI[md5sum] = "69b8d95c009a404462e19f335e650241" +SRC_URI[sha256sum] = "13eec4811ea30e3f0e16a734d1dbf7f9d246a71d540b48d143a07b489f6222d4" inherit autotools-brokensep ptest pkgconfig diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch deleted file mode 100644 index 8ab094fa7..000000000 --- a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/wscript 2015-11-18 12:43:33.000000000 +0100 -+++ b/wscript 2015-11-18 12:46:25.000000000 +0100 -@@ -58,9 +58,7 @@ - if conf.env.standalone_ldb: - conf.CHECK_XSLTPROC_MANPAGES() - -- # we need this for the ldap backend -- if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): -- conf.env.ENABLE_LDAP_BACKEND = True -+ conf.env.ENABLE_LDAP_BACKEND = False - - # we don't want any libraries or modules to rely on runtime - # resolution of symbols diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch deleted file mode 100755 index fdd312c0a..000000000 --- a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch +++ /dev/null @@ -1,58 +0,0 @@ -Some modules such as dynamic library maybe cann't be imported while cross compile, -we just check whether does the module exist. - -Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> - -Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -=================================================================== ---- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py -+++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py -@@ -2,6 +2,7 @@ - - import sys - import Build, Options, Logs -+import imp, os - from Configure import conf - from samba_utils import TO_LIST - -@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li - # versions - minversion = minimum_library_version(conf, libname, minversion) - -- try: -- m = __import__(modulename) -- except ImportError: -- found = False -- else: -+ # Find module in PYTHONPATH -+ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) -+ if stuff: - try: -- version = m.__version__ -- except AttributeError: -+ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) -+ except ImportError: - found = False -+ -+ if conf.env.CROSS_COMPILE: -+ # Some modules such as dynamic library maybe cann't be imported -+ # while cross compile, we just check whether the module exist -+ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) -+ found = True - else: -- found = tuplize_version(version) >= tuplize_version(minversion) -+ try: -+ version = m.__version__ -+ except AttributeError: -+ found = False -+ else: -+ found = tuplize_version(version) >= tuplize_version(minversion) -+ finally: -+ if stuff[0]: -+ stuff[0].close() -+ else: -+ found = False -+ - if not found and not conf.LIB_MAY_BE_BUNDLED(libname): - Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) - sys.exit(1) diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch deleted file mode 100644 index ffe253b63..000000000 --- a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch +++ /dev/null @@ -1,193 +0,0 @@ -From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Wed, 21 Sep 2016 10:06:39 +0800 -Subject: [PATCH 1/1] ldb: Add configure options for packages - -Add configure options for the following packages: - - acl - - attr - - libaio - - libbsd - - libcap - - valgrind - -Upstream-Status: Inappropriate [oe deterministic build specific] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - lib/replace/system/wscript_configure | 6 ++- - lib/replace/wscript | 94 +++++++++++++++++++++++++++--------- - wscript | 7 +++ - 3 files changed, 83 insertions(+), 24 deletions(-) - -diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure -index 2035474..10f9ae7 100644 ---- a/lib/replace/system/wscript_configure -+++ b/lib/replace/system/wscript_configure -@@ -1,6 +1,10 @@ - #!/usr/bin/env python - --conf.CHECK_HEADERS('sys/capability.h') -+import Options -+ -+if Options.options.enable_libcap: -+ conf.CHECK_HEADERS('sys/capability.h') -+ - conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r') - - # solaris varients of getXXent_r -diff --git a/lib/replace/wscript b/lib/replace/wscript -index 2f94d49..68b2d3a 100644 ---- a/lib/replace/wscript -+++ b/lib/replace/wscript -@@ -23,6 +23,41 @@ def set_options(opt): - opt.PRIVATE_EXTENSION_DEFAULT('') - opt.RECURSE('buildtools/wafsamba') - -+ opt.add_option('--with-acl', -+ help=("Enable use of acl"), -+ action="store_true", dest='enable_acl') -+ opt.add_option('--without-acl', -+ help=("Disable use of acl"), -+ action="store_false", dest='enable_acl', default=False) -+ -+ opt.add_option('--with-attr', -+ help=("Enable use of attr"), -+ action="store_true", dest='enable_attr') -+ opt.add_option('--without-attr', -+ help=("Disable use of attr"), -+ action="store_false", dest='enable_attr', default=False) -+ -+ opt.add_option('--with-libaio', -+ help=("Enable use of libaio"), -+ action="store_true", dest='enable_libaio') -+ opt.add_option('--without-libaio', -+ help=("Disable use of libaio"), -+ action="store_false", dest='enable_libaio', default=False) -+ -+ opt.add_option('--with-libbsd', -+ help=("Enable use of libbsd"), -+ action="store_true", dest='enable_libbsd') -+ opt.add_option('--without-libbsd', -+ help=("Disable use of libbsd"), -+ action="store_false", dest='enable_libbsd', default=False) -+ -+ opt.add_option('--with-libcap', -+ help=("Enable use of libcap"), -+ action="store_true", dest='enable_libcap') -+ opt.add_option('--without-libcap', -+ help=("Disable use of libcap"), -+ action="store_false", dest='enable_libcap', default=False) -+ - @Utils.run_once - def configure(conf): - conf.RECURSE('buildtools/wafsamba') -@@ -32,12 +67,25 @@ def configure(conf): - conf.DEFINE('HAVE_LIBREPLACE', 1) - conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1) - -- conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h') -- conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h') -+ conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h') -+ conf.CHECK_HEADERS('compat.h ctype.h dustat.h') - conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h') -- conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h') -- conf.CHECK_HEADERS('shadow.h sys/acl.h') -- conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h') -+ conf.CHECK_HEADERS('locale.h ndir.h pwd.h') -+ conf.CHECK_HEADERS('shadow.h') -+ conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h') -+ -+ if Options.options.enable_acl: -+ conf.CHECK_HEADERS('acl/libacl.h sys/acl.h') -+ -+ if Options.options.enable_attr: -+ conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h') -+ -+ if Options.options.enable_libaio: -+ conf.CHECK_HEADERS('libaio.h') -+ -+ if Options.options.enable_libcap: -+ conf.CHECK_HEADERS('sys/capability.h') -+ - conf.CHECK_HEADERS('port.h') - conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h') - conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h') -@@ -73,7 +121,9 @@ def configure(conf): - - conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') - -- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') -+ if Options.options.enable_valgrind: -+ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') -+ - conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') - conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h') - conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h') -@@ -266,22 +316,20 @@ def configure(conf): - - conf.CHECK_FUNCS('prctl dirname basename') - -- strlcpy_in_bsd = False -- -- # libbsd on some platforms provides strlcpy and strlcat -- if not conf.CHECK_FUNCS('strlcpy strlcat'): -- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', -- checklibc=True): -- strlcpy_in_bsd = True -- if not conf.CHECK_FUNCS('getpeereid'): -- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') -- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): -- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') -- if not conf.CHECK_FUNCS('setproctitle_init'): -- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') -- -- if not conf.CHECK_FUNCS('closefrom'): -- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') -+ if Options.options.enable_libbsd: -+ # libbsd on some platforms provides strlcpy and strlcat -+ if not conf.CHECK_FUNCS('strlcpy strlcat'): -+ conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', -+ checklibc=True) -+ if not conf.CHECK_FUNCS('getpeereid'): -+ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h') -+ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'): -+ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h') -+ if not conf.CHECK_FUNCS('setproctitle_init'): -+ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h') -+ -+ if not conf.CHECK_FUNCS('closefrom'): -+ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h') - - conf.CHECK_CODE(''' - struct ucred cred; -@@ -632,7 +680,7 @@ removeea setea - # look for a method of finding the list of network interfaces - for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']: - bsd_for_strlcpy = '' -- if strlcpy_in_bsd: -+ if Options.options.enable_libbsd: - bsd_for_strlcpy = ' bsd' - if conf.CHECK_CODE(''' - #define %s 1 -diff --git a/wscript b/wscript -index 8ae5be3..a178cc4 100644 ---- a/wscript -+++ b/wscript -@@ -31,6 +31,13 @@ def set_options(opt): - opt.RECURSE('lib/replace') - opt.tool_options('python') # options for disabling pyc or pyo compilation - -+ opt.add_option('--with-valgrind', -+ help=("enable use of valgrind"), -+ action="store_true", dest='enable_valgrind') -+ opt.add_option('--without-valgrind', -+ help=("disable use of valgrind"), -+ action="store_false", dest='enable_valgrind', default=False) -+ - def configure(conf): - conf.RECURSE('lib/tdb') - conf.RECURSE('lib/tevent') --- -2.16.2 - diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb deleted file mode 100644 index c644b20b0..000000000 --- a/meta-security/recipes-support/libldb/libldb_1.3.1.bb +++ /dev/null @@ -1,64 +0,0 @@ -SUMMARY = "Hierarchical, reference counted memory pool system with destructors" -HOMEPAGE = "http://ldb.samba.org" -SECTION = "libs" -LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+" - -DEPENDS += "libtdb libtalloc libtevent popt" -RDEPENDS_pyldb += "python" - -SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \ - file://do-not-import-target-module-while-cross-compile.patch \ - file://options-1.3.1.patch \ - " - -PACKAGECONFIG ??= "\ - ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \ -" -PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl" -PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr" -PACKAGECONFIG[ldap] = ",,openldap" -PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio" -PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd" -PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap" -PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind" - -SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}" - -LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \ - file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ - file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" - -SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983" -SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2" - -CROSS_METHOD="exec" -inherit waf-samba - -S = "${WORKDIR}/ldb-${PV}" - -EXTRA_OECONF += "--disable-rpath \ - --disable-rpath-install \ - --bundled-libraries=cmocka \ - --builtin-libraries=replace \ - --with-modulesdir=${libdir}/ldb/modules \ - --with-privatelibdir=${libdir}/ldb \ - --with-libiconv=${STAGING_DIR_HOST}${prefix}\ - " - -PACKAGES =+ "pyldb pyldb-dbg pyldb-dev" - -NOAUTOPACKAGEDEBUG = "1" - -FILES_${PN} += "${libdir}/ldb/*" -FILES_${PN}-dbg += "${bindir}/.debug/* \ - ${libdir}/.debug/* \ - ${libdir}/ldb/.debug/* \ - ${libdir}/ldb/modules/ldb/.debug/*" - -FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ - ${libdir}/libpyldb-util.so.* \ - " -FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \ - ${libdir}/.debug/libpyldb-util.so.*" -FILES_pyldb-dev = "${libdir}/libpyldb-util.so" |