diff options
Diffstat (limited to 'meta-security/meta-integrity/recipes-core')
9 files changed, 135 insertions, 0 deletions
diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc new file mode 100644 index 000000000..7e9e2108d --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc @@ -0,0 +1,5 @@ +# Append iversion option for auto types +do_install_append() { + sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" + echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" +} diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..c006f0e62 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)} diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb new file mode 100644 index 000000000..6ed724df2 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -0,0 +1,22 @@ +DESCRIPTION = "An image as an exmaple for Ima support" + +IMAGE_FEATURES += "ssh-server-openssh" + + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-ima-evm-utils \ + os-release" + + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "integrity-image-minimal" + +INHERIT += "ima-evm-rootfs" +IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb new file mode 100644 index 000000000..6057e8daf --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -0,0 +1,28 @@ +# This recipe creates a module for the initramfs-framework in OE-core +# which initializes IMA by loading a policy before transferring +# control to the init process in the rootfs. The advantage over having +# that init process doing the policy loading (which systemd could do) +# is that already the integrity of the init binary itself will be +# checked by the kernel. + +SUMMARY = "IMA module for the modular initramfs system" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " file://ima" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install -d ${D}/init.d + install ${WORKDIR}/ima ${D}/init.d/20-ima +} + +FILES_${PN} = "/init.d ${sysconfdir}" + +RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima new file mode 100644 index 000000000..8616f9924 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Loads IMA policy into the kernel. + +ima_enabled() { + if [ "$bootparam_no_ima" = "true" ]; then + return 1 + fi +} + +ima_run() { + info "Initializing IMA (can be skipped with no_ima boot parameter)." + if ! grep -w securityfs /proc/mounts >/dev/null; then + if ! mount -t securityfs securityfs /sys/kernel/security; then + fatal "Could not mount securityfs." + fi + fi + if [ ! -d /sys/kernel/security/ima ]; then + fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel." + fi + + # Instead of depending on the kernel to load the IMA X.509 certificate, + # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492) + # where the loaded key was not checked sufficiently. We use keyctl here because it is + # slightly smaller than evmctl and is needed anyway. + # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349). + for kind in ima evm; do + key=/etc/keys/x509_$kind.der + if [ -s $key ]; then + id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1) + if [ "$id" ]; then + id=$(printf "%d" 0x$id) + fi + if [ -z "$id" ]; then + id=`keyctl search @u keyring _$kind 2>/dev/null` + if [ -z "$id" ]; then + id=`keyctl newring _$kind @u` + fi + fi + info "Loading $key into $kind keyring $id" + keyctl padd asymmetric "" $id <$key + fi + done + + # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly + # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when + # checking the write of each line. To minimize the risk of policy loading going wrong we + # also remove comments and blank lines ourselves. + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then + fatal "Could not load IMA policy." + fi +} diff --git a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb new file mode 100644 index 000000000..18acc9dca --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb @@ -0,0 +1,9 @@ +SUMMARY = "IMA/EVM userspace tools" +LICENSE = "MIT" + +inherit packagegroup + +# Only one at the moment, but perhaps more will come in the future. +RDEPENDS_${PN} = " \ + ima-evm-utils \ +" diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf new file mode 100644 index 000000000..d6d3240f9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf new file mode 100644 index 000000000..f4c170bda --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf @@ -0,0 +1,3 @@ +[Service] +ExecStopPost=/bin/sync +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 000000000..3b4554162 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://machine-id-commit-sync.conf \ + file://random-seed-sync.conf \ +" + +do_install_append () { + for i in machine-id-commit random-seed; do + install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d + install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d + done +} |