3 files changed, 90 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0001-Modfiy-system.conf-DefaultTimeoutStopSec.patch b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0001-Modfiy-system.conf-DefaultTimeoutStopSec.patch
new file mode 100644
index 000000000..5b9f17006
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0001-Modfiy-system.conf-DefaultTimeoutStopSec.patch
@@ -0,0 +1,28 @@
+From e02932693f92d6230b5520f431e127f7b6e2183e Mon Sep 17 00:00:00 2001
+From: James Feist <james.feist@linux.intel.com>
+Date: Tue, 6 Mar 2018 16:06:33 -0800
+Subject: [PATCH 1/1] Modfiy system.conf DefaultTimeoutStopSec
+
+Current time is 5 minutes, change it to 10 seconds.
+
+Signed-off-by: James Feist <james.feist@linux.intel.com>
+---
+ src/core/system.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 8112125468..f7a35a56bb 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -39,7 +39,7 @@
+ #DefaultStandardOutput=journal
+ #DefaultStandardError=inherit
+ #DefaultTimeoutStartSec=90s
+-#DefaultTimeoutStopSec=90s
++DefaultTimeoutStopSec=10s
+ #DefaultTimeoutAbortSec=
+ #DefaultRestartSec=100ms
+ #DefaultStartLimitIntervalSec=10s
+-- 
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0002-Disable-LLMNR-port-5355.patch b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0002-Disable-LLMNR-port-5355.patch
new file mode 100644
index 000000000..8b978e4fb
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/0002-Disable-LLMNR-port-5355.patch
@@ -0,0 +1,26 @@
+From 9fb05323291ccdfbf19ac0d9428e366d6023b408 Mon Sep 17 00:00:00 2001
+From: Karthick Sundarrajan <karthick.sundarrajan@intel.com>
+Date: Fri, 3 Apr 2020 10:23:41 -0700
+Subject: [PATCH] Disable LLMNR (port 5355)
+
+As part of OS hardening process, the port has to be
+disabled.
+
+Signed-off-by: Karthick Sundarrajan <karthick.sundarrajan@intel.com>
+---
+ src/resolve/resolved.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
+index 6898c78..a9125fd 100644
+--- a/src/resolve/resolved.conf.in
++++ b/src/resolve/resolved.conf.in
+@@ -15,7 +15,7 @@
+ #DNS=
+ #FallbackDNS=@DNS_SERVERS@
+ #Domains=
+-#LLMNR=yes
++LLMNR=no
+ #MulticastDNS=yes
+ #DNSSEC=@DEFAULT_DNSSEC_MODE@
+ #DNSOverTLS=@DEFAULT_DNS_OVER_TLS_MODE@
diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/systemd-time-wait-sync.service b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/systemd-time-wait-sync.service
new file mode 100644
index 000000000..f71aea39d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd/systemd-time-wait-sync.service
@@ -0,0 +1,36 @@
+#  SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Wait Until Kernel Time Synchronized
+Documentation=man:systemd-time-wait-sync.service(8)
+
+# Note that this tool doesn't need CAP_SYS_TIME itself, but it's primary
+# usecase is to run in conjunction with a local NTP service such as
+# systemd-timesyncd.service, which is conditioned this way. There might be
+# niche usecases where running this service independently is desired, but let's
+# make this all "just work" for the general case, and leave it to local
+# modifications to make it work in the remaining cases.
+
+ConditionCapability=CAP_SYS_TIME
+ConditionVirtualization=!container
+
+DefaultDependencies=no
+Before=time-sync.target shutdown.target
+Wants=time-sync.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/lib/systemd/systemd-time-wait-sync
+TimeoutStartSec=10
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target