Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/classes/dm-verity-img.bbclass4
-rw-r--r--meta-security/classes/sanity-meta-security.bbclass2
-rw-r--r--meta-security/conf/layer.conf4
-rw-r--r--meta-security/kas/kas-security-base.yml13
-rw-r--r--meta-security/kas/kas-security-dm.yml1
-rw-r--r--meta-security/kas/kas-security-parsec.yml4
-rw-r--r--meta-security/meta-hardening/README6
-rw-r--r--meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb11
-rw-r--r--meta-security/meta-integrity/classes/kernel-modsign.bbclass2
-rw-r--r--meta-security/meta-parsec/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/README8
-rw-r--r--meta-security/recipes-ids/suricata/files/fixup.patch (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch)0
-rw-r--r--meta-security/recipes-ids/suricata/files/run-ptest (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest)0
-rw-r--r--meta-security/recipes-ids/suricata/files/suricata.service (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service)0
-rw-r--r--meta-security/recipes-ids/suricata/files/suricata.yaml (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml)0
-rw-r--r--meta-security/recipes-ids/suricata/files/tmpfiles.suricata (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata)0
-rw-r--r--meta-security/recipes-ids/suricata/files/volatiles.03_suricata (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata)0
-rw-r--r--meta-security/recipes-ids/suricata/libhtp_0.5.38.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb)0
-rw-r--r--meta-security/recipes-ids/suricata/suricata.inc (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc)0
-rw-r--r--meta-security/recipes-ids/suricata/suricata_6.0.3.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb)0
-rw-r--r--meta-security/recipes-security/cryfs/cryfs_0.10.3.bb10
-rw-r--r--meta-security/recipes-security/krill/files/panic_workaround.patch (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch)0
-rw-r--r--meta-security/recipes-security/krill/krill.inc (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc)0
-rw-r--r--meta-security/recipes-security/krill/krill_0.9.1.bb (renamed from meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb)0
24 files changed, 32 insertions, 35 deletions
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 16d395b55..a0950dabd 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -63,8 +63,8 @@ verity_setup() {
VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
IMAGE_TYPES += "${VERITY_TYPES}"
CONVERSIONTYPES += "verity"
-CONVERSION_CMD_verity = "verity_setup ${type}"
-CONVERSION_DEPENDS_verity = "cryptsetup-native"
+CONVERSION_CMD:verity = "verity_setup ${type}"
+CONVERSION_DEPENDS:verity = "cryptsetup-native"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
diff --git a/meta-security/classes/sanity-meta-security.bbclass b/meta-security/classes/sanity-meta-security.bbclass
index b6c6b9cb5..f9e26984f 100644
--- a/meta-security/classes/sanity-meta-security.bbclass
+++ b/meta-security/classes/sanity-meta-security.bbclass
@@ -1,7 +1,7 @@
addhandler security_bbappend_distrocheck
security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
python security_bbappend_distrocheck() {
- skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+ skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1"
if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
bb.warn("You have included the meta-security layer, but \
'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index cdcfaeec7..ad9da560f 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -16,7 +16,3 @@ LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer met
# Sanity check for meta-security layer.
# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
INHERIT += "sanity-meta-security"
-
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
-"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index b9ce493be..3bf46dbf0 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -1,5 +1,5 @@
header:
- version: 8
+ version: 9
distro: poky
@@ -30,15 +30,9 @@ repos:
meta-networking:
meta-filesystems:
- meta-rust:
- url: https://github.com/meta-rust/meta-rust.git
- refspec: master
-
-
-
local_conf_header:
base: |
- CONF_VERSION = "1"
+ CONF_VERSION = "2"
SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
BB_HASHSERVE = "auto"
@@ -57,7 +51,7 @@ local_conf_header:
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
PACKAGE_CLASSES = "package_ipk"
- DISTRO_FEATURES:append = " pam apparmor smack ima"
+ DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"
MACHINE_FEATURES:append = " tpm tpm2"
diskmon: |
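Review bot: The new `DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2"` line sits directly under `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"`, with nothing to mark this file as test-only. The same local.conf fragment therefore turns on the security features while keeping an image feature that permits passwordless root login. That is reasonable for CI, but someone copying the kas file as a starting point would inherit it unnoticed. A comment inside the `base: |` block would cover it, for example `# CI/test only: debug-tweaks allows passwordless root login; remove it for deployable images`. The `local_conf_header` block starts outside this hunk.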
@@ -73,7 +67,6 @@ local_conf_header:
bblayers_conf_header:
base: |
- POKY_BBLAYERS_CONF_VERSION = "2"
BBPATH = "${TOPDIR}"
BBFILES ?= ""
diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml
index 7ce0e9d72..c03b3361e 100644
--- a/meta-security/kas/kas-security-dm.yml
+++ b/meta-security/kas/kas-security-dm.yml
@@ -5,6 +5,7 @@ header:
local_conf_header:
dm-verify: |
+ DISTRO_FEATURES:append = " integrity"
DM_VERITY_IMAGE = "core-image-minimal"
DM_VERITY_IMAGE_TYPE = "ext4"
IMAGE_CLASSES += "dm-verity-img"
diff --git a/meta-security/kas/kas-security-parsec.yml b/meta-security/kas/kas-security-parsec.yml
index 22ef5dd82..9a009be14 100644
--- a/meta-security/kas/kas-security-parsec.yml
+++ b/meta-security/kas/kas-security-parsec.yml
@@ -8,10 +8,6 @@ repos:
layers:
meta-parsec:
- meta-rust:
- url: https://github.com/meta-rust/meta-rust.git
- refspec: master
-
meta-clang:
url: https://github.com/kraj/meta-clang.git
refspec: master
diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README
index 37a0b7ec8..191253c66 100644
--- a/meta-security/meta-hardening/README
+++ b/meta-security/meta-hardening/README
@@ -64,14 +64,14 @@ layers: meta-oe
Maintenance
-----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-hardening][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
index c35c2577e..38771cdfb 100644
--- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
+++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -10,7 +10,8 @@ LICENSE = "MIT"
IMAGE_ROOTFS_SIZE ?= "8192"
-inherit core-image extrausers
+inherit core-image
+IMAGE_CLASSES:append = " extrausers"
ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
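Review bot: `IMAGE_CLASSES:append = " extrausers"` is placed after `inherit core-image`, which may be too late for the class to be pulled in. As far as I can tell the image classes expand `IMAGE_CLASSES` when the `inherit` line is parsed (image.bbclass is not visible here, so this needs confirming). If extrausers is not inherited, the `EXTRA_USERS_PARAMS` settings below are silently ignored, and the image is built without the root lock/password and admin account this recipe is meant to configure. Consider moving the assignment above the inherit, or keeping `inherit core-image extrausers`, and verify by inspecting `/etc/shadow` in the generated rootfs.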
@@ -19,7 +20,7 @@ DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
-EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
-EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
-EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
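Review bot: The converted `usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}'` line still sets a clear-text password whose `?=` default (`1SimplePw!`, visible in the context lines) is published in this recipe. Any image built without overriding it ships a known admin credential, and the same applies to `ROOT_DEFAULT_PASSWORD` in the first `EXTRA_USERS_PARAMS` assignment. The expanded value is also likely to appear in build logs. Prefer `usermod -p` with a pre-computed hash supplied from local configuration. At minimum add a comment such as `# Example credentials only: override ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD before building a deployable image`.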
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
index cf5d3ebe2..093c3585e 100644
--- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -2,7 +2,7 @@
# set explicitly in a local.conf before activating kernel-modsign.
# To use the insecure (because public) example keys, use
# MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
-MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET"
+MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"
# Private key for modules signing. The default is okay when
# using the example key directory.
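Review bot: The comment above `MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET"` does not mention that this is now a weak default. Any `?=` or `=` assignment elsewhere, including one pointing at the public debug-keys directory, takes precedence without any message. I would extend the comment, for example `# Weak default (??=): any other assignment overrides it. The debug-keys are public; never ship modules signed with them.` The hunk does not show whether the class fails the build when the placeholder is still in effect. If no such check exists further down, a parse-time error for `MODSIGN_KEY_DIR_NOT_SET` would be a useful addition.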
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 86d41b22b..2eeb71b0f 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -10,5 +10,5 @@ BBFILE_PRIORITY_parsec-layer = "5"
LAYERSERIES_COMPAT_parsec-layer = "honister"
-LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer"
+LAYERDEPENDS_parsec-layer = "core clang-layer tpm-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README
index 4441dd293..5722a92ab 100644
--- a/meta-security/meta-tpm/README
+++ b/meta-security/meta-tpm/README
@@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need
to have 'tpm' in DISTRO_FEATURES to have effect.
To enable them, add in configuration file the following line.
- DISTRO_FEATURES:append = " tmp"
+ DISTRO_FEATURES:append = " tpm"
If meta-tpm is included, but tpm is not enabled as a
distro feature a warning is printed at parse time:
@@ -57,14 +57,14 @@ other layers needed. e.g.:
Maintenance
-----------
-Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/recipes-ids/suricata/files/fixup.patch
index fc44ce68f..fc44ce68f 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ b/meta-security/recipes-ids/suricata/files/fixup.patch
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest
index 666ba9c95..666ba9c95 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ b/meta-security/recipes-ids/suricata/files/run-ptest
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service
index a99a76ef8..a99a76ef8 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ b/meta-security/recipes-ids/suricata/files/suricata.service
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml
index 8d06a2744..8d06a2744 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ b/meta-security/recipes-ids/suricata/files/suricata.yaml
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
index fbf37848e..fbf37848e 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
index 4627bd3b0..4627bd3b0 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb
index 2a0c93ccc..2a0c93ccc 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 5754617fb..5754617fb 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb
index ca9e03e32..ca9e03e32 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb
+++ b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb
diff --git a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
new file mode 100644
index 000000000..74f32a495
--- /dev/null
+++ b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
@@ -0,0 +1,10 @@
+SUMMARY = "CryFS encrypts your files, so you can safely store them anywhere."
+HOMEDIR = "https://www.cryfs.org"
+
+LICENSE = "LGPL-3.0"
+FILE_CHK_SUM = "file://;md5=12345"
+
+SRC_URI = "https://github.com/${BPN}/${BPN}.git"
+SRCREV = "0f83a1ab7e5ca9f37f97bc57b20d3fab0f351d11"
+
+inherit cmake
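Review bot: As added, this recipe does not pin or verify its source. `SRC_URI` uses the plain `https://` fetcher, so `SRCREV` has no effect as far as I can tell, and there is no `SRC_URI` checksum. `HOMEDIR` and `FILE_CHK_SUM` are not names OE recognises (the standard variables are `HOMEPAGE` and `LIC_FILES_CHKSUM`), and `md5=12345` with an empty `file://` path is a placeholder rather than a licence checksum. For a recipe that packages an encryption tool, the fetch should go through the git fetcher so the commit hash is enforced, and the licence file should be checked for real. If this is only a stub, it is better left out of the layer until it builds. The values in angle brackets below are placeholders to fill in from the upstream tree.
```bitbake
# … unchanged: SUMMARY …
HOMEPAGE = "https://www.cryfs.org"
# … unchanged: LICENSE …
LIC_FILES_CHKSUM = "file://<license-file>;md5=<md5-of-license-file>"

SRC_URI = "git://github.com/${BPN}/${BPN}.git;protocol=https;branch=<release-branch>"
# … unchanged: SRCREV …
S = "${WORKDIR}/git"
# … unchanged: inherit cmake …
```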
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch b/meta-security/recipes-security/krill/files/panic_workaround.patch
index 9b08cb5ce..9b08cb5ce 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch
+++ b/meta-security/recipes-security/krill/files/panic_workaround.patch
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc b/meta-security/recipes-security/krill/krill.inc
index f86468b96..f86468b96 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc
+++ b/meta-security/recipes-security/krill/krill.inc
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb b/meta-security/recipes-security/krill/krill_0.9.1.bb
index 4dc61cfb3..4dc61cfb3 100644
--- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb
+++ b/meta-security/recipes-security/krill/krill_0.9.1.bb