diff options
Diffstat (limited to 'meta-security/meta-integrity')
38 files changed, 1595 insertions, 0 deletions
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md new file mode 100644 index 000000000..5bef76e8d --- /dev/null +++ b/meta-security/meta-integrity/README.md @@ -0,0 +1,250 @@ +This README file contains information on the contents of the +integrity layer. + +Please see the corresponding sections below for details. + + +Dependencies +============ + +This layer depends on: + + URI: git://git.openembedded.org/bitbake + branch: master + + URI: git://git.openembedded.org/openembedded-core + layers: meta + branch: master + + URI: git://github.com/01org/meta-security/meta-integrate + layers: security-framework + branch: master + + +Patches +======= + +For discussion or patch submission via email, use the +yocto@yoctoproject.org mailing list. When submitting patches that way, +make sure to copy the maintainer and add a "[meta-integrity]" +prefix to the subject of the mails. + +Maintainer: Armin Kuster <akuster808@gmail.com> + + +Table of Contents +================= + +1. Adding the integrity layer to your build +2. Usage +3. Known Issues + + +1. Adding the integrity layer to your build +=========================================== + +In order to use this layer, you need to make the build system aware of +it. + +Assuming the security repository exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the integrity layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ + /path/to/yocto/meta \ + /path/to/yocto/meta-yocto \ + /path/to/yocto/meta-yocto-bsp \ + /path/to/yocto/meta-security/meta-integrity \ + " + +It has some dependencies on a suitable BSP; in particular the kernel +must have a recent enough IMA/EVM subsystem. The layer was tested with +Linux 3.19 and uses some features (like loading X509 certificates +directly from the kernel) which were added in that release. Your +mileage may vary with older kernels. + +The necessary kernel configuration parameters are added to all kernel +versions by this layer. Watch out for QA warnings about unused kernel +configuration parameters: those indicate that the kernel used by the BSP +does not have the necessary IMA/EVM features. + +Adding the layer only enables IMA (see below regarding EVM) during +compilation of the Linux kernel. To also activate it when building +the image, enable image signing in the local.conf like this: + + INHERIT += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +This uses the default keys provided in the "data" directory of the layer. +Because everyone has access to these private keys, such an image +should never be used in production! + +For that, create your own keys first. All tools and scripts required +for that are included in the layer. This is also how the +``debug-keys`` were generated: + + # Choose a directory for storing keys. Preserve this + # across builds and keep its private keys secret! + export IMA_EVM_KEY_DIR=/tmp/imaevm + mkdir -p $IMA_EVM_KEY_DIR + # Build the required tools. + bitbake openssl-native + # Set up shell for use of the tools. + bitbake -c devshell openssl-native + cd $IMA_EVM_KEY_DIR + # In that shell, create the keys. Several options exist: + + # 1. Self-signed keys. + $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh + + # 2. Keys signed by a new CA. + # When asked for a PEM passphrase, that will be for the root CA. + # Signing images then will not require entering that passphrase, + # only creating new certificates does. Most likely the default + # attributes for these certificates need to be adapted; modify + # the scripts as needed. + # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh + + # 3. Keys signed by an existing CA. + # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> + exit + +When using ``ima-self-signed.sh`` as described above, self-signed keys +are created. Alternatively, one can also use keys signed by a CA. The +``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then +supports adding tha CA's public key to the kernel's system keyring by +compiling it directly into the kernel. Because it is unknown whether +that is necessary (for example, the CA might also get added to the +system key ring via UEFI Secure Boot), one has to enable compilation +into the kernel explicitly in a local.conf with: + + IMA_EVM_ROOT_CA = "<path to .x509 file, for example the ima-local-ca.x509 created by ima-gen-local-ca.sh>" + + + + +To use the personal keys, override the default IMA_EVM_KEY_DIR in your +local.conf and/or override the individual variables from +ima-evm-rootfs.bbclass: + + IMA_EVM_KEY_DIR = "<full path>" + IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>" + +By default, the entire file system gets signed. When using a policy which +does not require that, the set of files to be labelled can be chosen +by overriding the default "find" expression, for example like this: + + IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f" + + +2. Usage +======== + +After creating an image with IMA/EVM enabled, one needs to enable +the built-in policies before IMA/EVM is active at runtime. To do this, +add one or both of these boot parameters: + + ima_tcb # measures all files read as root and all files executed + ima_appraise_tcb # appraises all files owned by root, beware of + # the known issue mentioned below + +Instead of booting with default policies, one can also activate custom +policies in different ways. First, boot without any IMA policy and +then cat a policy file into +`/sys/kernel/security/ima/policy`. This can only be done once +after booting and is useful for debugging. + +In production, the long term goal is to load a verified policy +directly from the kernel, using a patch which still needs to be +included upstream ("ima: load policy from the kernel", +<https://lwn.net/Articles/595759/>). + +Loading via systemd also works with systemd, but is considered less +secure (policy file is not checked before activating it). Beware that +IMA policy loading became broken in systemd 2.18. The modified systemd +2.19 in meta-security-smack has a patch reverting the broken +changes. To activate policy loading via systemd, place a policy file +in `/etc/ima/ima-policy`, for example with: + + IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple" + +To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` + +To check that appraisal works, try modifying executables and ensure +that executing them fails: + + echo "foobar" >>/usr/bin/rpm + evmctl ima_verify /usr/bin/rpm + rpm --version + +Depending on the current appraisal policy, the `echo` command may +already fail because writing is not allowed. If the file was modified +and the current appraisal policy allows reading, then `evmctl` will +report (the errno value seems to be printed always and is unrelated to +the actual verification failure here): + + Verification failed: 35 + errno: No such file or directory (2) + +After enabling a suitable IMA appraisal policy, reading and/or +executing the file is no longer allowed: + + # evmctl ima_verify /usr/bin/rpm + Failed to open: /usr/bin/rpm + errno: Permission denied (13) + # rpm --version + -sh: /usr/bin/rpm: Permission denied + +Enabling the audit kernel subsystem may help to debug appraisal +issues. Enable it by adding the meta-security-framework layer and +changing your local.conf: + SRC_URI_append_pn-linux-yocto = " file://audit.cfg" + CORE_IMAGE_EXTRA_INSTALL += "auditd" + +Then boot with "ima_appraise=log ima_appraise_tcb". + +Adding auditd is not strictly necessary but helps to capture a +more complete set of events in /var/log/audit/ and search in +them with ausearch. + + +3. Known Issues +=============== + +EVM is not enabled, for multiple reasons: +* Signing files in advance with a X509 certificate and then not having + any confidential keys on the device would be the most useful mode, + but is not supported by EVM [1]. +* EVM signing in advance would only work on the final file system and thus + will require further integration work with image creation. The content + of the files can be signed for IMA in the rootfs, with the extended + attributes remaining valid when copying the files to the final image. + But for EVM that copy operation changes relevant parameters (for example, + inode) and thus invalidates the EVM hash. +* On device creation of EVM hashes depends on secure key handling on the + device (TPM) and booting at least once in a special mode (file system + writable, evm=fix as boot parameter, reboot after opening all files); + such a mode is too device specific to be implemented in a generic way. + +IMA appraisal with "ima_appraise_tcb" enables rules which are too strict +for most distros. For example, systemd needs to write certain files +as root, which is prevented by the ima_appraise_tcb appraise rules. As +a result, the system fails to boot: + + [FAILED] Failed to start Commit a transient machine-id on disk. + See "systemctl status systemd-machine-id-commit.service" for details. + ... + [FAILED] Failed to start Network Service. + See "systemctl status systemd-networkd.service" for details. + [FAILED] Failed to start Login Service. + See "systemctl status systemd-logind.service" for details. + +No package manager is integrated with IMA/EVM. When updating packages, +files will end up getting installed without correct IMA/EVM attributes +and thus will not be usable when appraisal is turned on. + +[1] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6281 +[2] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6275 diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass new file mode 100644 index 000000000..8aec388df --- /dev/null +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -0,0 +1,92 @@ +# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be +# set explicitly in a local.conf before activating ima-evm-rootfs. +# To use the insecure (because public) example keys, use +# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" +IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" + +# Private key for IMA signing. The default is okay when +# using the example key directory. +IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + +# Public part of certificates (used for both IMA and EVM). +# The default is okay when using the example key directory. +IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" + +# Root CA to be compiled into the kernel, none by default. +# Must be the absolute path to a der-encoded x509 CA certificate +# with a .x509 suffix. See linux-%.bbappend for details. +# +# ima-local-ca.x509 is what ima-gen-local-ca.sh creates. +IMA_EVM_ROOT_CA ?= "" + +# Sign all regular files by default. +IMA_EVM_ROOTFS_SIGNED ?= ". -type f" +# Hash nothing by default. +IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" + +# Mount these file systems (identified via their mount point) with +# the iversion flags (needed by IMA when allowing writing). +IMA_EVM_ROOTFS_IVERSION ?= "" + +ima_evm_sign_rootfs () { + cd ${IMAGE_ROOTFS} + + # Beware that all operations below must also work when + # ima_evm_sign_rootfs was already called earlier for the same + # rootfs. That's because do_image might again run for various + # reasons (including a change of the signing keys) without also + # re-running do_rootfs. + + # Copy file(s) which must be on the device. Note that + # evmctl uses x509_evm.der also for "ima_verify", which is probably + # a bug (should default to x509_ima.der). Does not matter for us + # because we use the same key for both. + install -d ./${sysconfdir}/keys + rm -f ./${sysconfdir}/keys/x509_evm.der + install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der + ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der + + # Fix /etc/fstab: it must include the "i_version" mount option for + # those file systems where writing files is allowed, otherwise + # these changes will not get detected at runtime. + # + # Note that "i_version" is documented in "man mount" only for ext4, + # whereas "iversion" is said to be filesystem-independent. In practice, + # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4 + # all support it. + # + # coreutils translates "iversion" into MS_I_VERSION. busybox rejects + # "iversion" and only understands "i_version". systemd only understands + # "iversion". We pick "iversion" here for systemd, whereas rootflags + # for initramfs must use "i_version" for busybox. + # + # Deduplicates iversion in case that this gets called more than once. + if [ -f etc/fstab ]; then + perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab + fi + + # Sign file with private IMA key. EVM not supported at the moment. + bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" + find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} + bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" + find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + + # Optionally install custom policy for loading by systemd. + if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + install -d ./${sysconfdir}/ima + rm -f ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + fi +} + +# Signing must run as late as possible in the do_rootfs task. +# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so +# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with +# _append instead of += because _append gets evaluated later. In +# particular, we must run after prelink_image in +# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables. + +IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; " + +# evmctl must have been installed first. +do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot" diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf new file mode 100644 index 000000000..2f696cf7c --- /dev/null +++ b/meta-security/meta-integrity/conf/layer.conf @@ -0,0 +1,24 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have a packages directory, add to BBFILES +BBFILES := "${BBFILES} \ + ${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "integrity" +BBFILE_PATTERN_integrity := "^${LAYERDIR}/" +BBFILE_PRIORITY_integrity = "6" + +# Set a variable to get to the top of the metadata location. Needed +# for finding scripts (when following the README.md instructions) and +# default debug keys (in ima-evm-rootfs.bbclass). +IMA_EVM_BASE := '${LAYERDIR}' + +# We must not export this path to all shell scripts (as in "export +# IMA_EVM_BASE"), because that causes problems with sstate (becames +# dependent on location of the layer). Exporting it to just the +# interactive shell is enough. +OE_TERMINAL_EXPORTS += "IMA_EVM_BASE" + +LAYERSERIES_COMPAT_integrity = "warrior" diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem new file mode 100644 index 000000000..502a0b68d --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU +Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 +IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p +OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 +lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW +HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV +aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA +TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue +WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb +SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 +xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ +CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q +1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ +3vVaxg2EfqB1 +-----END PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der Binary files differnew file mode 100644 index 000000000..087ca6bea --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py new file mode 100644 index 000000000..0c8617a56 --- /dev/null +++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py @@ -0,0 +1,129 @@ +#!/usr/bin/env python +# +# Authors: Cristina Moraru <cristina.moraru@intel.com> +# Alexandru Cornea <alexandru.cornea@intel.com> + +import string +from time import sleep +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature +from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar +import bb +blacklist = ["/usr/bin/uz", "/bin/su.shadow"] + +class IMACheck(OERuntimeTestCase): + + @classmethod + def setUpClass(cls): + locations = ["/bin", "/usr/bin"] + cls.binaries = [] + for l in locations: + status, output = cls.tc.target.run("find %s -type f" % l) + cls.binaries.extend(output.split("\n")) + + cls.total = len(cls.binaries) + + + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_ima_enabled(self): + ''' Test if IMA policy is loaded before systemd starts''' + + ima_search = "ima: " + systemd_search = "systemd .* running" + status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) + self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + + + @skipIfNotFeature('systemd', + 'Test requires systemd to be in DISTRO_FEATURES') + @skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd', + 'systemd is not the init manager for this image') + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_before_systemd(self): + ''' Test if IMA policy is loaded before systemd starts''' + ima_search = "ima: " + systemd_search = "systemd .* running" + status, output = self.target.run("dmesg | grep -n '%s'" % ima_search) + self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search) + ima_id = int(output.split(":")[0]) + status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search) + self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search) + init_id = int(output.split(":")[0]) + if ima_id > init_id: + self.fail("IMA does not start before systemd") + + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_hash(self): + ''' Test if IMA stores correct file hash ''' + filename = "/etc/filetest" + ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" + status, output = self.target.run("echo test > %s" % filename) + self.assertEqual(status, 0, "Cannot create file %s on target" % filename) + + # wait for the IMA system to update the entry + maximum_tries = 30 + tries = 0 + status, output = self.target.run("sha1sum %s" %filename) + sleep(2) + current_hash = output.split()[0] + ima_hash = "" + + while tries < maximum_tries: + status, output = self.target.run("cat %s | grep %s" \ + % (ima_measure_file, filename)) + # get last entry, 4th field + if status == 0: + tokens = output.split("\n")[-1].split()[3] + ima_hash = tokens.split(":")[1] + if ima_hash == current_hash: + break + + tries += 1 + sleep(1) + + # clean target + self.target.run("rm %s" % filename) + if ima_hash != current_hash: + self.fail("Hash stored by IMA does not match actual hash") + + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_signature(self): + ''' Test if IMA stores correct signature for system binaries''' + passed = 0 + failed = 0 + for b in self.binaries: + if b in blacklist: + continue + status, output = self.target.run("evmctl ima_verify %s" % b) + if status != 0: + failed += 1 + else: + passed += 1 + + if failed == self.total: + self.fail("Signature verifications failed (%s)" % self.total) + + #bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total)) + + @OETestDepends(['ima.IMACheck.test_ima_enabled']) + def test_ima_overwrite(self): + ''' Test if IMA prevents overwriting signed files ''' + passed = 0 + failed = 0 + for b in self.binaries: + if b in blacklist: + continue + self.target.run("echo 'foo' >> %s" % b ) + status, output = self.target.run("evmctl ima_verify %s" % b) + + if status != 0: + failed += 1 + else: + passed += 1 + + if failed == self.total: + self.fail("Overwritting verifications failed (%s)" % self.total) diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc new file mode 100644 index 000000000..7e9e2108d --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc @@ -0,0 +1,5 @@ +# Append iversion option for auto types +do_install_append() { + sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab" + echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab" +} diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..c006f0e62 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)} diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb new file mode 100644 index 000000000..6ed724df2 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -0,0 +1,22 @@ +DESCRIPTION = "An image as an exmaple for Ima support" + +IMAGE_FEATURES += "ssh-server-openssh" + + +IMAGE_INSTALL = "\ + packagegroup-base \ + packagegroup-core-boot \ + packagegroup-ima-evm-utils \ + os-release" + + +LICENSE = "MIT" + +inherit core-image + +export IMAGE_BASENAME = "integrity-image-minimal" + +INHERIT += "ima-evm-rootfs" +IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys" + +QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb new file mode 100644 index 000000000..6057e8daf --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -0,0 +1,28 @@ +# This recipe creates a module for the initramfs-framework in OE-core +# which initializes IMA by loading a policy before transferring +# control to the init process in the rootfs. The advantage over having +# that init process doing the policy loading (which systemd could do) +# is that already the integrity of the init binary itself will be +# checked by the kernel. + +SUMMARY = "IMA module for the modular initramfs system" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " file://ima" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install -d ${D}/init.d + install ${WORKDIR}/ima ${D}/init.d/20-ima +} + +FILES_${PN} = "/init.d ${sysconfdir}" + +RDEPENDS_${PN} = "keyutils ${IMA_POLICY}" +RDEPENDS_${PN} += "initramfs-framework-base" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima new file mode 100644 index 000000000..8616f9924 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima @@ -0,0 +1,52 @@ +#!/bin/sh +# +# Loads IMA policy into the kernel. + +ima_enabled() { + if [ "$bootparam_no_ima" = "true" ]; then + return 1 + fi +} + +ima_run() { + info "Initializing IMA (can be skipped with no_ima boot parameter)." + if ! grep -w securityfs /proc/mounts >/dev/null; then + if ! mount -t securityfs securityfs /sys/kernel/security; then + fatal "Could not mount securityfs." + fi + fi + if [ ! -d /sys/kernel/security/ima ]; then + fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel." + fi + + # Instead of depending on the kernel to load the IMA X.509 certificate, + # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492) + # where the loaded key was not checked sufficiently. We use keyctl here because it is + # slightly smaller than evmctl and is needed anyway. + # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349). + for kind in ima evm; do + key=/etc/keys/x509_$kind.der + if [ -s $key ]; then + id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1) + if [ "$id" ]; then + id=$(printf "%d" 0x$id) + fi + if [ -z "$id" ]; then + id=`keyctl search @u keyring _$kind 2>/dev/null` + if [ -z "$id" ]; then + id=`keyctl newring _$kind @u` + fi + fi + info "Loading $key into $kind keyring $id" + keyctl padd asymmetric "" $id <$key + fi + done + + # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly + # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when + # checking the write of each line. To minimize the risk of policy loading going wrong we + # also remove comments and blank lines ourselves. + if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then + fatal "Could not load IMA policy." + fi +} diff --git a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb new file mode 100644 index 000000000..18acc9dca --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb @@ -0,0 +1,9 @@ +SUMMARY = "IMA/EVM userspace tools" +LICENSE = "MIT" + +inherit packagegroup + +# Only one at the moment, but perhaps more will come in the future. +RDEPENDS_${PN} = " \ + ima-evm-utils \ +" diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf new file mode 100644 index 000000000..d6d3240f9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf @@ -0,0 +1,2 @@ +[Service] +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf new file mode 100644 index 000000000..f4c170bda --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf @@ -0,0 +1,3 @@ +[Service] +ExecStopPost=/bin/sync +ExecStartPost=/bin/sync diff --git a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 000000000..3b4554162 --- /dev/null +++ b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,13 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += " \ + file://machine-id-commit-sync.conf \ + file://random-seed-sync.conf \ +" + +do_install_append () { + for i in machine-id-commit random-seed; do + install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d + install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d + done +} diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend new file mode 100644 index 000000000..931854ef8 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/linux:" + +SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch new file mode 100644 index 000000000..64016dd3e --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch @@ -0,0 +1,51 @@ +From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Tue, 8 Mar 2016 16:43:55 -0500 +Subject: [PATCH] ima: fix ima_inode_post_setattr + +Changing file metadata (eg. uid, guid) could result in having to +re-appraise a file's integrity, but does not change the "new file" +status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and +IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch +only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. + +With this patch, changing the file timestamp will not remove the +file signature on new files. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] + +Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +--- + security/integrity/ima/ima_appraise.c | 2 +- + security/integrity/integrity.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..a384ba1 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) + if (iint) { + iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | +- IMA_ACTION_FLAGS); ++ IMA_ACTION_RULE_FLAGS); + if (must_appraise) + iint->flags |= IMA_APPRAISE; + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 0fc9519..f9decae 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -28,6 +28,7 @@ + + /* iint cache flags */ + #define IMA_ACTION_FLAGS 0xff000000 ++#define IMA_ACTION_RULE_FLAGS 0x06000000 + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch new file mode 100644 index 000000000..6ab7ce277 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch @@ -0,0 +1,138 @@ +From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar <zohar@linux.vnet.ibm.com> +Date: Thu, 10 Mar 2016 18:19:20 +0200 +Subject: [PATCH] ima: add support for creating files using the mknodat + syscall + +Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" +stopped identifying empty files as new files. However new empty files +can be created using the mknodat syscall. On systems with IMA-appraisal +enabled, these empty files are not labeled with security.ima extended +attributes properly, preventing them from subsequently being opened in +order to write the file data contents. This patch marks these empty +files, created using mknodat, as new in order to allow the file data +contents to be written. + +Files with security.ima xattrs containing a file signature are considered +"immutable" and can not be modified. The file contents need to be +written, before signing the file. This patch relaxes this requirement +for new files, allowing the file signature to be written before the file +contents. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] + +Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> +--- + fs/namei.c | 2 ++ + include/linux/ima.h | 7 ++++++- + security/integrity/ima/ima_appraise.c | 3 +++ + security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index ccd7f98..19502da 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3526,6 +3526,8 @@ retry: + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(path.dentry->d_inode,dentry,mode,true); ++ if (!error) ++ ima_post_path_mknod(dentry); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(path.dentry->d_inode,dentry,mode, +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 120ccc5..7f51971 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); + extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_module_check(struct file *file); + extern int ima_fw_from_file(struct file *file, char *buf, size_t size); +- ++extern void ima_post_path_mknod(struct dentry *dentry); + #else + static inline int ima_bprm_check(struct linux_binprm *bprm) + { +@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) + return 0; + } + ++static inline void ima_post_path_mknod(struct dentry *dentry) ++{ ++ return; ++} ++ + #endif /* CONFIG_IMA */ + + #ifdef CONFIG_IMA_APPRAISE +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..20806ea 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -274,6 +274,11 @@ out: + xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + if (!ima_fix_xattr(dentry, iint)) + status = INTEGRITY_PASS; ++ } else if ((inode->i_size == 0) && ++ (iint->flags & IMA_NEW_FILE) && ++ (xattr_value && ++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { ++ status = INTEGRITY_PASS; + } + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index eeee00dc..705bf78 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, + ima_audit_measurement(iint, pathname); + + out_digsig: +- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) ++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && ++ !(iint->flags & IMA_NEW_FILE)) + rc = -EACCES; + kfree(xattr_value); + out_free: +@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) + EXPORT_SYMBOL_GPL(ima_file_check); + + /** ++ * ima_post_path_mknod - mark as a new inode ++ * @dentry: newly created dentry ++ * ++ * Mark files created via the mknodat syscall as new, so that the ++ * file data can be written later. ++ */ ++void ima_post_path_mknod(struct dentry *dentry) ++{ ++ struct integrity_iint_cache *iint; ++ struct inode *inode; ++ int must_appraise; ++ ++ if (!dentry || !dentry->d_inode) ++ return; ++ ++ inode = dentry->d_inode; ++ if (inode->i_size != 0) ++ return; ++ ++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); ++ if (!must_appraise) ++ return; ++ ++ iint = integrity_inode_get(inode); ++ if (iint) ++ iint->flags |= IMA_NEW_FILE; ++} ++ ++/** + * ima_module_check - based on policy, collect/store/appraise measurement. + * @file: pointer to the file to be measured/appraised + * +-- +2.5.0 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch new file mode 100644 index 000000000..157c007ba --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch @@ -0,0 +1,60 @@ +From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Tue, 15 Nov 2016 10:10:23 +0100 +Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log + modes" + +This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. + +The original motivation was security hardening ("File hashes are +automatically set and updated and should not be manually set.") + +However, that hardening ignores and breaks some valid use cases: +- File hashes might not be set because the file is currently + outside of the policy and therefore have to be set by the + creator. Examples: + - Booting into an initramfs with an IMA-enabled kernel but + without setting an IMA policy, then installing + the OS onto the target partition by unpacking a rootfs archive + which has the file hashes pre-computed. + - Unpacking a file into a staging area with meta data (like owner) + that leaves the file outside of the current policy, then changing + the meta data such that it becomes part of the current policy. +- "should not be set manually" implies that the creator is aware + of IMA semantic, the current system's configuration, and then + skips setting file hashes in security.ima if (and only if) the + kernel would prevent it. That's not the case for standard, unmodified + tools. Example: unpacking an archive with security.ima xattrs with + bsdtar or GNU tar. + +Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + security/integrity/ima/ima_appraise.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4b9b4a4..b8b2dd9 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); + result = 0; + } + return result; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 000000000..b3e47ba37 --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg @@ -0,0 +1,18 @@ +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_NG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" +CONFIG_IMA_DEFAULT_HASH_SHA1=y +CONFIG_IMA_DEFAULT_HASH="sha1" +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_APPRAISE_BOOTPARAM=y +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_SIGNATURE=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_LOAD_X509=y +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" + +#CONFIG_INTEGRITY_SIGNATURE=y +#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +#CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg new file mode 100644 index 000000000..9a454257a --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg @@ -0,0 +1,3 @@ +# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set +CONFIG_EVM_LOAD_X509=y +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch new file mode 100644 index 000000000..5ccb73d9b --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch @@ -0,0 +1,65 @@ +From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:08:43 +0300 +Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL + +There is no need to link to full libssl. evmctl uses functions from +libcrypto, so let's link only against that library. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + configure.ac | 4 +--- + src/Makefile.am | 9 ++++----- + 2 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 60f3684..32e8d85 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -24,9 +24,7 @@ LT_INIT + # Checks for header files. + AC_HEADER_STDC + +-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) +-AC_SUBST(OPENSSL_CFLAGS) +-AC_SUBST(OPENSSL_LIBS) ++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ]) + AC_SUBST(KERNEL_HEADERS) + AC_CHECK_HEADER(unistd.h) + AC_CHECK_HEADERS(openssl/conf.h) +diff --git a/src/Makefile.am b/src/Makefile.am +index d74fc6f..b81281a 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,11 +1,11 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS) ++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +-libimaevm_la_LIBADD = $(OPENSSL_LIBS) ++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS) + + include_HEADERS = imaevm.h + +@@ -17,12 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) ++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) +-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la ++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + + INCLUDES = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +- +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch new file mode 100644 index 000000000..8237274ca --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch @@ -0,0 +1,43 @@ +From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:17:12 +0300 +Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS + +Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning +about deprecated variable usage. + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index b81281a..164e7e4 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -1,7 +1,7 @@ + lib_LTLIBRARIES = libimaevm.la + + libimaevm_la_SOURCES = libimaevm.c +-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + # current[:revision[:age]] + # result: [current-age].age.revision + libimaevm_la_LDFLAGS = -version-info 0:0:0 +@@ -17,11 +17,11 @@ hash_info.h: Makefile + bin_PROGRAMS = evmctl + + evmctl_SOURCES = evmctl.c +-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS) ++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) + evmctl_LDFLAGS = $(LDFLAGS_READLINE) + evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la + +-INCLUDES = -I$(top_srcdir) -include config.h ++AM_CPPFLAGS = -I$(top_srcdir) -include config.h + + CLEANFILES = hash_info.h + DISTCLEANFILES = @DISTCLEANFILES@ +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch new file mode 100644 index 000000000..3d250d2fc --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch @@ -0,0 +1,31 @@ +From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:22:30 +0300 +Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution + +Include hash-info.gen into tarball and call it from the sourcedir to fix +out-of-tree build (and thus 'make distcheck'). + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + src/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index 164e7e4..9c037e2 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h + + nodist_libimaevm_la_SOURCES = hash_info.h + BUILT_SOURCES = hash_info.h ++EXTRA_DIST = hash_info.gen + hash_info.h: Makefile +- ./hash_info.gen $(KERNEL_HEADERS) >$@ ++ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ + + bin_PROGRAMS = evmctl + +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch new file mode 100644 index 000000000..4ada1a271 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch @@ -0,0 +1,34 @@ +From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +Date: Wed, 6 Mar 2019 01:24:04 +0300 +Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files + +Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> +--- + .gitignore | 1 + + src/.gitignore | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 src/.gitignore + +diff --git a/.gitignore b/.gitignore +index ca7a06e..cb82166 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -45,6 +45,7 @@ cscope.* + ncscope.* + + # Generated documentation ++*.1 + *.8 + *.5 + manpage.links +diff --git a/src/.gitignore b/src/.gitignore +new file mode 100644 +index 0000000..38e8e3c +--- /dev/null ++++ b/src/.gitignore +@@ -0,0 +1 @@ ++hash_info.h +-- +2.17.1 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch new file mode 100644 index 000000000..35c316270 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch @@ -0,0 +1,68 @@ +From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Fri, 30 Sep 2016 10:22:16 +0200 +Subject: [PATCH] command line: apply operation to all paths + +Previously, invocations like "evmctl ima_hash foo bar" silently +ignored all parameters after the first path name ("foo" in this +example). + +Now evmctl iterates over all specified paths. It aborts with an +error as soon as the selected operation fails for a path. + +Supporting more than one parameter is useful in combination with +"find" and "xargs" because it is noticably faster than invoking +evmutil separately for each file, in particular when run under pseudo +(a fakeroot environment used by the OpenEmbedded build system). + +This complements the recursive mode and can be used when more control +over file selection is needed. + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + src/evmctl.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 23cf54c..2072034 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) + static int do_cmd(struct command *cmd, find_cb_t func) + { + char *path = g_argv[optind++]; +- int err, dts = REG_MASK; /* only regular files by default */ ++ int err = 0, dts = REG_MASK; /* only regular files by default */ + + if (!path) { + log_err("Parameters missing\n"); +@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) + return -1; + } + +- if (recursive) { +- if (search_type) { +- dts = get_file_type(path, search_type); +- if (dts < 0) +- return dts; ++ while (path && !err) { ++ if (recursive) { ++ if (search_type) { ++ dts = get_file_type(path, search_type); ++ if (dts < 0) ++ return dts; ++ } ++ err = find(path, dts, func); ++ } else { ++ err = func(path); + } +- err = find(path, dts, func); +- } else { +- err = func(path); ++ path = g_argv[optind++]; + } + + return err; +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch new file mode 100644 index 000000000..75076f52f --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch @@ -0,0 +1,50 @@ +From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 13 May 2015 03:41:02 -0700 +Subject: [PATCH] Makefile.am: disable man page creation + +Depends on asciidoc, which is not available. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> +--- + Makefile.am | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 06ebf59..4ddd52c 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1,5 +1,5 @@ + SUBDIRS = src +-dist_man_MANS = evmctl.1 ++# dist_man_MANS = evmctl.1 + + doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh + EXTRA_DIST = autogen.sh $(doc_DATA) +@@ -39,4 +39,21 @@ rmman: + + doc: evmctl.1.html rmman evmctl.1 + ++# requires asciidoc, xslproc, docbook-xsl ++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org ++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++# ++#evmctl.1.html: README ++# @asciidoc -o $@ $< ++# ++#evmctl.1: ++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README ++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl ++# rm -f evmctl.1.xsl ++# ++#rmman: ++# rm -f evmctl.1 ++# ++#doc: evmctl.1.html rmman evmctl.1 ++ + .PHONY: $(tarname) +-- +1.8.4.5 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch new file mode 100644 index 000000000..c0bdd9b49 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch @@ -0,0 +1,47 @@ +From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 +From: Patrick Ohly <patrick.ohly@intel.com> +Date: Wed, 17 Jun 2015 14:28:18 +0200 +Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines + +Compilation on older Linux distros (like Ubuntu 12.04) fails +because linux/xattr.h does not yet have the IMA defines. Compiling +there makes sense when only the tools are needed, for example when +signing an image in cross-compile mode. + +To support this, add fallbacks for the two defines which are needed. +Their value is part of the Linux ABI and thus fixed. + +Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net] + +Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + +--- + src/evmctl.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..23cf54c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -56,6 +56,18 @@ + #include <ctype.h> + #include <termios.h> + ++/* ++ * linux/xattr.h might be old to have this. Allow compilation on older ++ * Linux distros (like Ubuntu 12.04) by falling back to our own ++ * definition. ++ */ ++#ifndef XATTR_IMA_SUFFIX ++# define XATTR_IMA_SUFFIX "ima" ++#endif ++#ifndef XATTR_NAME_IMA ++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX ++#endif ++ + #include <openssl/sha.h> + #include <openssl/pem.h> + #include <openssl/hmac.h> +-- +2.1.4 + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb new file mode 100644 index 000000000..929d85348 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb @@ -0,0 +1,41 @@ +DESCRIPTION = "IMA/EVM control utility" +LICENSE = "GPL-2.0-with-OpenSSL-exception" +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +DEPENDS += "openssl attr keyutils" + +DEPENDS_class-native += "openssl-native keyutils-native" + +PV = "1.0+git${SRCPV}" +SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167" +SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils" + +# Documentation depends on asciidoc, which we do not have, so +# do not build documentation. +SRC_URI += "file://disable-doc-creation.patch" + +# Workaround for upstream incompatibility with older Linux distros. +# Relevant for us when compiling ima-evm-utils-native. +SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" + +# Required for xargs with more than one path as argument (better for performance). +SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" + +SRC_URI += "\ + file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \ + file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \ + file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \ + file://0004-ima-evm-utils-update-.gitignore-files.patch \ +" +S = "${WORKDIR}/git" + +inherit pkgconfig autotools + +EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}" + +# blkid is called by evmctl when creating evm checksums. +# This is less useful when signing files on the build host, +# so disable it when compiling on the host. +RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all new file mode 100644 index 000000000..36e71a7d6 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -0,0 +1,29 @@ +# +# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything) +# +# Do not measure anything, but appraise everything +# +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 + +appraise diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb new file mode 100644 index 000000000..b58d3fed9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple appraise policy " +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_appraise_all" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed new file mode 100644 index 000000000..7f89c8d98 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed @@ -0,0 +1,77 @@ +# With this policy, all files on regular partitions are +# appraised. Files with signed IMA hash and normal hash are +# accepted. Signed files cannot be modified while hashed files can be +# (which will also update the hash). However, signed files can +# be deleted, so in practice it is still possible to replace them +# with a modified version. +# +# Without EVM, this is obviously not very secure, so this policy is +# just an example and/or basis for further improvements. For that +# purpose, some comments show what could be added to make the policy +# more secure. +# +# With EVM the situation might be different because access +# to the EVM key can be restricted. +# +# Files which are appraised are also measured. This allows +# debugging whether a file is in policy by looking at +# /sys/kernel/security/ima/ascii_runtime_measurements + +# PROC_SUPER_MAGIC +dont_appraise fsmagic=0x9fa0 +dont_measure fsmagic=0x9fa0 +# SYSFS_MAGIC +dont_appraise fsmagic=0x62656572 +dont_measure fsmagic=0x62656572 +# DEBUGFS_MAGIC +dont_appraise fsmagic=0x64626720 +dont_measure fsmagic=0x64626720 +# TMPFS_MAGIC +dont_appraise fsmagic=0x01021994 +dont_measure fsmagic=0x01021994 +# RAMFS_MAGIC +dont_appraise fsmagic=0x858458f6 +dont_measure fsmagic=0x858458f6 +# DEVPTS_SUPER_MAGIC +dont_appraise fsmagic=0x1cd1 +dont_measure fsmagic=0x1cd1 +# BIFMT +dont_appraise fsmagic=0x42494e4d +dont_measure fsmagic=0x42494e4d +# SECURITYFS_MAGIC +dont_appraise fsmagic=0x73636673 +dont_measure fsmagic=0x73636673 +# SELINUXFS_MAGIC +dont_appraise fsmagic=0xf97cff8c +dont_measure fsmagic=0xf97cff8c +# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel) +dont_appraise fsmagic=0x6e736673 +dont_measure fsmagic=0x6e736673 +# SMACK_MAGIC +dont_appraise fsmagic=0x43415d53 +dont_measure fsmagic=0x43415d53 +# CGROUP_SUPER_MAGIC +dont_appraise fsmagic=0x27e0eb +dont_measure fsmagic=0x27e0eb +# EFIVARFS_MAGIC +dont_appraise fsmagic=0xde5e81e4 +dont_measure fsmagic=0xde5e81e4 + +# Special partition, no checking done. +# dont_measure fsuuid=a11234... +# dont_appraise fsuuid=a11243... + +# Special immutable group. +# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200 + +# All executables must be signed - too strict, we need to +# allow installing executables on the device. +# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC +# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC + +# Default rule. Would be needed also when other rules were added that +# determine what to do in case of reading (mask=MAY_READ or +# mask=MAY_EXEC) because otherwise writing does not update the file +# hash. +appraise +measure diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb new file mode 100644 index 000000000..3352daa03 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -0,0 +1,20 @@ +SUMMARY = "IMA sample hash policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_hashed" + +SRC_URI = " \ + file://${IMA_POLICY} \ +" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple new file mode 100644 index 000000000..38ca8f53d --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple @@ -0,0 +1,4 @@ +# Very simple policy demonstrating the systemd policy loading bug +# (policy with one line works, two lines don't). +dont_appraise fsmagic=0x9fa0 +dont_appraise fsmagic=0x62656572 diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb new file mode 100644 index 000000000..17132aa22 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -0,0 +1,18 @@ +SUMMARY = "IMA sample simple policy" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +# This policy file will get installed as /etc/ima/ima-policy. +# It is located via the normal file search path, so a .bbappend +# to this recipe can just point towards one of its own files. +IMA_POLICY ?= "ima_policy_simple" + +SRC_URI = " file://${IMA_POLICY}" + +do_install () { + install -d ${D}/${sysconfdir}/ima + install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy +} + +FILES_${PN} = "${sysconfdir}/ima" +RDEPENDS_${PN} = "ima-evm-utils" diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh new file mode 100755 index 000000000..5f3a728fa --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh @@ -0,0 +1,48 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima.genkey +CA=${1:-ima-local-ca.pem} +CAKEY=${2:-ima-local-ca.priv} + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA $CA -CAkey $CAKEY -CAcreateserial \ + -outform DER -out x509_ima.der diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh new file mode 100755 index 000000000..b6007614a --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh @@ -0,0 +1,42 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example certificate signing key +emailAddress = john.doe@example.com + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +# keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh new file mode 100755 index 000000000..5ee876c05 --- /dev/null +++ b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh @@ -0,0 +1,41 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config $GENKEY \ + -outform DER -out x509_ima.der -keyout privkey_ima.pem |