Diffstat (limited to 'meta-security')
-rw-r--r-- | meta-security/classes/dm-verity-img.bbclass | 4 | ||||
-rw-r--r-- | meta-security/classes/sanity-meta-security.bbclass | 2 | ||||
-rw-r--r-- | meta-security/conf/layer.conf | 4 | ||||
-rw-r--r-- | meta-security/kas/kas-security-base.yml | 13 | ||||
-rw-r--r-- | meta-security/kas/kas-security-dm.yml | 1 | ||||
-rw-r--r-- | meta-security/kas/kas-security-parsec.yml | 4 | ||||
-rw-r--r-- | meta-security/meta-hardening/README | 6 | ||||
-rw-r--r-- | meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb | 11 | ||||
-rw-r--r-- | meta-security/meta-integrity/classes/kernel-modsign.bbclass | 2 | ||||
-rw-r--r-- | meta-security/meta-parsec/conf/layer.conf | 2 | ||||
-rw-r--r-- | meta-security/meta-tpm/README | 8 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/fixup.patch (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/run-ptest (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/suricata.service (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/suricata.yaml (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/tmpfiles.suricata (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/files/volatiles.03_suricata (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/libhtp_0.5.38.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/suricata.inc (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc) | 0 | ||||
-rw-r--r-- | meta-security/recipes-ids/suricata/suricata_6.0.3.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb) | 0 | ||||
-rw-r--r-- | meta-security/recipes-security/cryfs/cryfs_0.10.3.bb | 10 | ||||
-rw-r--r-- | meta-security/recipes-security/krill/files/panic_workaround.patch (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch) | 0 | ||||
-rw-r--r-- | meta-security/recipes-security/krill/krill.inc (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc) | 0 | ||||
-rw-r--r-- | meta-security/recipes-security/krill/krill_0.9.1.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb) | 0 |
24 files changed, 32 insertions, 35 deletions
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 16d395b55..a0950dabd 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -63,8 +63,8 @@ verity_setup() {
 VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
 IMAGE_TYPES += "${VERITY_TYPES}"
 CONVERSIONTYPES += "verity"
-CONVERSION_CMD_verity = "verity_setup ${type}"
-CONVERSION_DEPENDS_verity = "cryptsetup-native"
+CONVERSION_CMD:verity = "verity_setup ${type}"
+CONVERSION_DEPENDS:verity = "cryptsetup-native"
 python __anonymous() {
 verity_image = d.getVar('DM_VERITY_IMAGE')
diff --git a/meta-security/classes/sanity-meta-security.bbclass b/meta-security/classes/sanity-meta-security.bbclass
index b6c6b9cb5..f9e26984f 100644
--- a/meta-security/classes/sanity-meta-security.bbclass
+++ b/meta-security/classes/sanity-meta-security.bbclass
@@ -1,7 +1,7 @@
 addhandler security_bbappend_distrocheck
 security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
 python security_bbappend_distrocheck() {
- skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+ skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1"
 if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
 bb.warn("You have included the meta-security layer, but \
 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index cdcfaeec7..ad9da560f 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -16,7 +16,3 @@ LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer met
 # Sanity check for meta-security layer.
 # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
 INHERIT += "sanity-meta-security"
-
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
-"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index b9ce493be..3bf46dbf0 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -1,5 +1,5 @@
 header:
- version: 8
+ version: 9
 distro: poky
@@ -30,15 +30,9 @@ repos:
 meta-networking:
 meta-filesystems:
- meta-rust:
- url: https://github.com/meta-rust/meta-rust.git
- refspec: master
-
-
-
 local_conf_header:
 base: |
- CONF_VERSION = "1"
+ CONF_VERSION = "2"
 SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
 SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
 BB_HASHSERVE = "auto"
@@ -57,7 +51,7 @@ local_conf_header:
 EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
 PACKAGE_CLASSES = "package_ipk"
- DISTRO_FEATURES:append = " pam apparmor smack ima"
+ DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
 MACHINE_FEATURES:append = " tpm tpm2"
 diskmon: |
@@ -73,7 +67,6 @@ local_conf_header:
 bblayers_conf_header:
 base: |
- POKY_BBLAYERS_CONF_VERSION = "2"
 BBPATH = "${TOPDIR}"
 BBFILES ?= ""
diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml
index 7ce0e9d72..c03b3361e 100644
--- a/meta-security/kas/kas-security-dm.yml
+++ b/meta-security/kas/kas-security-dm.yml
@@ -5,6 +5,7 @@ header:
 local_conf_header:
 dm-verify: |
+ DISTRO_FEATURES:append = " integrity"
 DM_VERITY_IMAGE = "core-image-minimal"
 DM_VERITY_IMAGE_TYPE = "ext4"
 IMAGE_CLASSES += "dm-verity-img"
diff --git a/meta-security/kas/kas-security-parsec.yml b/meta-security/kas/kas-security-parsec.yml
index 22ef5dd82..9a009be14 100644
--- a/meta-security/kas/kas-security-parsec.yml
+++ b/meta-security/kas/kas-security-parsec.yml
@@ -8,10 +8,6 @@ repos:
 layers:
 meta-parsec:
- meta-rust:
- url: https://github.com/meta-rust/meta-rust.git
- refspec: master
-
 meta-clang:
 url: https://github.com/kraj/meta-clang.git
 refspec: master
diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README
index 37a0b7ec8..191253c66 100644
--- a/meta-security/meta-hardening/README
+++ b/meta-security/meta-hardening/README
@@ -64,14 +64,14 @@ layers: meta-oe
 Maintenance
 -----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH'
 These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
 $ git config format.subjectPrefix meta-hardening][PATCH
 Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
index c35c2577e..38771cdfb 100644
--- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
+++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -10,7 +10,8 @@ LICENSE = "MIT"
 IMAGE_ROOTFS_SIZE ?= "8192"
-inherit core-image extrausers
+inherit core-image
+IMAGE_CLASSES:append = " extrausers"
 ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
 DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
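Review bot: In the first harden-image-minimal.bb hunk, `IMAGE_CLASSES:append = " extrausers"` is assigned after `inherit core-image`, and the image classes are normally pulled in while that inherit statement is parsed, so the extrausers class may never be inherited by this recipe. If that is the case, EXTRA_USERS_PARAMS is silently ignored and the image is built without the root lock or password and without the admin account that this recipe exists to configure. Unless a reason outside this hunk requires the indirection, keeping `inherit core-image extrausers` is the safer form. A post-build check that the expected accounts are present in the rootfs would catch this kind of regression.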
@@ -19,7 +20,7 @@ DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
 EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
-EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
-EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
index cf5d3ebe2..093c3585e 100644
--- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -2,7 +2,7 @@
 # set explicitly in a local.conf before activating kernel-modsign.
 # To use the insecure (because public) example keys, use
 # MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
-MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"
 # Private key for modules signing. The default is okay when
 # using the example key directory.
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 86d41b22b..2eeb71b0f 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
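Review bot: In the second harden-image-minimal.bb hunk, the converted `usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}'` line still sets a clear-text password whose default, shown in the hunk header, is `1SimplePw!`, the same value as ROOT_DEFAULT_PASSWORD in the previous hunk. Because this is the layer's reference hardened image, the recipe should state that both defaults are examples that must be overridden, for instance with a comment such as `# Example credentials only: override ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD before building a deployable image`. A stronger option is to accept a pre-hashed value via `usermod -p`, so the clear-text secret never appears in build metadata or logs.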
@@ -10,5 +10,5 @@ BBFILE_PRIORITY_parsec-layer = "5"
 LAYERSERIES_COMPAT_parsec-layer = "honister"
-LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
+LAYERDEPENDS_parsec-layer = "core clang-layer tpm-layer"
 BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README
index 4441dd293..5722a92ab 100644
--- a/meta-security/meta-tpm/README
+++ b/meta-security/meta-tpm/README
@@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'tpm' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line.
- DISTRO_FEATURES:append = " tmp"
+ DISTRO_FEATURES:append = " tpm"
 If meta-tpm is included, but tpm is not enabled as a distro feature a warning is printed at parse time:
@@ -57,14 +57,14 @@ other layers needed. e.g.:
 Maintenance
 -----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
 These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
 $ git config format.subjectPrefix meta-security][PATCH
 Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/recipes-ids/suricata/files/fixup.patch
index fc44ce68f..fc44ce68f 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ b/meta-security/recipes-ids/suricata/files/fixup.patch
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest
index 666ba9c95..666ba9c95 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ b/meta-security/recipes-ids/suricata/files/run-ptest
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service
index a99a76ef8..a99a76ef8 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ b/meta-security/recipes-ids/suricata/files/suricata.service
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml
index 8d06a2744..8d06a2744 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ b/meta-security/recipes-ids/suricata/files/suricata.yaml
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
index fbf37848e..fbf37848e 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
index 4627bd3b0..4627bd3b0 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb
index 2a0c93ccc..2a0c93ccc 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 5754617fb..5754617fb 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb
index ca9e03e32..ca9e03e32 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
+++ b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb
diff --git a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
new file mode 100644
index 000000000..74f32a495
--- /dev/null
+++ b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
@@ -0,0 +1,10 @@
+SUMMARY = "CryFS encrypts your files, so you can safely store them anywhere."
+HOMEDIR = "https://www.cryfs.org"
+
+LICENSE = "LGPL-3.0"
+FILE_CHK_SUM = "file://;md5=12345"
+
+SRC_URI = "https://github.com/${BPN}/${BPN}.git"
+SRCREV = "0f83a1ab7e5ca9f37f97bc57b20d3fab0f351d11"
+
+inherit cmake
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch b/meta-security/recipes-security/krill/files/panic_workaround.patch
index 9b08cb5ce..9b08cb5ce 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
+++ b/meta-security/recipes-security/krill/files/panic_workaround.patch
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc b/meta-security/recipes-security/krill/krill.inc
index f86468b96..f86468b96 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc
+++ b/meta-security/recipes-security/krill/krill.inc
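Review bot: The new cryfs_0.10.3.bb recipe looks like an unfinished placeholder: `HOMEDIR` and `FILE_CHK_SUM` are not variables BitBake reads (the usual names are HOMEPAGE and LIC_FILES_CHKSUM), and the checksum entry has an empty file name and a dummy `md5=12345`. More important for supply-chain integrity, `SRC_URI` uses the `https://` fetcher on a `.git` URL, so SRCREV pins nothing and no checksum is given for the download. The recipe should use the git fetcher so that the pinned revision is what actually gets built, and carry a real license checksum. The angle-bracket values below are placeholders to fill in from the upstream tree.

```bitbake
HOMEPAGE = "https://www.cryfs.org"

LICENSE = "LGPL-3.0"
LIC_FILES_CHKSUM = "file://<LICENSE_FILE>;md5=<MD5_OF_LICENSE_FILE>"

SRC_URI = "git://github.com/${BPN}/${BPN}.git;protocol=https;branch=<BRANCH>"
# … unchanged: SRCREV …

S = "${WORKDIR}/git"
# … unchanged: inherit cmake …
```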
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb b/meta-security/recipes-security/krill/krill_0.9.1.bb
index 4dc61cfb3..4dc61cfb3 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb
+++ b/meta-security/recipes-security/krill/krill_0.9.1.bb |