diff options
Diffstat (limited to 'meta-security')
133 files changed, 2680 insertions, 562 deletions
diff --git a/meta-security/.gitignore b/meta-security/.gitignore new file mode 100644 index 000000000..c01df45ec --- /dev/null +++ b/meta-security/.gitignore @@ -0,0 +1,7 @@ +*.pyc +*.pyo +/*.patch +*.swp +*.orig +*.rej +*~ diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml new file mode 100644 index 000000000..3a1687cca --- /dev/null +++ b/meta-security/.gitlab-ci.yml @@ -0,0 +1,154 @@ +stages: + - build + +.build: + stage: build + image: crops/poky + before_script: + - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error + - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error + - export PATH=~/.local/bin:$PATH + - wget https://bootstrap.pypa.io/get-pip.py + - python3 get-pip.py + - python3 -m pip install kas + after_script: + - cd $CI_PROJECT_DIR/poky + - . ./oe-init-build-env $CI_PROJECT_DIR/build + - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do + - send-error-report -y tmp/log/error-report/$x + - done + - cd $CI_PROJECT_DIR + - rm -rf build + - $CI_PROJECT_DIR/scripts/ci-cleanup.sh + cache: + paths: + - layers + +qemux86: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuppc: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemumips64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuriscv64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64-tpm: + extends: .build + script: + - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml + +qemux86-64-tpm2: + extends: .build + script: + - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml + +qemuarm64-tpm2: + extends: .build + script: + - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml + +qemux86-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml + +qemux86-64-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml + +qemuarm64-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml + +qemux86-64-dm-verify: + extends: .build + script: + - kas build --target core-image-minimal kas/qemux86-64.yml + - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml + + +qemuarm64-alt: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm64-multi: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemumips64-alt: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemumips64-multi: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64-alt: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64-multi: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-musl: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm64-musl: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-harden: + extends: .build + script: + - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml + +qemux86-comp: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-test: + extends: .build + allow_failure: true + script: + - kas build --target security-test-image kas/$CI_JOB_NAME.yml + - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass index 1c0e29b6e..16d395b55 100644 --- a/meta-security/classes/dm-verity-img.bbclass +++ b/meta-security/classes/dm-verity-img.bbclass @@ -18,12 +18,18 @@ # The resulting image can then be used to implement the device mapper block # integrity checking on the target device. +# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash +# is stored where it can be installed into associated initramfs rootfs. +STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity" + # Process the output from veritysetup and generate the corresponding .env # file. The output from veritysetup is not very machine-friendly so we need to # convert it to some better format. Let's drop the first line (doesn't contain # any useful info) and feed the rest to a script. process_verity() { - local ENV="$OUTPUT.env" + local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env" + install -d ${STAGING_VERITY_DIR} + rm -f $ENV # Each line contains a key and a value string delimited by ':'. Read the # two parts into separate variables and process them separately. For the @@ -32,15 +38,13 @@ process_verity() { # just trim all white-spaces. IFS=":" while read KEY VAL; do - echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV - echo -ne "=" >> $ENV - echo "$VAL" | tr -d " \t" >> $ENV + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV done # Add partition size echo "DATA_SIZE=$SIZE" >> $ENV - - ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env } verity_setup() { @@ -68,13 +72,13 @@ python __anonymous() { image_fstypes = d.getVar('IMAGE_FSTYPES') pn = d.getVar('PN') - if verity_image != pn: - return # This doesn't concern this image - if not verity_image or not verity_type: bb.warn('dm-verity-img class inherited but not used') return + if verity_image != pn: + return # This doesn't concern this image + if len(verity_type.split()) is not 1: bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type') diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 2c3bd9654..8c0254b82 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "dunfell" +LAYERSERIES_COMPAT_security = "gatesgarth" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml new file mode 100644 index 000000000..309acaa03 --- /dev/null +++ b/meta-security/kas/kas-security-alt.yml @@ -0,0 +1,8 @@ +header: + version: 9 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " apparmor pam smack systemd" diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml new file mode 100644 index 000000000..ba0e0f81f --- /dev/null +++ b/meta-security/kas/kas-security-base.yml @@ -0,0 +1,65 @@ +header: + version: 8 + +distro: poky + +repos: + meta-security: + layers: + ../meta-security: + meta-tpm: + meta-integrity: + meta-security-compliance: + meta-hardening: + + poky: + url: https://git.yoctoproject.org/git/poky + refspec: master + layers: + meta: + meta-poky: + meta-yocto-bsp: + + meta-openembedded: + url: http://git.openembedded.org/meta-openembedded + refspec: master + layers: + meta-oe: + meta-perl: + meta-python: + meta-networking: + +local_conf_header: + base: | + CONF_VERSION = "1" + SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" + SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" + SSTATE_DIR = "/home/srv/sstate/master" + DL_DIR = "/home/srv/downloads/master" + BB_HASHSERVE = "auto" + BB_SIGNATURE_HANDLER = "OEEquivHash" + INHERIT += "buildstats buildstats-summary buildhistory" + INHERIT += "report-error" + INHERIT += "testimage" + TEST_QEMUBOOT_TIMEOUT = "1500" + EXTRA_IMAGE_FEATURES ?= "debug-tweaks" + PACKAGE_CLASSES = "package_ipk" + + + diskmon: | + BB_DISKMON_DIRS = "\ + STOPTASKS,${TMPDIR},1G,100K \ + STOPTASKS,${DL_DIR},1G,100K \ + STOPTASKS,${SSTATE_DIR},1G,100K \ + STOPTASKS,/tmp,100M,100K \ + ABORT,${TMPDIR},100M,1K \ + ABORT,${DL_DIR},100M,1K \ + ABORT,${SSTATE_DIR},100M,1K \ + ABORT,/tmp,10M,1K" + +bblayers_conf_header: + base: | + POKY_BBLAYERS_CONF_VERSION = "2" + BBPATH = "${TOPDIR}" + BBFILES ?= "" + diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml new file mode 100644 index 000000000..7ce0e9d72 --- /dev/null +++ b/meta-security/kas/kas-security-dm.yml @@ -0,0 +1,13 @@ +header: + version: 9 + includes: + - kas-security-base.yml + +local_conf_header: + dm-verify: | + DM_VERITY_IMAGE = "core-image-minimal" + DM_VERITY_IMAGE_TYPE = "ext4" + IMAGE_CLASSES += "dm-verity-img" + INITRAMFS_IMAGE_BUNDLE = "1" + INITRAMFS_IMAGE = "dm-verity-image-initramfs" + diff --git a/meta-security/kas/qemuarm.yml b/meta-security/kas/qemuarm.yml new file mode 100644 index 000000000..f51abacf0 --- /dev/null +++ b/meta-security/kas/qemuarm.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuarm diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml new file mode 100644 index 000000000..48e688c2a --- /dev/null +++ b/meta-security/kas/qemuarm64-alt.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-alt.yml + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-ima.yml b/meta-security/kas/qemuarm64-ima.yml new file mode 100644 index 000000000..b4784729b --- /dev/null +++ b/meta-security/kas/qemuarm64-ima.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-multi.yml b/meta-security/kas/qemuarm64-multi.yml new file mode 100644 index 000000000..d79142c37 --- /dev/null +++ b/meta-security/kas/qemuarm64-multi.yml @@ -0,0 +1,12 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib32" + DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-musl.yml b/meta-security/kas/qemuarm64-musl.yml new file mode 100644 index 000000000..b353eb4f1 --- /dev/null +++ b/meta-security/kas/qemuarm64-musl.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + musl: | + TCLIBC = "musl" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml new file mode 100644 index 000000000..3a8d8fc0d --- /dev/null +++ b/meta-security/kas/qemuarm64-tpm2.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm2" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64.yml b/meta-security/kas/qemuarm64.yml new file mode 100644 index 000000000..a0c2d1abb --- /dev/null +++ b/meta-security/kas/qemuarm64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuarm64 diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml new file mode 100644 index 000000000..923c21370 --- /dev/null +++ b/meta-security/kas/qemumips64-alt.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " pam systmed" + +machine: qemumips64 diff --git a/meta-security/kas/qemumips64-multi.yml b/meta-security/kas/qemumips64-multi.yml new file mode 100644 index 000000000..c8cf94b71 --- /dev/null +++ b/meta-security/kas/qemumips64-multi.yml @@ -0,0 +1,14 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib64 multilib:lib32" + DEFAULTTUNE = "mips64-n32" + DEFAULTTUNE_virtclass-multilib-lib64 = "mips64" + DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2" + +machine: qemumips64 diff --git a/meta-security/kas/qemumips64.yml b/meta-security/kas/qemumips64.yml new file mode 100644 index 000000000..64e52f77b --- /dev/null +++ b/meta-security/kas/qemumips64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemumips64 diff --git a/meta-security/kas/qemuppc.yml b/meta-security/kas/qemuppc.yml new file mode 100644 index 000000000..3dad81c27 --- /dev/null +++ b/meta-security/kas/qemuppc.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuppc diff --git a/meta-security/kas/qemuriscv64.yml b/meta-security/kas/qemuriscv64.yml new file mode 100644 index 000000000..e1b1e4947 --- /dev/null +++ b/meta-security/kas/qemuriscv64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuriscv64 diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml new file mode 100644 index 000000000..f0d6b27d0 --- /dev/null +++ b/meta-security/kas/qemux86-64-alt.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-alt.yml + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-dm-verify.yml b/meta-security/kas/qemux86-64-dm-verify.yml new file mode 100644 index 000000000..1f2600887 --- /dev/null +++ b/meta-security/kas/qemux86-64-dm-verify.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-dm.yml + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-ima.yml b/meta-security/kas/qemux86-64-ima.yml new file mode 100644 index 000000000..e64931c17 --- /dev/null +++ b/meta-security/kas/qemux86-64-ima.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-multi.yml b/meta-security/kas/qemux86-64-multi.yml new file mode 100644 index 000000000..711ce2863 --- /dev/null +++ b/meta-security/kas/qemux86-64-multi.yml @@ -0,0 +1,12 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib32" + DEFAULTTUNE_virtclass-multilib-lib32 = "x86" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml new file mode 100644 index 000000000..565b42327 --- /dev/null +++ b/meta-security/kas/qemux86-64-tpm.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml new file mode 100644 index 000000000..a43693ee9 --- /dev/null +++ b/meta-security/kas/qemux86-64-tpm2.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm2" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64.yml b/meta-security/kas/qemux86-64.yml new file mode 100644 index 000000000..4ba2b662b --- /dev/null +++ b/meta-security/kas/qemux86-64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml new file mode 100644 index 000000000..14c5dcabf --- /dev/null +++ b/meta-security/kas/qemux86-comp.yml @@ -0,0 +1,11 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-compliance: | + IMAGE_INSTALL_append = " lynis" + IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide" + +machine: qemux86 diff --git a/meta-security/kas/qemux86-harden.yml b/meta-security/kas/qemux86-harden.yml new file mode 100644 index 000000000..fb59ddab2 --- /dev/null +++ b/meta-security/kas/qemux86-harden.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO = "harden" + +machine: qemux86 diff --git a/meta-security/kas/qemux86-ima.yml b/meta-security/kas/qemux86-ima.yml new file mode 100644 index 000000000..6528ba620 --- /dev/null +++ b/meta-security/kas/qemux86-ima.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemux86 diff --git a/meta-security/kas/qemux86-musl.yml b/meta-security/kas/qemux86-musl.yml new file mode 100644 index 000000000..61d957214 --- /dev/null +++ b/meta-security/kas/qemux86-musl.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + musl: | + TCLIBC = "musl" + +machine: qemux86 diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml new file mode 100644 index 000000000..7b5f45151 --- /dev/null +++ b/meta-security/kas/qemux86-test.yml @@ -0,0 +1,11 @@ +header: + version: 8 + includes: + - kas-security-base.yml + + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " apparmor smack pam" + +machine: qemux86 diff --git a/meta-security/kas/qemux86.yml b/meta-security/kas/qemux86.yml new file mode 100644 index 000000000..83a5353e7 --- /dev/null +++ b/meta-security/kas/qemux86.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemux86 diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README new file mode 100644 index 000000000..37a0b7ec8 --- /dev/null +++ b/meta-security/meta-hardening/README @@ -0,0 +1,86 @@ +# This is an example for Security hardening an OE or Poky image + + +Meta-hardening +============= + +This layer provides examples for hardening OE/Yocto images. +This layer does not provide 100% security protection. This is only +a framework from which a user can build from and can possible contribute to. +The goal here is to capture use cases and examples the community decided shares for +everyones benefit. + +Building the meta-hardening layer +------------------------------- +In order to add hardening support to the poky/OE build this layer should be added +to your projects bblayers.conf file. + +By default the hardening components are disabled. This conforms to the +Yocto Project compatible guideline that indicate that simply including a +layer should not change the system behavior. + +In order to use the components in this layer to take affect the 'harden' keyword must +set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework. + +If one wants the a more complete example of a hardened image, one must also build the image: +harden-image-minimal + +There are default example userid and passwards: +These can be over written in your local.conf via: +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" + +example: +local.conf +DISTRO = "harden" + +The default user and password are: +User: "myadmin" +Password: "1SimplePw!" + +bitbake {qemu machine} harden-image-minimal + +Dependencies +============ + +Branch: master + +This layer depends on: + +URI: git://git.yoctoproject.org/poky + +or this normal combo: + +URI: git://git.openembedded.org/meta-openembedded/meta-oe + +URI: git://git.openembedded.org/bitbake + +plus: + +URI: git://git.openembedded.org/meta-openembedded +layers: meta-oe + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-hardening][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster <akuster808@gmail.com> + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf new file mode 100644 index 000000000..66db9b797 --- /dev/null +++ b/meta-security/meta-hardening/conf/distro/harden.conf @@ -0,0 +1,11 @@ +DISTRO = "harden" +DISTRO_NAME = "Simple Security hardening example" +DISTRO_VERSION = "1.0" + +DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" + +VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" +IMAGE_ROOTFS_EXTRA_SPACE = "524288" +EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" + +DISABLE_ROOT ?= "True" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf new file mode 100644 index 000000000..22d88749d --- /dev/null +++ b/meta-security/meta-hardening/conf/layer.conf @@ -0,0 +1,13 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH .= ":${LAYERDIR}" + +# We have a recipes directory, add to BBFILES +BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" + +BBFILE_COLLECTIONS += "harden-layer" +BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" +BBFILE_PRIORITY_harden-layer = "10" + +LAYERSERIES_COMPAT_harden-layer = "gatesgarth" + +LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend new file mode 100644 index 000000000..67be3f313 --- /dev/null +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -0,0 +1,13 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config + fi +} diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..395630460 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,4 @@ + +do_install_append_harden () { + sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile +} diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb new file mode 100644 index 000000000..daed3fbcc --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -0,0 +1,25 @@ +SUMMARY = "A small image for an example hardening OE." + +IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" +IMAGE_INSTALL_append = " os-release" + +IMAGE_FEATURES = "" +IMAGE_LINGUAS = " " + +LICENSE = "MIT" + +IMAGE_ROOTFS_SIZE ?= "8192" + +inherit core-image extrausers + +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" +DEFAULT_ADMIN_GROUP ?= "wheel" +DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" + +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" + +EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh new file mode 100755 index 000000000..e093f9621 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh @@ -0,0 +1,41 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: mountall +# Required-Start: mountvirtfs +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Mount all filesystems. +# Description: +### END INIT INFO + +. /etc/default/rcS + +# +# Mount local filesystems in /etc/fstab. For some reason, people +# might want to mount "proc" several times, and mount -v complains +# about this. So we mount "proc" filesystems without -v. +# +test "$VERBOSE" != no && echo "Mounting local filesystems..." +mkdir -p /home +mkdir -p /var +mount -at nonfs,nosmbfs,noncpfs 2>/dev/null + +# +# We might have mounted something over /dev, see if /dev/initctl is there. +# +if test ! -p /dev/initctl +then + rm -f /dev/initctl + mknod -m 600 /dev/initctl p +fi +kill -USR1 1 + +# +# Execute swapon command again, in case we want to swap to +# a file on a now mounted filesystem. +# +[ -x /sbin/swapon ] && swapon -a + +: exit 0 + diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend new file mode 100644 index 000000000..896b03973 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_harden = " file://mountall.sh" + +do_install_append_harden() { + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d +} diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb new file mode 100644 index 000000000..1dcd5fc3d --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb @@ -0,0 +1,19 @@ +# +# +# + +SUMMARY = "Hardening example group" + +inherit packagegroup + +PROVIDES = "${PACKAGES}" +PACKAGES = "${PN} \ + packagegroup-${PN} \ +" + +RDEPENDS_${PN} = "\ + init-ifupdown \ + ${VIRTUAL-RUNTIME_base-utils-syslog} \ + sudo \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \ +" diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 000000000..3f363f069 --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -0,0 +1,10 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs + sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs +} diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 000000000..a31c081fe --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend @@ -0,0 +1,7 @@ + +PACKAGECONFIG_append_harden = " pam-wheel" +do_install_append_harden () { + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers + fi +} diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index b4edac383..76374eb9b 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -2,8 +2,7 @@ BBPATH =. "${LAYERDIR}:" # We have a packages directory, add to BBFILES -BBFILES := "${BBFILES} \ - ${LAYERDIR}/recipes-*/*/*.bb \ +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ ${LAYERDIR}/recipes-*/*/*.bbappend" BBFILE_COLLECTIONS += "integrity" @@ -21,8 +20,12 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "dunfell" +LAYERSERIES_COMPAT_integrity = "gatesgarth" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity" + +BBFILES_DYNAMIC += " \ +networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ +" diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc new file mode 100644 index 000000000..a45182e51 --- /dev/null +++ b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc @@ -0,0 +1,61 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +DEPENDS = "libtspi" + +SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" + +PACKAGECONFIG += " \ + aikgen \ + tpm \ +" + +PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,," +PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,," + +PACKAGECONFIG_ima += "\ + imc-test \ + imv-test \ + imc-scanner \ + imv-scanner \ + imc-os \ + imv-os \ + imc-attestation \ + imv-attestation \ + tnc-ifmap \ + tnc-imc \ + tnc-imv \ + tnc-pdp \ + tnccs-11 \ + tnccs-20 \ + tnccs-dynamic \ + " + +EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}" + +PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,," +PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,," +PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,," +PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,," +PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima,," +PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,," +PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,," + +PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,," +PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,," +PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,," +PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,," +PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima,," +PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,," +PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,," + +PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap,libxml2," +PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,," + +PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2," +PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,," +PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,," + +#FILES_${PN} += "${libdir}/ipsec/imcvs/*.so ${datadir}/regid.2004-03.org.strongswan" +#FILES_${PN}-dbg += "${libdir}/ipsec/imcvs/.debug" +#FILES_${PN}-dev += "${libdir}/ipsec/imcvs/*.la" +#FILES_${PN}-staticdev += "${libdir}/ipsec/imcvs/*.a" diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend new file mode 100644 index 000000000..4669fd2a1 --- /dev/null +++ b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'imp', 'strongswan-ima.inc', '', d)} diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 965c83797..db243f710 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "dunfell" +LAYERSERIES_COMPAT_scanners-layer = "gatesgarth" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb index 245761c37..2d5962362 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb @@ -8,8 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" -SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" +SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2" S = "${WORKDIR}/${BPN}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb index ad29efdad..51fa9ee2a 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb @@ -2,7 +2,7 @@ SUMARRY = "NIST Certified SCAP 1.2 toolkit" require openscap.inc -SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRCREV = "0cb55c55af6be9934d6fd0caf4563b206f289732" SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ " diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb index 963d3dec9..73a4729bf 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb @@ -5,8 +5,8 @@ SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes" include openscap.inc -SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90" +SRCREV = "a85943eee400fdbe59234d1c4a02d8cf710c4625" SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \ " -PV = "1.3.1+git${SRCPV}" +PV = "1.3.3+git${SRCPV}" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 66c262302..32fce0fbb 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" -DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" +DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native" S = "${WORKDIR}/git" diff --git a/meta-security/meta-security-isfafw/classes/isafw.bbclass b/meta-security/meta-security-isafw/classes/isafw.bbclass index 146acdfbf..146acdfbf 100644 --- a/meta-security/meta-security-isfafw/classes/isafw.bbclass +++ b/meta-security/meta-security-isafw/classes/isafw.bbclass diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf index 63f990a8b..b8ee1c013 100644 --- a/meta-security/meta-security-isafw/conf/layer.conf +++ b/meta-security/meta-security-isafw/conf/layer.conf @@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1" LAYERDEPENDS_security-isafw = "core" -LAYERSERIES_COMPAT_security-isafw = "dunfell" +LAYERSERIES_COMPAT_security-isafw = "gatesgarth" diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc index 74c1a1812..dcf53d0cc 100644 --- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc @@ -33,7 +33,6 @@ RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>" -RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>" RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index c3372c707..cd62fbac2 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,10 +8,14 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "10" -LAYERSERIES_COMPAT_tpm-layer = "dunfell" +LAYERSERIES_COMPAT_tpm-layer = "gatesgarth" LAYERDEPENDS_tpm-layer = " \ core \ openembedded-layer \ " BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm" + +BBFILES_DYNAMIC += " \ +networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ +" diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch new file mode 100644 index 000000000..825028222 --- /dev/null +++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch @@ -0,0 +1,38 @@ +From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Apr 2020 10:44:19 +0200 +Subject: [PATCH] xfrmi: Only build if libcharon is built + +The kernel-netlink plugin is only built if libcharon is. + +Closes strongswan/strongswan#167. + +Upstream-Status: Backport +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + src/Makefile.am | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +Index: strongswan-5.8.4/src/Makefile.am +=================================================================== +--- strongswan-5.8.4.orig/src/Makefile.am ++++ strongswan-5.8.4/src/Makefile.am +@@ -42,6 +42,9 @@ endif + + if USE_LIBCHARON + SUBDIRS += libcharon ++if USE_KERNEL_NETLINK ++ SUBDIRS += xfrmi ++endif + endif + + if USE_FILE_CONFIG +@@ -143,7 +146,3 @@ endif + if USE_TPM + SUBDIRS += tpm_extendpcr + endif +- +-if USE_KERNEL_NETLINK +- SUBDIRS += xfrmi +-endif diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc new file mode 100644 index 000000000..d8604e116 --- /dev/null +++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc @@ -0,0 +1,12 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +DEPENDS = "libtspi" + +SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" + +PACKAGECONFIG += "aikgen tpm" + +PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,," +PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,," + +EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}" diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend new file mode 100644 index 000000000..34757bb47 --- /dev/null +++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)} diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb index 25126effb..3844c7f9f 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb @@ -11,6 +11,11 @@ SUMMARY_packagegroup-security-tpm = "Security TPM support" RDEPENDS_packagegroup-security-tpm = " \ tpm-tools \ trousers \ + pcr-extend \ + tpm-quote-tools \ + swtpm \ + openssl-tpm-engine \ + libtpm \ ${X86_TPM_MODULES} \ " diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 8f5c537b9..8b6f03023 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -19,5 +19,4 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-abrmd \ tpm2-pkcs11 \ ibmswtpm2 \ - cryptsetup-tpm-incubator \ " diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb index 4588c8d09..0ade01dd5 100644 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb @@ -2,8 +2,8 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "c26e8f7b08b19a69cea9e8f1f1e6639c7951fb01" -SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}" +SRCREV = "7325acb4777f70419fe10a1d9621c2666e977e73" +SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.7.0" PE = "1" diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index fe8f55714..27b4e2f51 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -6,7 +6,7 @@ SECTION = "security/tpm" DEPENDS = "openssl" -SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0" +SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b" PV = "0.3.14+git${SRCPV}" SRC_URI = " \ @@ -104,6 +104,8 @@ FILES_${PN}-doc = " \ ${mandir}/man8 \ " +FILES_${PN} += "${systemd_unitdir}/*" + INITSCRIPT_NAME = "trousers" INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb deleted file mode 100644 index b706d1505..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ /dev/null @@ -1,42 +0,0 @@ -SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss" -DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module." - -SECTION = "security/tpm" -LICENSE = "LGPL-2.1 | GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \ - file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \ - " - -DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c" - -SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \ - file://configure_fix.patch " - -SRCREV = "15c283195f19f1d980e39ba45448683d5e383179" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig gettext - -PACKAGECONFIG ??= "openssl" -PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl" -PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt" - -EXTRA_OECONF = "--enable-static" - -RRECOMMENDS_${PN} = "kernel-module-aes-generic \ - kernel-module-dm-crypt \ - kernel-module-md5 \ - kernel-module-cbc \ - kernel-module-sha256-generic \ - kernel-module-xts \ - " - -FILES_${PN} += "${libdir}/tmpfiles.d" -RDEPENDS_${PN} += "lvm2 libdevmapper" -RRECOMMENDS_${PN} += "lvm2-udevrules" - -RREPLACES_${PN} = "cryptsetup" -RCONFLICTS_${PN} ="cryptsetup" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch deleted file mode 100644 index 8c7b6da41..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch +++ /dev/null @@ -1,16 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in] - - # For old automake use this - #AM_INIT_AUTOMAKE(dist-xz subdir-objects) --AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects]) -+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign]) - - if test "x$prefix" = "xNONE"; then - sysconfdir=/etc diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch new file mode 100644 index 000000000..f2938e0e0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch @@ -0,0 +1,27 @@ +Fix strict aliasing issue of gcc10 + +fixes: + +TpmFail.c: In function 'TpmLogFailure': +TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ + | ^~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack <sno@NetBSD.org> + +Index: src/TpmFail.c +=================================================================== +--- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 ++++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 +@@ -214,7 +214,7 @@ + // On a 64-bit machine, this may truncate the address of the string + // of the function name where the error occurred. + #if FAIL_TRACE +- s_failFunction = *(UINT32 *)&function; /* kgold */ ++ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ + s_failLine = line; + #else + s_failFunction = 0; diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch deleted file mode 100644 index 2919e2e54..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch +++ /dev/null @@ -1,26 +0,0 @@ -Allow recipe to overide optimization. - -fixes: - -397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) -| | ^~~~~~~ -| cc1: all warnings being treated as errors - - -Upstream-Status: OE specific - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: src/makefile -=================================================================== ---- src.orig/makefile -+++ src/makefile -@@ -43,7 +43,7 @@ CC = /usr/bin/gcc - CCFLAGS = -Wall \ - -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ - -Werror -Wsign-compare \ -- -c -ggdb -O0 \ -+ -c -ggdb -O \ - -DTPM_POSIX \ - -D_POSIX_ \ - -DTPM_NUVOTON diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch new file mode 100644 index 000000000..eebddb9e7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch @@ -0,0 +1,50 @@ +1) Allow recipe to overide optimization. + +fixes: + +397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) +| | ^~~~~~~ +| cc1: all warnings being treated as errors + +2) Allow recipe to override OE related compile-/link-flags + +fixes: + +ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags] + +Upstream-Status: OE specific + +Signed-off-by: Jens Rehsack <sno@NetBSD.org> + +Index: src/makefile +=================================================================== +--- src.orig/makefile ++++ src/makefile +@@ -38,12 +38,10 @@ + ################################################################################# + + +-CC = /usr/bin/gcc +- + CCFLAGS = -Wall \ + -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ + -Werror -Wsign-compare \ +- -c -ggdb -O0 \ ++ -c -ggdb -O \ + -DTPM_POSIX \ + -D_POSIX_ \ + -DTPM_NUVOTON +@@ -79,11 +77,11 @@ + .PRECIOUS: %.o + + tpm_server: $(OBJFILES) +- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server ++ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server + + clean: + rm -f *.o tpm_server *~ + + %.o: %.c +- $(CC) $(CCFLAGS) $< -o $@ ++ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@ + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb deleted file mode 100644 index 80542269e..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "13013612b3a13dc935fefe1a5684179c" -SRC_URI[sha256sum] = "fc3a17f8315c1f47670764f2384943afc0d3ba1e9a0422dacb08d455733bd1e9" -SRC_URI[sha1sum] = "a2a5335024a2edc1739f08b99e716fa355be627d" -SRC_URI[sha384sum] = "b1f278acabe2198aa79c0fe8aa0182733fe701336cbf54a88058be0b574cab768f59f9315882d0e689e634678d05b79f" -SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb014124011221a492147d4c492584e87af23e2f842ca6307641b3919f67a3f27f09312c0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} - diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb new file mode 100644 index 000000000..32afd377d --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb @@ -0,0 +1,39 @@ +SUMMARY = "IBM's Software TPM 2.0" +DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \ +education, and virtualization. \ +\ +The intent is that an application can be developed using the software TPM. \ +The application should then run using a hardware TPM without changes. \ +Advantages of this approach: \ +* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \ +* Application software errors are easily reversed by simply removing the TPM state and starting over. \ +* Difficult crypto errors are quickly debugged by looking inside the TPM." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://tune-makefile.patch \ + file://fix-wrong-cast.patch \ + " +SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" +SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" +SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" +SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" +SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" + +S = "${WORKDIR}/src" + +CFLAGS += "-Wno-error=maybe-uninitialized" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch new file mode 100644 index 000000000..8b13fb66c --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch @@ -0,0 +1,125 @@ +From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001 +From: Jens Rehsack <sno@netbsd.org> +Date: Fri, 11 Sep 2020 07:46:41 +0200 +Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs + +Expand wildcards of required sources to avoid errors like: +make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'. Stop. +make[2]: *** Waiting for unfinished jobs.... + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack <sno@netbsd.org> +--- + utils/Makefile.am | 75 +++++++++++++++++++++++++++++++++++++++++++-- + utils12/Makefile.am | 8 ++++- + 2 files changed, 79 insertions(+), 4 deletions(-) + +diff --git a/utils/Makefile.am b/utils/Makefile.am +index 1e51fe3..170a26e 100644 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -81,9 +81,78 @@ libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS) + + noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h + # install every header in ibmtss +-nobase_include_HEADERS = ibmtss/*.h +- +-notrans_man_MANS = man/man1/*.1 ++nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \ ++ ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \ ++ ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \ ++ ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \ ++ ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \ ++ ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \ ++ ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \ ++ ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \ ++ ibmtss/EncryptDecrypt_fp.h ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \ ++ ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \ ++ ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \ ++ ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \ ++ ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \ ++ ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \ ++ ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \ ++ ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \ ++ ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \ ++ ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \ ++ ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \ ++ ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \ ++ ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \ ++ ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \ ++ ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \ ++ ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \ ++ ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \ ++ ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \ ++ ibmtss/PolicyNvWritten_fp.h ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \ ++ ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \ ++ ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \ ++ ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \ ++ ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \ ++ ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \ ++ ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \ ++ ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \ ++ ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \ ++ ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \ ++ ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \ ++ ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \ ++ ibmtss/ZGen_2Phase_fp.h ++ ++notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \ ++ man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \ ++ man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \ ++ man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \ ++ man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \ ++ man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \ ++ man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \ ++ man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \ ++ man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \ ++ man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \ ++ man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \ ++ man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \ ++ man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \ ++ man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \ ++ man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \ ++ man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \ ++ man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \ ++ man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \ ++ man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \ ++ man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \ ++ man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \ ++ man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \ ++ man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \ ++ man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \ ++ man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \ ++ man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \ ++ man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \ ++ man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \ ++ man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \ ++ man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \ ++ man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \ ++ man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1 + + if CONFIG_TPM20 + noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h +diff --git a/utils12/Makefile.am b/utils12/Makefile.am +index a01f47c..e9fe61e 100644 +--- a/utils12/Makefile.am ++++ b/utils12/Makefile.am +@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_srcdir)/utils + # result: [current-age].age.revision + libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la + +-notrans_man_MANS = man/man1/*.1 ++notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \ ++ man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \ ++ man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \ ++ man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \ ++ man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \ ++ man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \ ++ man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 man/man1/tss1tpminit.1 + noinst_HEADERS = ekutils12.h + + bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend +-- +2.17.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb new file mode 100644 index 000000000..18ad7eb43 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb @@ -0,0 +1,27 @@ +SUMMARY = "IBM's Software TPM 2.0 TSS" +DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \ +functionality equivalent to (but not API compatible with) the TCG TSS \ +working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \ +hopefully simpler interface. \ +It comes with over 110 'TPM tools' samples that can be used for scripted \ +apps, rapid prototyping, education, and debugging. \ +It also comes with a web based TPM interface, suitable for a demo to an \ +audience that is unfamiliar with TCG technology. It is also useful for \ +basic TPM management." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl ibmswtpm2" + +inherit autotools pkgconfig + +SRCREV = "aa6c6ec83793ba21782033c03439977c26d3cc87" +SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \ + file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \ + " + +EXTRA_OECONF = "--disable-tpm-1.2" + +S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb index 991364ad3..d2a1c47b5 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb @@ -18,7 +18,7 @@ SRC_URI = "\ file://tpm2-abrmd.default \ " -SRCREV = "ac82192df1158cb58eac02777cf15c965b02cfbc" +SRCREV = "4cdda466010a3699ebe967d990ac715ae3de7d35" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch new file mode 100644 index 000000000..9d3f073e0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch @@ -0,0 +1,77 @@ +From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 14 Oct 2020 08:55:33 -0700 +Subject: [PATCH] remove local binary checkes + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upsteam-Status: Inappropriate +These are only needed to run on the tartget so we add an RDPENDS. +Not needed for building. + +--- + configure.ac | 48 ------------------------------------------------ + 1 file changed, 48 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 50e7d4b..2b9abcf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -219,54 +219,6 @@ AX_PROG_JAVAC() + AX_PROG_JAVA() + m4_popdef([AC_MSG_ERROR]) + +-AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no]) +- AS_IF([test "x$tpm2_createprimary" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no]) +- AS_IF([test "x$tpm2_create" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no]) +- AS_IF([test "x$tpm2_evictcontrol" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no]) +- AS_IF([test "x$tpm2_readpublic" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no]) +- AS_IF([test "x$tpm2_load" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no]) +- AS_IF([test "x$tpm2_loadexternal" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no]) +- AS_IF([test "x$tpm2_unseal" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no]) +- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no]) +- AS_IF([test "x$tpm2_sign" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no]) +- AS_IF([test "x$tpm2_getcap" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no]) +- AS_IF([test "x$tpm2_import" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no]) +- AS_IF([test "x$tpm2_changeauth" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])]) +- + AC_DEFUN([integration_test_checks], [ + + PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],, +-- +2.17.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb index 351e03e5b..486573341 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb @@ -2,15 +2,15 @@ SUMMARY = "A PKCS#11 interface for TPM2 hardware" DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." SECTION = "security/tpm" LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" -DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools" +DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml" -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \ +SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \ file://bootstrap_fixup.patch \ - " + file://0001-remove-local-binary-checkes.patch" -SRCREV = "6de3f6f9c6e0a4983f3fb90e35feb34906f8aea7" +SRCREV = "78bbf6a0237351830d0c3923b25ba0b57ae0b7e9" S = "${WORKDIR}/git" @@ -19,3 +19,5 @@ inherit autotools-brokensep pkgconfig do_configure_prepend () { ${S}/bootstrap } + +RDEPNDS_${PN} = "tpm2-tools" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch deleted file mode 100644 index bc70913e8..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch +++ /dev/null @@ -1,23 +0,0 @@ -Fix defined to match tpm2-tools 4.1.1 - -Upstream-Status: Submitted https://github.com/tpm2-software/tpm2-tcti-uefi/pull/81 -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Index: git/example/tpm2-get-caps-fixed.c -=================================================================== ---- git.orig/example/tpm2-get-caps-fixed.c -+++ git/example/tpm2-get-caps-fixed.c -@@ -140,11 +140,11 @@ dump_tpm_properties_fixed (TPMS_TAGGED_P - Print (L"TPM2_PT_INPUT_BUFFER:\n" - " value: 0x%X\n", value); - break; -- case TPM2_PT_HR_TRANSIENT_MIN: -+ case TPM2_PT_TPM2_HR_TRANSIENT_MIN: - Print (L"TPM2_PT_TPM2_HR_TRANSIENT_MIN:\n" - " value: 0x%X\n", value); - break; -- case TPM2_PT_HR_PERSISTENT_MIN: -+ case TPM2_PT_TPM2_HR_PERSISTENT_MIN: - Print (L"TPM2_PT_TPM2_HR_PERSISTENT_MIN:\n" - " value: 0x%X\n", value); - break; diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 67b36b787..a67e3c34d 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -7,9 +7,9 @@ DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf- SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ - file://tpm2-get-caps-fixed.patch \ file://fix_header_file.patch \ - " +" + SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb deleted file mode 100644 index e90dcfe6e..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb +++ /dev/null @@ -1,17 +0,0 @@ -SUMMARY = "Tools for TPM2." -DESCRIPTION = "tpm2-tools" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc" -SECTION = "tpm" - -DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive" - -SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" - -SRC_URI[md5sum] = "701ae9e8c8cbdd37d89c8ad774f55395" -SRC_URI[sha256sum] = "40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1" -SRC_URI[sha1sum] = "d097d321237983435f05c974533ad90e6f20acef" -SRC_URI[sha384sum] = "396547f400e4f5626d7741d77ec543f312d94e6697899f4c36260d15fab3f4f971ad2c0487e6eaa2d60256f3cf68f85f" -SRC_URI[sha512sum] = "25952cf947f0acd16b1a8dbd3ac8573bce85ff970a7e24c290c4f9cd29418e77a3e48ac82c932fbd250887a9303ab301ff92db594c2fffaba47b873382444d26" - -inherit autotools pkgconfig bash-completion diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb new file mode 100644 index 000000000..5bd26ab98 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb @@ -0,0 +1,13 @@ +SUMMARY = "Tools for TPM2." +DESCRIPTION = "tpm2-tools" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a846608d090aa64494c45fc147cc12e3" +SECTION = "tpm" + +DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive" + +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc" + +inherit autotools pkgconfig bash-completion diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb index 0dad67306..264484f7a 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb @@ -9,9 +9,8 @@ DEPENDS = "autoconf-archive libtss2-dev qrencode" PE = "1" -SRCREV = "994b4203e4769baefa6e7719915629bc8210e90a" -SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x \ - " +SRCREV = "bfd581986353edc1058604e77cac804bd8b0d30a" +SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x" inherit autotools-brokensep pkgconfig diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb index 3641b1b76..ebd6d539e 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb @@ -1,15 +1,15 @@ SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL." DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures." -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=7b3ab643b9ce041de515d1ed092a36d4" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3fb0047fd29391478a71e8e6101c76eb" SECTION = "security/tpm" DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl" -SRCREV = "fdc8f65dfc8bad8b5a3aed181fae338267308f70" -SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git" +SRCREV = "24f1383cc6befde44d6f01a51ea653304d844ffd" +SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.0.x" inherit autotools-brokensep pkgconfig systemd diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb index 135efed84..78be51359 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb @@ -6,19 +6,14 @@ SECTION = "tpm" DEPENDS = "autoconf-archive-native libgcrypt openssl" -SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6" - SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "fb7e6d371959a65dc6d129af81739742" -SRC_URI[sha256sum] = "82929a0611f39246e09202702a61b54c980ab694626c1f5823520ddf75024fa6" -SRC_URI[sha1sum] = "c24ce8b20a8686ada775239389292f6d78020668" -SRC_URI[sha384sum] = "a0c023c024efb6c9906df1e143d692f44433de332b616dc0584c9b4cd4fb0ad544308f291892e91c5a52ef1a4b2abf7f" -SRC_URI[sha512sum] = "7b679b54f3478c3adee5b6c3135cbe491ffd9f4712991f465edbd6c7d2831e5f1537038ec36f288e9545c719d5d167b61116c924cf5d816220615d0b58a1d436" +SRC_URI[sha256sum] = "e294677f8993234d0adfa191a5cbf9c5b83cc60c724c233e3d631c26712abea0" inherit autotools pkgconfig systemd extrausers PACKAGECONFIG ??= "" PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " +PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" EXTRA_OECONF_remove = " --disable-static" diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762d..187aeaee2 100644 --- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -1,26 +1,34 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-dm-verity \ base-files \ + base-passwd \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" + # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_image[nostamp] = "1" -inherit core-image +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb index a8757f980..a8757f980 100644 --- a/meta-security/recipes-security/images/security-build-image.bb +++ b/meta-security/recipes-core/images/security-build-image.bb diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb index f4ebc697c..f4ebc697c 100644 --- a/meta-security/recipes-security/images/security-client-image.bb +++ b/meta-security/recipes-core/images/security-client-image.bb diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb index 4927e0ee5..4927e0ee5 100644 --- a/meta-security/recipes-security/images/security-server-image.bb +++ b/meta-security/recipes-core/images/security-server-image.bb diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb new file mode 100644 index 000000000..54d89787f --- /dev/null +++ b/meta-security/recipes-core/images/security-test-image.bb @@ -0,0 +1,18 @@ +DESCRIPTION = "A small image for testing meta-security packages" + +require security-build-image.bb + +IMAGE_FEATURES += "ssh-server-openssh" + +TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" + +INSTALL_CLAMAV_CVD = "1" + +IMAGE_OVERHEAD_FACTOR = "1.0" +IMAGE_ROOTFS_EXTRA_SPACE = "1124288" + +# ptests need more memory than standard to avoid the OOM killer +# also lttng-tools needs /tmp that has at least 1G +QB_MEM = "-m 2048" + +PTEST_EXPECT_FAILURE = "1" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b61495655..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null @@ -1,13 +0,0 @@ -SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -SRC_URI = "file://init-dm-verity.sh" - -do_install() { - install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init - install -d ${D}/dev - mknod -m 622 ${D}/dev/console c 5 1 -} - -FILES_${PN} = "/init /dev/console" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh deleted file mode 100644 index 307d2c74b..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -PATH=/sbin:/bin:/usr/sbin:/usr/bin -RDEV="" -ROOT_DIR="/new_root" - -mkdir -p /proc -mkdir -p /sys -mkdir -p /run -mkdir -p /tmp -mount -t proc proc /proc -mount -t sysfs sysfs /sys -mount -t devtmpfs none /dev - -udevd --daemon -udevadm trigger --type=subsystems --action=add -udevadm trigger --type=devices --action=add -udevadm settle --timeout=10 - -for PARAM in $(cat /proc/cmdline); do - case $PARAM in - root=*) - RDEV=${PARAM#root=} - ;; - esac -done - -if ! [ -b $RDEV ]; then - echo "Missing root command line argument!" - exit 1 -fi - -case $RDEV in - UUID=*) - RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) - ;; -esac - -. /usr/share/dm-verity.env - -echo "Mounting $RDEV over dm-verity as the root filesystem" - -veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH -mkdir -p $ROOT_DIR -mount -o ro /dev/mapper/rootfs $ROOT_DIR -exec switch_root $ROOT_DIR /sbin/init diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 000000000..888052ccd --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity @@ -0,0 +1,63 @@ +#!/bin/sh + +dmverity_enabled() { + return 0 +} + +dmverity_run() { + DATA_SIZE="__not_set__" + ROOT_HASH="__not_set__" + + . /usr/share/misc/dm-verity.env + + C=0 + delay=${bootparam_rootdelay:-1} + timeout=${bootparam_roottimeout:-5} + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + while [ ! -b "${RDEV}" ]; do + if [ $(( $C * $delay )) -gt $timeout ]; then + fatal "Root device resolution failed" + exit 1 + fi + + case "${bootparam_root}" in + ID=*) + RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" + ;; + LABEL=*) + RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" + ;; + PARTLABEL=*) + RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" + ;; + PARTUUID=*) + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + ;; + PATH=*) + RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" + ;; + UUID=*) + RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" + ;; + *) + RDEV="${bootparam_root}" + esac + debug "Sleeping for $delay second(s) to wait root to settle..." + sleep $delay + C=$(( $C + 1 )) + + done + + veritysetup \ + --data-block-size=1024 \ + --hash-offset=${DATA_SIZE} \ + create rootfs \ + ${RDEV} \ + ${RDEV} \ + ${ROOT_HASH} + + mount \ + -o ro \ + /dev/mapper/rootfs \ + ${ROOTFS_DIR} || exit 2 +} diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend new file mode 100644 index 000000000..dad9c967c --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index e0a9d0534..0a4452eea 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -9,38 +9,51 @@ PACKAGES = "\ packagegroup-core-security \ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " SUMMARY_packagegroup-security-utils = "Security utilities" RDEPENDS_packagegroup-security-utils = "\ checksec \ + ding-libs \ + ecryptfs-utils \ + fscryptctl \ + keyutils \ nmap \ pinentry \ + python3-privacyidea \ + python3-fail2ban \ python3-scapy \ - ding-libs \ - keyutils \ - libseccomp \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + softhsm \ + libest \ + opendnssec \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " SUMMARY_packagegroup-security-scanners = "Security scanners" RDEPENDS_packagegroup-security-scanners = "\ + isic \ nikto \ checksecurity \ - clamav \ - clamav-freshclam \ - clamav-cvd \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ " +RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd" SUMMARY_packagegroup-security-audit = "Security Audit tools " RDEPENDS_packagegroup-security-audit = " \ @@ -57,7 +70,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ samhain-standalone \ - suricata \ + ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" @@ -66,3 +79,14 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " + +RDEPENDS_packagegroup-meta-security-ptest-packages = "\ + ptest-runner \ + samhain-standalone-ptest \ + libseccomp-ptest \ + python3-scapy-ptest \ + suricata-ptest \ + tripwire-ptest \ + python3-fail2ban-ptest \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ +" diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb index 8305f7010..8305f7010 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc index 3adbcf6d4..b94285f0d 100644 --- a/meta-security/recipes-ids/suricata/suricata.inc +++ b/meta-security/recipes-ids/suricata/suricata.inc @@ -2,8 +2,7 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.1.6" +VER = "4.1.9" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34" -SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0" +SRC_URI[sha256sum] = "3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.6.bb b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb index 9b7122b9e..135871cc7 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.6.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb @@ -14,7 +14,7 @@ SRC_URI += " \ inherit autotools-brokensep pkgconfig python3-dir systemd ptest -CFLAGS += "-D_DEFAULT_SOURCE" +CFLAGS += "-D_DEFAULT_SOURCE -fcommon" CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index c26392a04..4f50bff73 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -52,6 +52,7 @@ do_install () { install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4 install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5 install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8 + rm ${D}${mandir}/man*/Makefile* install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN} install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN} diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend index 76b5df55b..6bc40cd96 100644 --- a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend @@ -1,4 +1,4 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}" - +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb deleted file mode 100644 index d6f61b39a..000000000 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb +++ /dev/null @@ -1,198 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://0001-Makefile.am-suppress-perllocal.pod.patch \ - file://run-ptest \ - " - -SRCREV = "df0ac742f7a1146181d8734d03334494f2015134" -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check -REQUIRED_DISTRO_FEATURES = "apparmor" - -PACKAGECONFIG ??= "python perl aa-decode" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," -PACKAGECONFIG[aa-decode] = ",,,bash" - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - # Fixes: - # | sed -ie 's///g' Makefile.perl - # | sed: -e expression #1, char 0: no previous regular expression - #| Makefile:478: recipe for target 'Makefile.perl' failed - sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile - - - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - # If perl is disabled this script won't be any good - if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then - rm -f ${D}${sbindir}/aa-notify - fi - - if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then - rm -f ${D}${sbindir}/aa-decode - fi - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions - sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} - fi -} - -#Building ptest on arm fails. -do_compile_ptest_aarch64 () { - : -} - -do_compile_ptest_arm () { - : -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -#Building ptest on arm fails. -do_install_ptest_aarch64 () { - : -} - -do_install_ptest_arm() { - : -} - -pkg_postinst_ontarget_${PN} () { -if [ ! -d /etc/apparmor.d/cache ] ; then - mkdir /etc/apparmor.d/cache -fi -} - -# We need the init script so don't rm it -RMINITDIR_class-target_remove = " rm_sysvinit_initddir" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE ?= "enable" - -PACKAGES += "mod-${PN}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -RDEPENDS_${PN} += "coreutils findutils ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" - -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb new file mode 100644 index 000000000..35e95a0a2 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb @@ -0,0 +1,193 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" + +SRC_URI = " \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ + file://run-ptest \ + file://0001-apparmor-fix-manpage-order.patch \ + file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \ + file://0001-libapparmor-add-missing-include-for-socklen_t.patch \ + file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \ + file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \ + file://0001-aa_status-Fix-build-issue-with-musl.patch \ + file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \ + " + +SRCREV = "5d51483bfecf556183558644dc8958135397a7e2" +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" + +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion + +REQUIRED_DISTRO_FEATURES = "apparmor" + +PACKAGECONFIG ?= "python perl aa-decode" +PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, " +PACKAGECONFIG[apache2] = ",,apache2," +PACKAGECONFIG[aa-decode] = ",,,bash" + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') +} + +DISABLE_STATIC = "" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile () { + sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then + rm -f ${D}${sbindir}/aa-decode + fi + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + install -d ${D}/lib/security + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + fi +} + +#Building ptest on arm fails. +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + +do_compile_ptest () { + sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile + oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0 + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +#Building ptest on arm fails. +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + +# We need the init script so don't rm it +RMINITDIR_class-target_remove = " rm_sysvinit_initddir" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_AUTO_ENABLE ?= "enable" + +PACKAGES += "mod-${PN}" + +FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_mod-${PN} = "${libdir}/apache2/modules/*" + +DEPENDS_append_libc-musl = " fts " +RDEPENDS_${PN}_libc-musl += "musl-utils" +RDEPENDS_${PN}_libc-glibc += "glibc-utils" + +# Add coreutils and findutils only if sysvinit scripts are in use +RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" + +INSANE_SKIP_${PN} = "ldflags" +PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch new file mode 100644 index 000000000..791437d1d --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch @@ -0,0 +1,91 @@ +From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Sat, 3 Oct 2020 11:26:46 -0700 +Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based + on USE_SYSTEM" + +This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e. + +Upstream-Statue: OE specific +These changes cause during packaging with perms changing. + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + profiles/Makefile | 50 ++++++++++------------------------------------- + 1 file changed, 10 insertions(+), 40 deletions(-) + +diff --git a/profiles/Makefile b/profiles/Makefile +index ba47fc16..5384cb05 100644 +--- a/profiles/Makefile ++++ b/profiles/Makefile +@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/ + SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print) + TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*)) + +-ifdef USE_SYSTEM +- PYTHONPATH= +- PARSER?=apparmor_parser +- LOGPROF?=aa-logprof +-else +- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am +- PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))") +- LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/ +- LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH) +- PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH) +- PARSER?=../parser/apparmor_parser +- # use ../utils logprof +- LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof +-endif +- + # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value + PWD=$(shell pwd) + +-.PHONY: test-dependencies +-test-dependencies: __parser __libapparmor +- +- +-.PHONY: __parser __libapparmor +-__parser: +-ifndef USE_SYSTEM +- @if [ ! -f $(PARSER) ]; then \ +- echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \ +- echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \ +- echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \ +- exit 1; \ +- fi +-endif +- +-__libapparmor: +-ifndef USE_SYSTEM +- @if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \ +- echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \ +- echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \ +- echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \ +- exit 1; \ +- fi +-endif +- + local: + for profile in ${TOPLEVEL_PROFILES}; do \ + fn=$$(basename $$profile); \ +@@ -109,6 +69,16 @@ else + Q= + endif + ++ifndef PARSER ++# use system parser ++PARSER=../parser/apparmor_parser ++endif ++ ++ifndef LOGPROF ++# use ../utils logprof ++LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof ++endif ++ + .PHONY: docs + # docs: should we have some here? + docs: +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch new file mode 100644 index 000000000..239562a45 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch @@ -0,0 +1,31 @@ +From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 7 Oct 2020 08:27:11 -0700 +Subject: [PATCH] aa_status: Fix build issue with musl + +add limits.h + +aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? +| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char)); + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> +--- + binutils/aa_status.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/binutils/aa_status.c b/binutils/aa_status.c +index 78b03409..41f1954e 100644 +--- a/binutils/aa_status.c ++++ b/binutils/aa_status.c +@@ -10,6 +10,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + #include <sys/types.h> + #include <sys/stat.h> + #include <sys/wait.h> +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch new file mode 100644 index 000000000..9f3dce426 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch @@ -0,0 +1,43 @@ +From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Fri, 2 Oct 2020 19:43:44 -0700 +Subject: [PATCH] apparmor: fix manpage order + +It trys to create a symlink before the man pages are installed. + + ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8 + | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +... + +install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8; + +Signed-off-by: Armin Kuster <akuster@mvista.com> +--- + binutils/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/binutils/Makefile b/binutils/Makefile +index 99e54875..3f1d0011 100644 +--- a/binutils/Makefile ++++ b/binutils/Makefile +@@ -156,12 +156,12 @@ install-arch: arch + install -m 755 -d ${SBINDIR} + ln -sf aa-status ${SBINDIR}/apparmor_status + install -m 755 ${SBINTOOLS} ${SBINDIR} +- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 + + .PHONY: install-indep + install-indep: indep + $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR} + $(MAKE) install_manpages DESTDIR=${DESTDIR} ++ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 + + ifndef VERBOSE + .SILENT: clean +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch new file mode 100644 index 000000000..2a56d8b85 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch @@ -0,0 +1,36 @@ +From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt <ps@pks.im> +Date: Sat, 3 Oct 2020 20:37:55 +0200 +Subject: [PATCH] libapparmor: add missing include for `socklen_t` + +While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't +include the `<sys/socket.h>` header to make its declaration available. +While this works on systems using glibc via transitive includes, it +breaks compilation on musl libc. + +Fix the issue by including the header. + +Signed-off-by: Patrick Steinhardt <ps@pks.im> + +Upstream-Status: Backport +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + libraries/libapparmor/include/sys/apparmor.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h +index 32892d06..d70eff94 100644 +--- a/libraries/libapparmor/include/sys/apparmor.h ++++ b/libraries/libapparmor/include/sys/apparmor.h +@@ -21,6 +21,7 @@ + #include <stdbool.h> + #include <stdint.h> + #include <unistd.h> ++#include <sys/socket.h> + #include <sys/types.h> + + #ifdef __cplusplus +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch new file mode 100644 index 000000000..9f7ad3c55 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch @@ -0,0 +1,37 @@ +From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster@mvista.com> +Date: Wed, 7 Oct 2020 20:50:38 -0700 +Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray + +In cross build environments, using the hosts cpp gives incorrect +detection of reallocarray. Change cpp to a variable. + +fixes: +parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)': +| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope +| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1); + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upstream-Status: Pending + +--- + parser/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser/Makefile b/parser/Makefile +index acef3d77..8250ac45 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -54,7 +54,7 @@ endif + CPPFLAGS += -D_GNU_SOURCE + + STDLIB_INCLUDE:="\#include <stdlib.h>" +-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true) ++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true) + + WARNINGS = -Wall + CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS} +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch new file mode 100644 index 000000000..333f40fbd --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch @@ -0,0 +1,37 @@ +From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt <ps@pks.im> +Date: Sat, 3 Oct 2020 20:58:45 +0200 +Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public + symbols + +With AppArmor release 3.0, a new function `aa_features_new_from_file` +was added, but not added to the list of public symbols. As a result, +it's not possible to make use of this function when linking against +libapparmor.so. + +Fix the issue by adding it to the symbol map. + +Signed-off-by: Patrick Steinhardt <ps@pks.im> + +Upstream-Status: Backport +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + libraries/libapparmor/src/libapparmor.map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map +index bbff51f5..1579509a 100644 +--- a/libraries/libapparmor/src/libapparmor.map ++++ b/libraries/libapparmor/src/libapparmor.map +@@ -117,6 +117,7 @@ APPARMOR_2.13.1 { + + APPARMOR_3.0 { + global: ++ aa_features_new_from_file; + aa_features_write_to_fd; + aa_features_value; + local: +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch new file mode 100644 index 000000000..543c7a185 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch @@ -0,0 +1,34 @@ +From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt <ps@pks.im> +Date: Sat, 3 Oct 2020 21:04:57 +0200 +Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols + +While `_aa_asprintf` is supposed to be of private visibility, it's used +by apparmor_parser and thus required to be visible when linking. This +commit thus adds it to the list of private symbols to make it available +for linking in apparmor_parser. + +Signed-off-by: Patrick Steinhardt <ps@pks.im> + +Upstream-Status: Backport +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + libraries/libapparmor/src/libapparmor.map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map +index 1579509a..41e541ac 100644 +--- a/libraries/libapparmor/src/libapparmor.map ++++ b/libraries/libapparmor/src/libapparmor.map +@@ -127,6 +127,7 @@ APPARMOR_3.0 { + PRIVATE { + global: + _aa_is_blacklisted; ++ _aa_asprintf; + _aa_autofree; + _aa_autoclose; + _aa_autofclose; +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions index cef8cfe7d..e9e2bbfbf 100644 --- a/meta-security/recipes-mac/AppArmor/files/functions +++ b/meta-security/recipes-mac/AppArmor/files/functions @@ -144,7 +144,7 @@ clear_cache_var() { read_features_dir() { - for f in `ls -AU "$1"` ; do + for f in `ls -A "$1"` ; do if [ -f "$1/$f" ] ; then read -r KF < "$1/$f" || true echo -n "$f {$KF } " diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb index 2e37c0b3c..79af6a5d1 100644 --- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb +++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb @@ -13,7 +13,7 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz" SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44" SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4" -S = "${WORKDIR}/${PN}" +S = "${WORKDIR}/${BPN}" inherit features_check diff --git a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb new file mode 100644 index 000000000..ca25d1459 --- /dev/null +++ b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb @@ -0,0 +1,11 @@ +SUMMARY = "Add version info to file paths." +SECTION = "devel/python" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc" + +PYPI_PACKAGE = "oauth2client" +SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6" + +inherit pypi setuptools3 + +RDEPENDS_${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb index f4625b182..47fbae49f 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb @@ -23,9 +23,9 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \ S = "${WORKDIR}/git" LEAD_SONAME = "libclamav.so" -SO_VER = "9.0.2" +SO_VER = "9.0.4" -inherit autotools pkgconfig useradd systemd +inherit autotools pkgconfig useradd systemd multilib_header multilib_script CLAMAV_UID ?= "clamav" CLAMAV_GID ?= "clamav" @@ -45,6 +45,8 @@ PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, b PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, " PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " +MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config ${PN}-cvd:${localstatedir}/lib/clamav/mirrors.dat" + EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \ --disable-mempool \ --program-prefix="" \ @@ -87,12 +89,15 @@ do_install_append_class-target () { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so - install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf fi + oe_multilib_header clamav-types.h } pkg_postinst_ontarget_${PN} () { diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index e9accb56f..0290cae2e 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb @@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel" RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" FILES_${PN} += "/run/lock/subsys/bastille" -inherit module-base - SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ file://FileContent.pm \ diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index d8cd06f8d..4a99b5af4 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -16,6 +16,7 @@ SRC_URI = "\ file://ecryptfs-utils-CVE-2016-6224.patch \ file://0001-avoid-race-condition.patch \ file://ecryptfs.service \ + file://define_musl_sword_type.patch \ " SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd" diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch new file mode 100644 index 000000000..3b29be038 --- /dev/null +++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch @@ -0,0 +1,15 @@ +Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c +=================================================================== +--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c ++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c +@@ -45,6 +45,10 @@ + #include <values.h> + #include "../include/ecryptfs.h" + ++#ifndef __SWORD_TYPE ++typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE; ++#endif ++ + /* Perhaps a future version of this program will allow these to be configurable + * by the system administrator (or user?) at run time. For now, these are set + * to reasonable values to reduce the burden of input validation. diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb deleted file mode 100644 index c71d7267d..000000000 --- a/meta-security/recipes-security/images/security-test-image.bb +++ /dev/null @@ -1,33 +0,0 @@ -DESCRIPTION = "A small image for testing meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" - -INSTALL_CLAMAV_CVD = "1" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security-ptest \ - clamav \ - tripwire \ - checksec \ - suricata \ - samhain-standalone \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ - os-release \ - " - - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-test-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb new file mode 100644 index 000000000..f993bd65e --- /dev/null +++ b/meta-security/recipes-security/libest/libest_3.2.0.bb @@ -0,0 +1,27 @@ +SUMMARY = "EST is used for secure certificate \ +enrollment and is compatible with Suite B certs (as well as RSA \ +and DSA certificates)" + +LICENSE = "OpenSSL" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885" + +SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b" +SRC_URI = "git://github.com/cisco/libest" + +DEPENDS = "openssl" + +#fatal error: execinfo.h: No such file or directory +DEPENDS_append_libc-musl = " libexecinfo" + +inherit autotools-brokensep + +EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}" + +CFLAGS += "-fcommon" +LDFLAGS_append_libc-musl = " -lexecinfo" + +S = "${WORKDIR}/git" + +PACKAGES = "${PN} ${PN}-dbg ${PN}-dev" + +FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so" diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch new file mode 100644 index 000000000..7d17a038a --- /dev/null +++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch @@ -0,0 +1,49 @@ +Backport patch to fix cross compile error for mips: + +| syscalls.h:44:6: error: expected identifier or '(' before numeric constant +| 44 | int mips; +| | ^~~~ + +Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001 +From: Paul Moore <paul@paul-moore.com> +Date: Sun, 2 Aug 2020 09:57:39 -0400 +Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS + targets + +It turns out that the MIPS GCC compiler defines a "mips" cpp macro +which was resulting in build failures on MIPS so we need to +undefine the "mips" macro during build. As this should be safe +to do in all architectures, just add it to the compiler flags by +default. + +This was reported in the following GH issue: +* https://github.com/seccomp/libseccomp/issues/274 + +Reported-by: Rongwei Zhang <pudh4418@gmail.com> +Suggested-by: Rongwei Zhang <pudh4418@gmail.com> +Signed-off-by: Paul Moore <paul@paul-moore.com> +--- + configure.ac | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 40d9dcbb..3e877348 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + + dnl #### + dnl build flags ++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it ++dnl for us which wreaks havoc on the build + dnl #### + AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include" +-AM_CFLAGS="-Wall" ++AM_CFLAGS="-Wall -Umips" + AM_LDFLAGS="-Wl,-z -Wl,relro" + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST([AM_CFLAGS]) diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb index 9ca41e650..0cf2d70b8 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb @@ -4,18 +4,23 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" +DEPENDS += "gperf-native" -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ +SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1" + +SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \ file://run-ptest \ + file://fix-mips-build-failure.patch \ " +COMPATIBLE_HOST_riscv32 = "null" + S = "${WORKDIR}/git" inherit autotools-brokensep pkgconfig ptest PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3" DISABLE_STATIC = "" @@ -40,4 +45,4 @@ do_install_ptest() { FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" -RDEPENDS_${PN}-ptest = "bash" +RDEPENDS_${PN}-ptest = "coreutils bash" diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb new file mode 100644 index 000000000..eb6b7eb33 --- /dev/null +++ b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb @@ -0,0 +1,40 @@ +SUMMARY = "identity, multifactor authentication (OTP), authorization, audit" +DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications." + +HOMEPAGE = "http://www.privacyidea.org/" +LICENSE = "AGPL-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55" + +PYPI_PACKAGE = "privacyIDEA" +SRC_URI[sha256sum] = "55fbdd0fdc8957f7fc5b8900453fd9dc294860bae218e53e7fe394d93f982518" + +inherit pypi setuptools3 + +do_install_append () { + #install ${D}/var/log/privacyidea + + rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests +} + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "--system privacyidea" +USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ + --shell /bin/false privacyidea" + +FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" + +RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils" + +RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt" +RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" +RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" +RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate" +RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned" +RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress" +RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako" +RDEPENDS_${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow" +RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" +RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" +RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" +RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " +RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch new file mode 100644 index 000000000..da0bcfe74 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch @@ -0,0 +1,25 @@ +format not a string literal and no format arguments + +missing module_str in call + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security] +| 192 | ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds); +| | ^~~~~~~~~~~~~~~~~~~~~~~~ + + +Index: git/enforcer/src/keystate/keystate_ds.c +=================================================================== +--- git.orig/enforcer/src/keystate/keystate_ds.c ++++ git/enforcer/src/keystate/keystate_ds.c +@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw + status = 0; + } + else { +- ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds); ++ ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds); + status = 7; + } + } diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch new file mode 100644 index 000000000..126e197f3 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch @@ -0,0 +1,217 @@ +Configure does not work with OE pkg-config for the ldns option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: opendnssec-2.1.6/m4/acx_ldns.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_ldns.m4 ++++ opendnssec-2.1.6/m4/acx_ldns.m4 +@@ -1,128 +1,65 @@ +-AC_DEFUN([ACX_LDNS],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- LIBS="$LIBS $LDNS_LIBS" +- +- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])]) +- LIBS=$tmp_LIBS +- +- AC_MSG_CHECKING([for ldns version]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include <ldns/ldns.h> +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION >= $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([>= $1.$2.$3]) +- ],[ +- AC_MSG_RESULT([< $1.$2.$3]) +- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)]) +- ],[]) +- AC_LANG_POP([C]) ++#serial 11 + +- CPPFLAGS=$tmp_CPPFLAGS +- +- AC_SUBST(LDNS_INCLUDES) +- AC_SUBST(LDNS_LIBS) +-]) +- +- +-AC_DEFUN([ACX_LDNS_NOT],[ +- AC_ARG_WITH(ldns, +- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])], +- [ +- LDNS_PATH="$withval" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin) +- ],[ +- LDNS_PATH="/usr/local" +- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH) +- ]) +- +- if test -x "$LDNS_CONFIG" +- then +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="`$LDNS_CONFIG --libs`" +- AC_MSG_RESULT($LDNS_LIBS) +- else +- AC_MSG_CHECKING(what are the ldns includes) +- LDNS_INCLUDES="-I$LDNS_PATH/include" +- AC_MSG_RESULT($LDNS_INCLUDES) +- +- AC_MSG_CHECKING(what are the ldns libs) +- LDNS_LIBS="-L$LDNS_PATH/lib -lldns" +- AC_MSG_RESULT($LDNS_LIBS) +- fi +- +- tmp_CPPFLAGS=$CPPFLAGS +- +- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES" +- +- AC_MSG_CHECKING([for ldns version not $1.$2.$3]) +- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3) +- AC_LANG_PUSH([C]) +- AC_RUN_IFELSE([ +- AC_LANG_SOURCE([[ +- #include <ldns/ldns.h> +- int main() +- { +- #ifdef LDNS_REVISION +- if (LDNS_REVISION != $CHECK_LDNS_VERSION) +- return 0; +- #endif +- return 1; +- } +- ]]) +- ],[ +- AC_MSG_RESULT([ok]) +- ],[ +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4]) +- ],[]) +- AC_LANG_POP([C]) +- +- CPPFLAGS=$tmp_CPPFLAGS ++AU_ALIAS([CHECK_LDNS], [ACX_LDNS]) ++AC_DEFUN([ACX_LDNS], [ ++ found=false ++ AC_ARG_WITH([ldns], ++ [AS_HELP_STRING([--with-ldns=DIR], ++ [root of the lnds directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-lnds value]) ++ ;; ++ *) ldnsdirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and lnds has installed a .pc file, ++ # then use that information and don't search ldnsdirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test x"$PKG_CONFIG" != x""; then ++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null` ++ if test $? = 0; then ++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null` ++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi ++ ++ # no such luck; use some default ldnsdirs ++ if ! $found; then ++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ if ! $found; then ++ LDNS_INCLUDES= ++ for ldnsdir in $ldnsdirs; do ++ AC_MSG_CHECKING([for LDNS in $ldnsdir]) ++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then ++ LDNS_INCLUDES="-I$ldnsdir/include" ++ LDNS_LDFLAGS="-L$ldnsdir/lib" ++ LDNS_LIBS="-lldns" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" ++ LIBS="$LDNS_LIBS $LIBS" ++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST([LDNS_INCLUDES]) ++ AC_SUBST([LDNS_LIBS]) ++ AC_SUBST([LDNS_LDFLAGS]) + ]) +Index: opendnssec-2.1.6/configure.ac +=================================================================== +--- opendnssec-2.1.6.orig/configure.ac ++++ opendnssec-2.1.6/configure.ac +@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_ + + # common dependencies + ACX_LIBXML2 +-ACX_LDNS(1,6,17) +-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html]) +-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html]) ++ACX_LDNS(1.6.17) + ACX_PKCS11_MODULES + ACX_RT + ACX_LIBC diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch new file mode 100644 index 000000000..b4ed4306d --- /dev/null +++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch @@ -0,0 +1,112 @@ +configure does not work with OE pkg-config for the libxml2 option + +Upstream-Status: OE specific + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Index: opendnssec-2.1.6/m4/acx_libxml2.m4 +=================================================================== +--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4 ++++ opendnssec-2.1.6/m4/acx_libxml2.m4 +@@ -1,37 +1,67 @@ ++#serial 11 ++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2]) + AC_DEFUN([ACX_LIBXML2],[ +- AC_ARG_WITH(libxml2, +- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])], +- [ +- XML2_PATH="$withval" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin) +- ],[ +- XML2_PATH="/usr/local" +- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH) +- ]) +- if test -x "$XML2_CONFIG" +- then +- AC_MSG_CHECKING(what are the xml2 includes) +- XML2_INCLUDES="`$XML2_CONFIG --cflags`" +- AC_MSG_RESULT($XML2_INCLUDES) +- +- AC_MSG_CHECKING(what are the xml2 libs) +- XML2_LIBS="`$XML2_CONFIG --libs`" +- AC_MSG_RESULT($XML2_LIBS) +- +- tmp_CPPFLAGS=$CPPFLAGS +- tmp_LIBS=$LIBS +- +- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES" +- LIBS="$LIBS $XML2_LIBS" +- +- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])]) +- +- CPPFLAGS=$tmp_CPPFLAGS +- LIBS=$tmp_LIBS +- else +- AC_MSG_ERROR([libxml2 required, but not found.]) +- fi ++ found=false ++ AC_ARG_WITH([libxml2], ++ [AS_HELP_STRING([--with-libxml2=DIR], ++ [root of the libxml directory])], ++ [ ++ case "$withval" in ++ "" | y | ye | yes | n | no) ++ AC_MSG_ERROR([Invalid --with-libxml2 value]) ++ ;; ++ *) xml2dirs="$withval" ++ ;; ++ esac ++ ], [ ++ # if pkg-config is installed and openssl has installed a .pc file, ++ # then use that information and don't search ssldirs ++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) ++ if test x"$PKG_CONFIG" != x""; then ++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null` ++ if test $? = 0; then ++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null` ++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null` ++ found=true ++ fi ++ fi + +- AC_SUBST(XML2_INCLUDES) +- AC_SUBST(XML2_LIBS) ++ # no such luck; use some default ssldirs ++ if ! $found; then ++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr" ++ fi ++ ] ++ ) ++ ++ ++ # note that we #include <libxml/tree.h>, so the libxml2 headers have to be in ++ # an 'libxml' subdirectory ++ ++ if ! $found; then ++ XML2_INCLUDES= ++ for xml2dir in $xml2dirs; do ++ AC_MSG_CHECKING([for XML2 in $xml2dir]) ++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then ++ XML2_INCLUDES="-I$xml2dir/include/libxml2" ++ XML2_LDFLAGS="-L$xml2dir/lib" ++ XML2_LIBS="-lxml2" ++ found=true ++ AC_MSG_RESULT([yes]) ++ break ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ done ++ ++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe ++ # it will just work! ++ fi ++ ++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS" ++ LIBS="$XML2_LIBS $LIBS" ++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS" ++ ++ AC_SUBST(XML2_INCLUDES) ++ AC_SUBST(XML2_LIBS) ++ AC_SUBST(XML2_LDFLAGS) + ]) diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb new file mode 100644 index 000000000..5e42ca8f7 --- /dev/null +++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb @@ -0,0 +1,37 @@ +SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937" + +DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml " + +SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop \ + file://libxml2_conf.patch \ + file://libdns_conf_fix.patch \ + file://fix_fprint.patch \ + " + +SRCREV = "5876bccb38428790e2e9afc806ca68b029879874" + +inherit autotools pkgconfig perlnative + +S = "${WORKDIR}/git" + +EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \ + --with-ssl=${STAGING_DIR_HOST}/usr " + +CFLAGS += "-fcommon" + +PACKAGECONFIG ?= "sqlite3" + +PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit," +PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3" +PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb" +PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline" +PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind" + +do_install_append () { + rm -rf ${D}${localstatedir}/run +} + +RDEPENDS_${PN} = "softhsm" diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb deleted file mode 100644 index 83a9ed83e..000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb +++ /dev/null @@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb new file mode 100644 index 000000000..74e837aa5 --- /dev/null +++ b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb @@ -0,0 +1,30 @@ +SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface." +HOMEPAGE = "www.opendnssec.org" + +LICENSE = "BSD" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210" + +DEPENDS = "sqlite3" + +SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz" +SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2" + +inherit autotools pkgconfig siteinfo + +EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr" +EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}" + +PACKAGECONFIG ?= "pk11 openssl" + +PACKAGECONFIG[npm] = ",--disable-non-paged-memory" +PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc" +PACKAGECONFIG[gost] = "--enable-gost,--disable-gost" +PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa" +PACKAGECONFIG[fips] = "--enable-fips, --disable-fips" +PACKAGECONFIG[notvisable] = "--disable-visibility" +PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl" +PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan" +PACKAGECONFIG[migrate] = "--with-migrate" +PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit" + +RDEPENDS_${PN} = "sqlite3" diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch new file mode 100644 index 000000000..b64670c17 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch @@ -0,0 +1,34 @@ +From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com> +Date: Fri, 21 Aug 2020 14:45:10 +0200 +Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AC_CHECK_FILE does not support cross-compilation, and will only check +the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead, +to allow building manpages when cross-compiling. + +Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289] +Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com> +--- + src/external/docbook.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/external/docbook.m4 b/src/external/docbook.m4 +index deb8632fa..acdc89a68 100644 +--- a/src/external/docbook.m4 ++++ b/src/external/docbook.m4 +@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and + dnl if a particular URI appears in the XML catalog + AC_DEFUN([CHECK_STYLESHEET], + [ +- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])]) ++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])]) + + AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog]) + if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then +-- +2.26.1 + diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch new file mode 100644 index 000000000..c319269e9 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch @@ -0,0 +1,78 @@ +From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com> +Date: Thu, 27 Feb 2020 06:50:40 +0100 +Subject: [PATCH] nss: Collision with external nss symbol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +One of our internal static function names started +to collide with external nss symbol. Additional +sss_ suffix was added to avoid the collision. + +This is needed to unblock Fedora Rawhide's +SSSD build. + +Reviewed-by: Pavel Březina <pbrezina@redhat.com> + +Upstream-Status: Backport [https://github.com/SSSD/sssd.git] +Signed-off-by: Hongxu.jia@windriver.com +Signed-off-by: Qi.Chen@windriver.com +--- + src/responder/nss/nss_cmd.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c +index 25e663ed5..a4d4cfc0b 100644 +--- a/src/responder/nss/nss_cmd.c ++++ b/src/responder/nss/nss_cmd.c +@@ -728,11 +728,13 @@ done: + talloc_free(cmd_ctx); + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq); ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq); + +-static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, +- enum cache_req_type type, +- nss_protocol_fill_packet_fn fill_fn) ++/* This function's name started to collide with external nss symbol, ++ * so it has additional sss_* prefix unlike other functions here. */ ++static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, ++ enum cache_req_type type, ++ nss_protocol_fill_packet_fn fill_fn) + { + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; +@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, + goto done; + } + +- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); ++ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); + + ret = EOK; + +@@ -787,7 +789,7 @@ done: + return EOK; + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq) ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq) + { + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; +@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) + + static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) + { +- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, +- nss_protocol_fill_setnetgrent); ++ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, ++ nss_protocol_fill_setnetgrent); + } + + static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) +-- +2.21.0 + diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch new file mode 100644 index 000000000..1a2233209 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch @@ -0,0 +1,32 @@ +From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Thu, 8 Oct 2020 05:54:13 -0700 +Subject: [PATCH] Provide missing defines which otherwise are available on + glibc system headers + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upsteam-Status: Pending + +--- + src/util/util.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/util/util.h b/src/util/util.h +index 8a754dbfd..6e55b4bdc 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -76,6 +76,10 @@ + #define MAX(a, b) (((a) > (b)) ? (a) : (b)) + #endif + ++#ifndef ALLPERMS ++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */ ++#endif ++ + #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS + + #define SSSD_SERVER_OPTS(uid, gid) \ +-- +2.17.1 + diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb index 7ea1586bd..9784ec77d 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.5.bb @@ -6,7 +6,9 @@ LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" -DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" +DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" + +DEPENDS_append_libc-musl = " musl-nscd" # If no crypto has been selected, default to DEPEND on nss, since that's what # sssd will pick if no active choice is made during configure @@ -17,10 +19,12 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ file://sssd.conf \ file://volatiles.99_sssd \ file://fix-ldblibdir.patch \ + file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ + file://0001-nss-Collision-with-external-nss-symbol.patch \ + file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \ " -SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" -SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959" +SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0" inherit autotools pkgconfig gettext python3-dir features_check systemd @@ -39,10 +43,9 @@ PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" -PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson" -PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2" +PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no" +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," @@ -60,6 +63,8 @@ EXTRA_OECONF += " \ --without-python2-bindings \ --enable-pammoddir=${base_libdir}/security \ --without-python2-bindings \ + --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ " do_configure_prepend() { @@ -85,6 +90,7 @@ do_install () { # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run + rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* } pkg_postinst_ontarget_${PN} () { @@ -109,8 +115,6 @@ SYSTEMD_SERVICE_${PN} = " \ sssd-pam-priv.socket \ sssd-pam.service \ sssd-pam.socket \ - sssd-secrets.service \ - sssd-secrets.socket \ sssd.service \ " SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-security/scripts/ci-cleanup.sh b/meta-security/scripts/ci-cleanup.sh new file mode 100755 index 000000000..df3b68f98 --- /dev/null +++ b/meta-security/scripts/ci-cleanup.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +set -e + +export SSTATE_CACHE_DIR=/home/srv/sstate/master + +./poky/scripts/sstate-cache-management.sh -d -y diff --git a/meta-security/scripts/upload-error-report b/meta-security/scripts/upload-error-report new file mode 100755 index 000000000..56bd24e47 --- /dev/null +++ b/meta-security/scripts/upload-error-report @@ -0,0 +1,26 @@ +#!/bin/bash + +ERR_REPORT_USERNAME=$1 +ERR_REPORT_EMAIL=$2 +BUILDDIR=$3 + +shift +shift +shift + +if [ ! -e $BUILDDIR ]; then + exit 0 +fi + +cd $BUILDDIR/../poky + +if [ -d $BUILDDIR/tmp/log/error-report/ ]; then + echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error + echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error + + . ./oe-init-build-env $BUILDDIR + + for x in `ls $BUILDDIR/tmp/log/error-report/ | grep error_report_`; do + send-error-report -y tmp/log/error-report/$x + done +fi diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in index cd1702e1b..658018bac 100644 --- a/meta-security/wic/beaglebone-yocto-verity.wks.in +++ b/meta-security/wic/beaglebone-yocto-verity.wks.in @@ -11,5 +11,5 @@ # This .wks only works with the dm-verity-img class. part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid -part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" +part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" bootloader --append="console=ttyS0,115200" diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in new file mode 100644 index 000000000..ef114cab0 --- /dev/null +++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in @@ -0,0 +1,15 @@ +# A dm-verity variant of the regular wks for IA machines. We need to fetch +# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will +# not recreate the exact block device corresponding with the hash tree. We must +# not alter the label or any other setting on the image. +# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file +# +# This .wks only works with the dm-verity-img class. + +part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid + +part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid + +part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid + +bootloader --ptable gpt --timeout=5 --append=" " |