From 064f75b35a14f3bd6e99ce65a7f7609b973036d5 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Sat, 27 Jun 2020 00:14:46 -0500 Subject: meta-security: subtree update:95fe86eb98..7831969f8c Alexander Kanavin (1): apparmor: pull in coreutils/findutils only when not using systemd as init manager Armin Kuster (7): tpm2-tools: update to 4.1.3 tpm2-tss: update to 2.4.1 tpm2-tss-engine: add branch to SRC_URI & update to tip tpm2-pkcs11: update 1.2.0 libtpm: update to 0.7.2 openscap: update to 1.3.3 tpm2-tcti-uefi: drop patch no longer needed Jeremy Puhlman (2): clamav: resolve multilib issues tripwire: Remove makefiles from the man directories. Kai Kang (1): sssd: disable build secrets 
Signed-off-by: Andrew Geissler Change-Id: I1e19d2563541504bcf89f1f70c680bd7e7e62d6c --- .../meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb | 16 ----- .../meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb | 16 +++++ .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb | 21 ------ .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb | 20 ++++++ .../tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch | 23 ------ .../tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 4 +- .../recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb | 17 ----- .../recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb | 13 ++++ .../tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb | 8 +-- .../recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb | 81 ---------------------- .../recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb | 78 +++++++++++++++++++++ 11 files changed, 133 insertions(+), 164 deletions(-) delete mode 100644 meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb (limited to 'meta-security/meta-tpm') diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb deleted file mode 100644 index 4588c8d09..000000000 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.0.bb +++ /dev/null 
@@ -1,16 +0,0 @@
-SUMMARY = "LIBPM - Software TPM Library"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-
-SRCREV = "c26e8f7b08b19a69cea9e8f1f1e6639c7951fb01"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-${PV}"
-
-PE = "1"
-
-S = "${WORKDIR}/git"
-inherit autotools-brokensep pkgconfig perlnative
-
-PACKAGECONFIG ?= "openssl"
-PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb
new file mode 100644
index 000000000..0ade01dd5
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.7.2.bb
@@ -0,0 +1,16 @@
+SUMMARY = "LIBPM - Software TPM Library"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
+
+SRCREV = "7325acb4777f70419fe10a1d9621c2666e977e73"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.7.0"
+
+PE = "1"
+
+S = "${WORKDIR}/git"
+inherit autotools-brokensep pkgconfig perlnative
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
deleted file mode 100644
index 351e03e5b..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb
+++ /dev/null
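Review bot: `SRC_URI` in the new 0.7.2 recipe still fetches over the unauthenticated `git://` transport; the pinned `SRCREV` lets a substituted tree be detected after the fact, but `;protocol=https` removes the cleartext fetch entirely and is what newer bitbake requires anyway, so `SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.7.0;protocol=https"`. The branch also changed from `stable-${PV}` to the literal `stable-0.7.0` while PV moved to 0.7.2, which reads like a leftover unless one knows (as I assume) that libtpms keeps its 0.7.x point releases on that single branch. A one-line comment above `SRC_URI`, `# all 0.7.x point releases live on the stable-0.7.0 branch; do not derive this from ${PV}`, would stop the next version bump from "fixing" it back.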
@@ -1,21 +0,0 @@
-SUMMARY = "A PKCS#11 interface for TPM2 hardware"
-DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
-SECTION = "security/tpm"
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=93645981214b60a02688745c14f93c95"
-
-DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools"
-
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git \
- file://bootstrap_fixup.patch \
- "
-
-SRCREV = "6de3f6f9c6e0a4983f3fb90e35feb34906f8aea7"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig
-
-do_configure_prepend () {
- ${S}/bootstrap
-}
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb
new file mode 100644
index 000000000..ce2dac0a5
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
+
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \
+ file://bootstrap_fixup.patch "
+
+SRCREV = "8d8f137f65f1d61d66cc191947b59c378f23e97d"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+do_configure_prepend () {
+ ${S}/bootstrap
+}
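Review bot: `DEPENDS` lists `autoconf-archive` where the tpm2-tss recipe in this same series uses `autoconf-archive-native`; the AX_* macros are consumed by the host-side autoreconf that `${S}/bootstrap` runs in `do_configure_prepend`, so the target build of autoconf-archive is not what satisfies it and the native variant should be used here, `DEPENDS = "autoconf-archive-native pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml"`. `dstat` in that list is unexplained — a system-statistics tool is an odd build dependency for a PKCS#11 module — and deserves either removal (if nothing in the build needs it) or a comment saying what pulls it in. As with the other git recipes in this update, the `git://` SRC_URI should carry `;protocol=https` so the fetch is authenticated rather than relying only on the pinned `SRCREV`.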
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch deleted file mode 100644 index bc70913e8..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/files/tpm2-get-caps-fixed.patch +++ /dev/null @@ -1,23 +0,0 @@ -Fix defined to match tpm2-tools 4.1.1 - -Upstream-Status: Submitted https://github.com/tpm2-software/tpm2-tcti-uefi/pull/81 -Signed-off-by: Armin Kuster - -Index: git/example/tpm2-get-caps-fixed.c -=================================================================== ---- git.orig/example/tpm2-get-caps-fixed.c -+++ git/example/tpm2-get-caps-fixed.c -@@ -140,11 +140,11 @@ dump_tpm_properties_fixed (TPMS_TAGGED_P - Print (L"TPM2_PT_INPUT_BUFFER:\n" - " value: 0x%X\n", value); - break; -- case TPM2_PT_HR_TRANSIENT_MIN: -+ case TPM2_PT_TPM2_HR_TRANSIENT_MIN: - Print (L"TPM2_PT_TPM2_HR_TRANSIENT_MIN:\n" - " value: 0x%X\n", value); - break; -- case TPM2_PT_HR_PERSISTENT_MIN: -+ case TPM2_PT_TPM2_HR_PERSISTENT_MIN: - Print (L"TPM2_PT_TPM2_HR_PERSISTENT_MIN:\n" - " value: 0x%X\n", value); - break; diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index 67b36b787..a67e3c34d 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb @@ -7,9 +7,9 @@ DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf- SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \ file://configure_oe_fixup.patch \ file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \ - file://tpm2-get-caps-fixed.patch \ file://fix_header_file.patch \ - " +" + SRCREV = "0241b08f069f0fdb3612f5c1b938144dbe9be811" S = "${WORKDIR}/git" 
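Review bot: The patch is dropped while `SRCREV` stays at `0241b08f…`, so the recipe no longer records why `example/tpm2-get-caps-fixed.c` now compiles without the TPM2_PT_HR_* renames; presumably the tpm2-tss 2.4.1 headers bumped in this same update restored the old names, but nothing here says so, and a later tss bump could quietly reintroduce the build break. A comment above `SRCREV`, for example `# example/ builds unpatched against the tpm2-tss >= 2.4 headers (TPM2_PT_HR_* names)`, would anchor that reasoning for the next person touching either recipe. The remaining change in the hunk is only the re-indented closing quote of `SRC_URI`.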
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
deleted file mode 100644
index e90dcfe6e..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.1.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2-tools"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
-SECTION = "tpm"
-
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-
-SRC_URI[md5sum] = "701ae9e8c8cbdd37d89c8ad774f55395"
-SRC_URI[sha256sum] = "40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1"
-SRC_URI[sha1sum] = "d097d321237983435f05c974533ad90e6f20acef"
-SRC_URI[sha384sum] = "396547f400e4f5626d7741d77ec543f312d94e6697899f4c36260d15fab3f4f971ad2c0487e6eaa2d60256f3cf68f85f"
-SRC_URI[sha512sum] = "25952cf947f0acd16b1a8dbd3ac8573bce85ff970a7e24c290c4f9cd29418e77a3e48ac82c932fbd250887a9303ab301ff92db594c2fffaba47b873382444d26"
-
-inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
new file mode 100644
index 000000000..ae01d5e1d
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
@@ -0,0 +1,13 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2-tools"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
+SECTION = "tpm"
+
+DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "bb5d3310620e75468fe33dbd530bd73dd648c70ec707b4579c74d9f63fc82704"
+
+inherit autotools pkgconfig bash-completion
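Review bot: `DEPENDS` in the new 4.1.3 recipe still carries `autoconf-archive` rather than `autoconf-archive-native`; `inherit autotools` runs autoreconf on the build host, so the target-built archive never resolves the AX_* macros, and the tpm2-tss recipe in this same update already uses the native variant — `DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive-native"`. Tightening `LICENSE` from `BSD` to `BSD-3-Clause` with an unchanged `LIC_FILES_CHKSUM` is fine, since the license file itself did not change. Keeping only `sha256sum` for the release tarball is also fine, but `SECTION = "tpm"` now disagrees with the `security/tpm` used by tpm2-pkcs11 and tpm2-tss-engine in this same layer; the layer should settle on one.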
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb
index 3641b1b76..ebd6d539e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.0.1.bb
@@ -1,15 +1,15 @@
 SUMMARY = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL."
 DESCRIPTION = "The tpm2-tss-engine project implements a cryptographic engine for OpenSSL for Trusted Platform Module (TPM 2.0) using the tpm2-tss software stack that follows the Trusted Computing Groups (TCG) TPM Software Stack (TSS 2.0). It uses the Enhanced System API (ESAPI) interface of the TSS 2.0 for downwards communication. It supports RSA decryption and signatures as well as ECDSA signatures."
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=7b3ab643b9ce041de515d1ed092a36d4"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3fb0047fd29391478a71e8e6101c76eb"
 SECTION = "security/tpm"
 DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
-SRCREV = "fdc8f65dfc8bad8b5a3aed181fae338267308f70"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git"
+SRCREV = "24f1383cc6befde44d6f01a51ea653304d844ffd"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.0.x"
 inherit autotools-brokensep pkgconfig systemd
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb
deleted file mode 100644
index 135efed84..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.3.2.bb
+++ /dev/null
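Review bot: `SRCREV` now points at what the commit message calls the tip of the v1.0.x branch while `PV` stays `1.0.1`, so the package version no longer identifies what is built: binary package managers see no upgrade, and version-based CVE matching reports the wrong release. The OE convention for a moving revision is `PV = "1.0.1+git${SRCPV}"` (with the recipe renamed to `_git.bb`), or, if a release is intended, pin `SRCREV` to the v1.0.1 tag instead. The transport should also be authenticated rather than relying on the pinned hash alone: `SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.0.x;protocol=https"`. The `LICENSE`/`LIC_FILES_CHKSUM` change implies upstream swapped the license text between the two revisions; BSD-2 to BSD-3 is a material difference for downstream license review and deserves a sentence in the commit message.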
@@ -1,81 +0,0 @@ -SUMMARY = "Software stack for TPM2." -DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) " -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -SECTION = "tpm" - -DEPENDS = "autoconf-archive-native libgcrypt openssl" - -SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6" - -SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRC_URI[md5sum] = "fb7e6d371959a65dc6d129af81739742" -SRC_URI[sha256sum] = "82929a0611f39246e09202702a61b54c980ab694626c1f5823520ddf75024fa6" -SRC_URI[sha1sum] = "c24ce8b20a8686ada775239389292f6d78020668" -SRC_URI[sha384sum] = "a0c023c024efb6c9906df1e143d692f44433de332b616dc0584c9b4cd4fb0ad544308f291892e91c5a52ef1a4b2abf7f" -SRC_URI[sha512sum] = "7b679b54f3478c3adee5b6c3135cbe491ffd9f4712991f465edbd6c7d2831e5f1537038ec36f288e9545c719d5d167b61116c924cf5d816220615d0b58a1d436" - -inherit autotools pkgconfig systemd extrausers - -PACKAGECONFIG ??= "" -PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " - -EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" -EXTRA_OECONF_remove = " --disable-static" - - -EXTRA_USERS_PARAMS = "\ - useradd -p '' tss; \ - groupadd tss; \ - " - -PROVIDES = "${PACKAGES}" -PACKAGES = " \ - ${PN} \ - ${PN}-dbg \ - ${PN}-doc \ - libtss2-mu \ - libtss2-mu-dev \ - libtss2-mu-staticdev \ - libtss2-tcti-device \ - libtss2-tcti-device-dev \ - libtss2-tcti-device-staticdev \ - libtss2-tcti-mssim \ - libtss2-tcti-mssim-dev \ - libtss2-tcti-mssim-staticdev \ - libtss2 \ - libtss2-dev \ - libtss2-staticdev \ -" - -FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" -FILES_libtss2-tcti-device-dev = " \ - ${includedir}/tss2/tss2_tcti_device.h \ - ${libdir}/pkgconfig/tss2-tcti-device.pc \ - ${libdir}/libtss2-tcti-device.so" -FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" - -FILES_libtss2-tcti-mssim = 
"${libdir}/libtss2-tcti-mssim.so.*" -FILES_libtss2-tcti-mssim-dev = " \ - ${includedir}/tss2/tss2_tcti_mssim.h \ - ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ - ${libdir}/libtss2-tcti-mssim.so" -FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" - -FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" -FILES_libtss2-mu-dev = " \ - ${includedir}/tss2/tss2_mu.h \ - ${libdir}/pkgconfig/tss2-mu.pc \ - ${libdir}/libtss2-mu.so" -FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" - -FILES_libtss2 = "${libdir}/libtss2*so.*" -FILES_libtss2-dev = " \ - ${includedir} \ - ${libdir}/pkgconfig \ - ${libdir}/libtss2*so" -FILES_libtss2-staticdev = "${libdir}/libtss*a" - -FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev" - -RDEPENDS_libtss2 = "libgcrypt" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb new file mode 100644 index 000000000..22b961d1c --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb 
@@ -0,0 +1,78 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) "
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive-native libgcrypt openssl"
+
+SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI[sha256sum] = "58d7afcab9ff3daaafb5316e57d2c211118334b470d5a5bc6ceace6f89a1e60d"
+
+inherit autotools pkgconfig systemd extrausers
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
+
+EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/"
+EXTRA_OECONF_remove = " --disable-static"
+
+
+EXTRA_USERS_PARAMS = "\
+ useradd -p '' tss; \
+ groupadd tss; \
+ "
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+ ${PN} \
+ ${PN}-dbg \
+ ${PN}-doc \
+ libtss2-mu \
+ libtss2-mu-dev \
+ libtss2-mu-staticdev \
+ libtss2-tcti-device \
+ libtss2-tcti-device-dev \
+ libtss2-tcti-device-staticdev \
+ libtss2-tcti-mssim \
+ libtss2-tcti-mssim-dev \
+ libtss2-tcti-mssim-staticdev \
+ libtss2 \
+ libtss2-dev \
+ libtss2-staticdev \
+"
+
+FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
+FILES_libtss2-tcti-device-dev = " \
+ ${includedir}/tss2/tss2_tcti_device.h \
+ ${libdir}/pkgconfig/tss2-tcti-device.pc \
+ ${libdir}/libtss2-tcti-device.so"
+FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
+
+FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
+FILES_libtss2-tcti-mssim-dev = " \
+ ${includedir}/tss2/tss2_tcti_mssim.h \
+ ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
+ ${libdir}/libtss2-tcti-mssim.so"
+FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
+
+FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*"
+FILES_libtss2-mu-dev = " \
+ ${includedir}/tss2/tss2_mu.h \
+ ${libdir}/pkgconfig/tss2-mu.pc \
+ ${libdir}/libtss2-mu.so"
+FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
+
+FILES_libtss2 = "${libdir}/libtss2*so.*"
+FILES_libtss2-dev = " \
+ ${includedir} \
+ ${libdir}/pkgconfig \
+ ${libdir}/libtss2*so"
+FILES_libtss2-staticdev = "${libdir}/libtss*a"
+
+FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev"
+
+RDEPENDS_libtss2 = "libgcrypt"
-- cgit v1.2.3 From 5bea8d8239056487ed7ec39d7b1c319c664dcf68 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 24 Jul 2020 16:10:05 -0500 Subject: meta-security: subtree update:547f552c85..066a04425c Armin Kuster (9): python3-oauth2client: add recipe python3-privacyidea: adding initial support for mfa strongswan: add bbappends for tpm changes layer.conf: add dynamic-layer for strongswan strongswan: Add bbappends for ima changes meta-integrity: add dynamic-layer for strongswan add gitlab framework and qemu machine kas: add ima, tpm and tpm2 build configs drop ci-build: it is hiding errors Jeremy Puhlman (2): cryptsetup-tpm-incubator: RPROVIDES cryptsetup and cryptsetup-dev packagegroup-security-tpm2: Depend on preferred provider for cryptsetup Zheng Ruoqin (2): ccs-tools:Fix build error when enable multilib. bastille: Deleted redundant inherit to fix error when enable multilib. 
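Review bot: `EXTRA_USERS_PARAMS` creates the `tss` account with `useradd -p '' tss`, which leaves an empty password hash in `/etc/shadow`; on login stacks that accept empty passwords (PAM `nullok`, busybox login) that can be a password-less interactive account, and judging from `--with-udevrulesdir` and `FILES_${PN}` it is the account the installed udev rules hand the TPM device to. It should be a system account with no home, a non-login shell and a locked password, created through the `useradd` class rather than `extrausers`: as far as I can tell `extrausers` only acts through image rootfs post-processing, so inheriting it in this library recipe may never create the user at all, after which the udev ownership silently fails. `SRCREV = "a99e733b…"` is carried over from the 2.3.2 recipe although `SRC_URI` is a release tarball; it is dead and now wrong for 2.4.1, so drop it. `PACKAGECONFIG[oxygen]` is presumably a typo for `doxygen` inherited from the old recipe; renaming it would break anyone who set it, so at least comment it.

```bitbake
inherit autotools pkgconfig systemd useradd

# ... unchanged: PACKAGECONFIG, EXTRA_OECONF ...

# Service account the udev rules give the TPM device to: system account,
# no home, no login shell, password locked (no `-p ''`).
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system tss"
USERADD_PARAM_${PN} = "--system --no-create-home --shell /sbin/nologin --gid tss tss"
```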
Signed-off-by: Andrew Geissler Change-Id: I023e45c8080c3d423cd25cc656da5c1f527295e5 --- meta-security/.gitlab-ci.yml | 86 ++++++++++++++++++++++ meta-security/kas/kas-security-base.yml | 57 ++++++++++++++ meta-security/kas/qemuarm.yml | 6 ++ meta-security/kas/qemuarm64-ima.yml | 10 +++ meta-security/kas/qemuarm64-tpm2.yml | 10 +++ meta-security/kas/qemuarm64.yml | 6 ++ meta-security/kas/qemumips64.yml | 6 ++ meta-security/kas/qemuppc.yml | 6 ++ meta-security/kas/qemuriscv64.yml | 6 ++ meta-security/kas/qemux86-64-ima.yml | 10 +++ meta-security/kas/qemux86-64-tpm.yml | 10 +++ meta-security/kas/qemux86-64-tpm2.yml | 10 +++ meta-security/kas/qemux86-64.yml | 6 ++ meta-security/kas/qemux86-ima.yml | 10 +++ meta-security/kas/qemux86.yml | 6 ++ meta-security/meta-integrity/conf/layer.conf | 4 + .../recipes-support/strongswan/strongswan-ima.inc | 61 +++++++++++++++ .../strongswan/strongswan_5.%.bbappend | 1 + meta-security/meta-tpm/conf/layer.conf | 4 + ...01-xfrmi-Only-build-if-libcharon-is-built.patch | 38 ++++++++++ .../recipes-support/strongswan/strongswan-tpm.inc | 12 +++ .../strongswan/strongswan_5.%.bbappend | 1 + .../packagegroup/packagegroup-security-tpm2.bb | 3 +- .../cryptsetup-tpm-incubator_0.9.9.bb | 5 ++ .../recipes-mac/ccs-tools/ccs-tools_1.8.4.bb | 2 +- .../python/python3-oauth2client_4.1.3.bb | 11 +++ .../recipes-security/bastille/bastille_3.2.1.bb | 2 - .../mfa/python3-privacyidea_3.3.bb | 40 ++++++++++ meta-security/scripts/ci-cleanup.sh | 7 ++ 29 files changed, 432 insertions(+), 4 deletions(-) create mode 100644 meta-security/.gitlab-ci.yml create mode 100644 meta-security/kas/kas-security-base.yml create mode 100644 meta-security/kas/qemuarm.yml create mode 100644 meta-security/kas/qemuarm64-ima.yml create mode 100644 meta-security/kas/qemuarm64-tpm2.yml create mode 100644 meta-security/kas/qemuarm64.yml create mode 100644 meta-security/kas/qemumips64.yml create mode 100644 meta-security/kas/qemuppc.yml create mode 100644 
meta-security/kas/qemuriscv64.yml create mode 100644 meta-security/kas/qemux86-64-ima.yml create mode 100644 meta-security/kas/qemux86-64-tpm.yml create mode 100644 meta-security/kas/qemux86-64-tpm2.yml create mode 100644 meta-security/kas/qemux86-64.yml create mode 100644 meta-security/kas/qemux86-ima.yml create mode 100644 meta-security/kas/qemux86.yml create mode 100644 meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc create mode 100644 meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend create mode 100644 meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch create mode 100644 meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc create mode 100644 meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend create mode 100644 meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb create mode 100644 meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb create mode 100755 meta-security/scripts/ci-cleanup.sh (limited to 'meta-security/meta-tpm') diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml new file mode 100644 index 000000000..132eb785c --- /dev/null +++ b/meta-security/.gitlab-ci.yml 
@@ -0,0 +1,86 @@ +stages: + - build + +.build: + stage: build + image: crops/poky + before_script: + - export PATH=~/.local/bin:$PATH + - wget https://bootstrap.pypa.io/get-pip.py + - python3 get-pip.py + - python3 -m pip install kas + - wget -q 'https://downloads.rclone.org/rclone-current-linux-amd64.zip' + - unzip -q rclone-current-linux-amd64.zip + - mv rclone-*-linux-amd64/rclone ~/.local/bin/ + - rm -rf rclone-*-linux-amd64* + after_script: + - rm -rf build + - ./scripts/ci-cleanup.sh + cache: + paths: + - layers + +qemux86: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuppc: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemumips64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuriscv64: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemux86-64-tpm: + extends: .build + script: + - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml + +qemux86-64-tpm2: + extends: .build + script: + - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml + +qemuarm64-tpm2: + extends: .build + script: + - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml + +qemux86-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml + +qemux86-64-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml + +qemuarm64-ima: + extends: .build + script: + - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml 
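Review bot: `before_script` downloads `get-pip.py`, `kas` and `rclone-current-linux-amd64.zip` unpinned and executes or installs them into `PATH` with no checksum or signature check, so the trust root of every CI build — and of the sstate and downloads this pipeline populates — is whatever those three URLs serve on the day. Pin the versions (`python3 -m pip install 'kas==<version>'`, a versioned rclone URL rather than `rclone-current`) and verify the archive before unpacking, e.g. `- echo "<expected-sha256>  rclone-current-linux-amd64.zip" | sha256sum -c -`. `image: crops/poky` is likewise a floating tag; a digest-pinned image would make the jobs reproducible. rclone is installed in every job but none of the visible `script` sections use it, so if it exists only for `scripts/ci-cleanup.sh` a comment next to the download should say so.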
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml new file mode 100644 index 000000000..768390e25 --- /dev/null +++ b/meta-security/kas/kas-security-base.yml @@ -0,0 +1,57 @@ +header: + version: 8 + +distro: poky + +repos: + meta-security: + layers: + ../meta-security: + meta-tpm: + meta-integrity: + meta-security-compliance: + + poky: + url: https://git.yoctoproject.org/git/poky + refspec: master + layers: + meta: + meta-poky: + meta-yocto-bsp: + + meta-openembedded: + url: http://git.openembedded.org/meta-openembedded + refspec: master + layers: + meta-oe: + meta-perl: + meta-python: + meta-networking: + +local_conf_header: + meta-security: | + CONF_VERSION = "1" + SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" + SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" + SSTATE_DIR = "/home/srv/sstate/master" + DL_DIR = "/home/srv/downloads/master" + BB_HASHSERVE = "auto" + BB_SIGNATURE_HANDLER = "OEEquivHash" + + diskmon: | + BB_DISKMON_DIRS = "\ + STOPTASKS,${TMPDIR},1G,100K \ + STOPTASKS,${DL_DIR},1G,100K \ + STOPTASKS,${SSTATE_DIR},1G,100K \ + STOPTASKS,/tmp,100M,100K \ + ABORT,${TMPDIR},100M,1K \ + ABORT,${DL_DIR},100M,1K \ + ABORT,${SSTATE_DIR},100M,1K \ + ABORT,/tmp,10M,1K" + +bblayers_conf_header: + meta-security: | + POKY_BBLAYERS_CONF_VERSION = "2" + BBPATH = "${TOPDIR}" + BBFILES ?= "" + diff --git a/meta-security/kas/qemuarm.yml b/meta-security/kas/qemuarm.yml new file mode 100644 index 000000000..f51abacf0 --- /dev/null +++ b/meta-security/kas/qemuarm.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuarm diff --git a/meta-security/kas/qemuarm64-ima.yml b/meta-security/kas/qemuarm64-ima.yml new file mode 100644 index 000000000..b4784729b --- /dev/null +++ b/meta-security/kas/qemuarm64-ima.yml 
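Review bot: `meta-openembedded` is cloned from `http://git.openembedded.org/...` and both it and poky use `refspec: master`, so each CI run fetches an unpinned layer set over a cleartext transport and no build is reproducible or attributable to a known revision. `SOURCE_MIRROR_URL` and `SSTATE_MIRRORS` are plain `http://` too; as far as I know bitbake does not signature-check sstate archives pulled from a mirror, and those archives contain native tools that execute on the builder, so a cleartext sstate mirror is an on-path code-injection point. Switch the URLs to `https://` where the mirrors offer it (e.g. `url: https://git.openembedded.org/meta-openembedded`) and pin `refspec:` to a commit, or document in the file why a floating master is deliberate for this CI. `SSTATE_DIR`/`DL_DIR` under `/home/srv` are builder-specific paths and deserve a comment stating they are expected to be bind-mounted into the `crops/poky` container.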
@@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml new file mode 100644 index 000000000..3a8d8fc0d --- /dev/null +++ b/meta-security/kas/qemuarm64-tpm2.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm2" + +machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64.yml b/meta-security/kas/qemuarm64.yml new file mode 100644 index 000000000..a0c2d1abb --- /dev/null +++ b/meta-security/kas/qemuarm64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuarm64 diff --git a/meta-security/kas/qemumips64.yml b/meta-security/kas/qemumips64.yml new file mode 100644 index 000000000..64e52f77b --- /dev/null +++ b/meta-security/kas/qemumips64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemumips64 diff --git a/meta-security/kas/qemuppc.yml b/meta-security/kas/qemuppc.yml new file mode 100644 index 000000000..3dad81c27 --- /dev/null +++ b/meta-security/kas/qemuppc.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuppc diff --git a/meta-security/kas/qemuriscv64.yml b/meta-security/kas/qemuriscv64.yml new file mode 100644 index 000000000..e1b1e4947 --- /dev/null +++ b/meta-security/kas/qemuriscv64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemuriscv64 diff --git a/meta-security/kas/qemux86-64-ima.yml b/meta-security/kas/qemux86-64-ima.yml new file mode 100644 index 000000000..e64931c17 --- /dev/null +++ b/meta-security/kas/qemux86-64-ima.yml 
@@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml new file mode 100644 index 000000000..565b42327 --- /dev/null +++ b/meta-security/kas/qemux86-64-tpm.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml new file mode 100644 index 000000000..a43693ee9 --- /dev/null +++ b/meta-security/kas/qemux86-64-tpm2.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " tpm2" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64.yml b/meta-security/kas/qemux86-64.yml new file mode 100644 index 000000000..4ba2b662b --- /dev/null +++ b/meta-security/kas/qemux86-64.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-ima.yml b/meta-security/kas/qemux86-ima.yml new file mode 100644 index 000000000..6528ba620 --- /dev/null +++ b/meta-security/kas/qemux86-ima.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ima" + +machine: qemux86 diff --git a/meta-security/kas/qemux86.yml b/meta-security/kas/qemux86.yml new file mode 100644 index 000000000..83a5353e7 --- /dev/null +++ b/meta-security/kas/qemux86.yml @@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +machine: qemux86 diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index b4edac383..f905b0be4 100644 
--- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -26,3 +26,7 @@ LAYERSERIES_COMPAT_integrity = "dunfell" LAYERDEPENDS_integrity = "core openembedded-layer" BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity" + +BBFILES_DYNAMIC += " \ +networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \ +" diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc new file mode 100644 index 000000000..a45182e51 --- /dev/null +++ b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc 
@@ -0,0 +1,61 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+DEPENDS = "libtspi"
+
+SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
+
+PACKAGECONFIG += " \
+ aikgen \
+ tpm \
+"
+
+PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
+PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
+
+PACKAGECONFIG_ima += "\
+ imc-test \
+ imv-test \
+ imc-scanner \
+ imv-scanner \
+ imc-os \
+ imv-os \
+ imc-attestation \
+ imv-attestation \
+ tnc-ifmap \
+ tnc-imc \
+ tnc-imv \
+ tnc-pdp \
+ tnccs-11 \
+ tnccs-20 \
+ tnccs-dynamic \
+ "
+
+EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
+
+PACKAGECONFIG[imc-test] = "--enable-imc-test,--disable-imc-test,,"
+PACKAGECONFIG[imc-scanner] = "--enable-imc-scanner,--disable-imc-scanner,,"
+PACKAGECONFIG[imc-os] = "--enable-imc-os,--disable-imc-os,,"
+PACKAGECONFIG[imc-attestation] = "--enable-imc-attestation,--disable-imc-attestation,,"
+PACKAGECONFIG[imc-swima] = "--enable-imc-swima, --disable-imc-swima,,"
+PACKAGECONFIG[imc-hcd] = "--enable-imc-hcd, --disable-imc-hcd,,"
+PACKAGECONFIG[tnc-imc] = "--enable-tnc-imc,--disable-tnc-imc,,"
+
+PACKAGECONFIG[imv-test] = "--enable-imv-test,--disable-imv-test,,"
+PACKAGECONFIG[imv-scanner] = "--enable-imv-scanner,--disable-imv-scanner,,"
+PACKAGECONFIG[imv-os] = "--enable-imv-os,--disable-imv-os,,"
+PACKAGECONFIG[imv-attestation] = "--enable-imv-attestation,--disable-imv-attestation,,"
+PACKAGECONFIG[imv-swima] = "--enable-imv-swima, --disable-imv-swima,,"
+PACKAGECONFIG[imv-hcd] = "--enable-imv-hcd, --disable-imv-hcd,,"
+PACKAGECONFIG[tnc-imv] = "--enable-tnc-imv,--disable-tnc-imv,,"
+
+PACKAGECONFIG[tnc-ifmap] = "--enable-tnc-ifmap,--disable-tnc-ifmap,libxml2,"
+PACKAGECONFIG[tnc-pdp] = "--enable-tnc-pdp,--disable-tnc-pdp,,"
+
+PACKAGECONFIG[tnccs-11] = "--enable-tnccs-11,--disable-tnccs-11,libxml2,"
+PACKAGECONFIG[tnccs-20] = "--enable-tnccs-20,--disable-tnccs-20,,"
+PACKAGECONFIG[tnccs-dynamic] = "--enable-tnccs-dynamic,--disable-tnccs-dynamic,,"
+
+#FILES_${PN} += "${libdir}/ipsec/imcvs/*.so ${datadir}/regid.2004-03.org.strongswan"
+#FILES_${PN}-dbg += "${libdir}/ipsec/imcvs/.debug"
+#FILES_${PN}-dev += "${libdir}/ipsec/imcvs/*.la"
+#FILES_${PN}-staticdev += "${libdir}/ipsec/imcvs/*.a"
diff --git a/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
new file mode 100644
index 000000000..4669fd2a1
--- /dev/null
+++ b/meta-security/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'imp', 'strongswan-ima.inc', '', d)}
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index c3372c707..46d0279cc 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -15,3 +15,7 @@ LAYERDEPENDS_tpm-layer = " \
 openembedded-layer \
 "
 BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
+
+BBFILES_DYNAMIC += " \
+networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
+"
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
new file mode 100644
index 000000000..825028222
--- /dev/null
+++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
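Review bot: `DEPENDS = "libtspi"` replaces strongswan's dependency list instead of extending it; this `.inc` is `require`d from a bbappend, i.e. after the base recipe has been parsed, so the plain assignment drops every dependency the recipe declared and leaves only `libtspi` — it must be `DEPENDS += "libtspi"`. `PACKAGECONFIG_ima += "..."` is an `ima` *override*, and nothing visible adds `ima` to OVERRIDES, so as far as I can tell the whole IMC/IMV/TNC list is never applied; gating on the distro feature would be `PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'imc-test imv-test ...', '', d)}"`. The `SRC_URI_append` names a patch that, per the diffstat, this commit adds only under meta-tpm's `files/`, while `FILESEXTRAPATHS_prepend := "${THISDIR}/files:"` here points at a meta-integrity directory the commit does not create, so the fetch fails whenever this include is active; and with both `ima` and `tpm` in DISTRO_FEATURES both includes apply and the same patch is appended twice. The four commented-out `FILES_*` lines are dead code and should be removed or given a comment explaining why they are kept.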
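Review bot: The feature name is `'imp'`, so `strongswan-ima.inc` is never required: the kas configs in this same commit enable `DISTRO_FEATURES_append = " ima"`, the layer is meta-integrity, and the meta-tpm counterpart gates on `'tpm'`, which makes `imp` a typo rather than a deliberate feature. The line should read `require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'strongswan-ima.inc', '', d)}`.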
@@ -0,0 +1,38 @@ +From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner +Date: Tue, 14 Apr 2020 10:44:19 +0200 +Subject: [PATCH] xfrmi: Only build if libcharon is built + +The kernel-netlink plugin is only built if libcharon is. + +Closes strongswan/strongswan#167. + +Upstream-Status: Backport +Signed-off-by: Armin Kuster + +--- + src/Makefile.am | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +Index: strongswan-5.8.4/src/Makefile.am +=================================================================== +--- strongswan-5.8.4.orig/src/Makefile.am ++++ strongswan-5.8.4/src/Makefile.am +@@ -42,6 +42,9 @@ endif + + if USE_LIBCHARON + SUBDIRS += libcharon ++if USE_KERNEL_NETLINK ++ SUBDIRS += xfrmi ++endif + endif + + if USE_FILE_CONFIG +@@ -143,7 +146,3 @@ endif + if USE_TPM + SUBDIRS += tpm_extendpcr + endif +- +-if USE_KERNEL_NETLINK +- SUBDIRS += xfrmi +-endif diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc new file mode 100644 index 000000000..d8604e116 --- /dev/null +++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc @@ -0,0 +1,12 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +DEPENDS = "libtspi" + +SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch" + +PACKAGECONFIG += "aikgen tpm" + +PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,," +PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,," + +EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}" diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend new file mode 100644 index 000000000..34757bb47 --- /dev/null 
+++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)} diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 8f5c537b9..a553a63d8 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -7,6 +7,7 @@ inherit packagegroup PACKAGES = "${PN}" +PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ @@ -19,5 +20,5 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-abrmd \ tpm2-pkcs11 \ ibmswtpm2 \ - cryptsetup-tpm-incubator \ + ${PREFERRED_PROVIDER_cryptsetup} \ " diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb index b706d1505..261716235 100644 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb @@ -36,7 +36,12 @@ FILES_${PN} += "${libdir}/tmpfiles.d" RDEPENDS_${PN} += "lvm2 libdevmapper" RRECOMMENDS_${PN} += "lvm2-udevrules" +RPROVIDES_${PN} = "cryptsetup" RREPLACES_${PN} = "cryptsetup" RCONFLICTS_${PN} ="cryptsetup" +RPROVIDES_${PN}-dev = "cryptsetup-dev" +RREPLACES_${PN}-dev = "cryptsetup-dev" +RCONFLICTS_${PN}-dev ="cryptsetup-dev" + BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb index 2e37c0b3c..79af6a5d1 100644 
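Review bot: `PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"` is set inside a recipe, where it only lives in this recipe's own datastore; BitBake reads PREFERRED_PROVIDER_* from the configuration (distro or local.conf), so this line does not select the cryptsetup provider for the rest of the build. It also mixes a build-time provider knob with a runtime name: the value ends up in RDEPENDS, which expects a package, not a recipe. If the intent is to let the distro pick the runtime cryptsetup for this group, a plainly named recipe variable with a comment is clearer, e.g. (name illustrative) `# runtime cryptsetup implementation pulled into the TPM2 group; override from distro config` followed by `TPM2_CRYPTSETUP_PKG ?= "cryptsetup-tpm-incubator"`, and referencing that in RDEPENDS.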
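Review bot: With `RPROVIDES_${PN} = "cryptsetup"` this 0.9.9 incubator package can now satisfy any runtime dependency on cryptsetup in an image, not only the TPM2 packagegroup; together with RREPLACES/RCONFLICTS that is the usual replacement triplet, but a package that stands in for the stock cryptsetup on a security layer deserves an explicit note, e.g. `# stands in for stock cryptsetup at runtime; the two cannot coexist in one rootfs`. Minor: `RCONFLICTS_${PN} ="cryptsetup"` and the new `RCONFLICTS_${PN}-dev ="cryptsetup-dev"` are missing the space after `=` that every other assignment in the hunk has.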
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb +++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb @@ -13,7 +13,7 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz" SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44" SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4" -S = "${WORKDIR}/${PN}" +S = "${WORKDIR}/${BPN}" inherit features_check diff --git a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb new file mode 100644 index 000000000..ca25d1459 --- /dev/null +++ b/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb @@ -0,0 +1,11 @@ +SUMMARY = "Add version info to file paths." +SECTION = "devel/python" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc" + +PYPI_PACKAGE = "oauth2client" +SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6" + +inherit pypi setuptools3 + +RDEPENDS_${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb index e9accb56f..0290cae2e 100644 --- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb 
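Review bot: `SUMMARY = "Add version info to file paths."` does not describe oauth2client and reads like a summary copied from another recipe; something like `SUMMARY = "OAuth 2.0 client library for Python"` matches the package. The recipe sets no HOMEPAGE, which the layer's other recipes do. As far as I know oauth2client is deprecated upstream in favour of google-auth, so if it exists only to satisfy python3-privacyidea's RDEPENDS, a one-line comment saying so would stop it being picked up as a general-purpose recipe.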
@@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel" RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils" FILES_${PN} += "/run/lock/subsys/bastille" -inherit module-base - SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \ file://AccountPermission.pm \ file://FileContent.pm \ diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb new file mode 100644 index 000000000..eb6b7eb33 --- /dev/null +++ b/meta-security/recipes-security/mfa/python3-privacyidea_3.3.bb 
@@ -0,0 +1,40 @@ +SUMMARY = "identity, multifactor authentication (OTP), authorization, audit" +DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications." + +HOMEPAGE = "http://www.privacyidea.org/" +LICENSE = "AGPL-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55" + +PYPI_PACKAGE = "privacyIDEA" +SRC_URI[sha256sum] = "55fbdd0fdc8957f7fc5b8900453fd9dc294860bae218e53e7fe394d93f982518" + +inherit pypi setuptools3 + +do_install_append () { + #install ${D}/var/log/privacyidea + + rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests +} + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "--system privacyidea" +USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ + --shell /bin/false privacyidea" + +FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*" + +RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils" + +RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt" +RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" +RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" +RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate" +RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned" +RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress" +RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako" +RDEPENDS_${PN} += "python3-markupsafe 
python3-netaddr python3-oauth2client python3-passlib python3-pillow" +RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" +RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" +RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" +RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " +RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" diff --git a/meta-security/scripts/ci-cleanup.sh b/meta-security/scripts/ci-cleanup.sh new file mode 100755 index 000000000..df3b68f98 --- /dev/null +++ b/meta-security/scripts/ci-cleanup.sh @@ -0,0 +1,7 @@ +#! /bin/bash + +set -e + +export SSTATE_CACHE_DIR=/home/srv/sstate/master + +./poky/scripts/sstate-cache-management.sh -d -y -- cgit v1.2.3 From b2fe863db1c3690813aab4707203ed8fbcdc7d52 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 21 Aug 2020 15:57:21 -0500 Subject: meta-security: subtree update:066a04425c..787ba6faea Armin Kuster (10): lynis: update to 3.0.0 security images: Move to recipe-core security packagegroups: move to recipes-core packagegroup-security-tpm: add more packages for building packagegroup-core-security: remove clamav for riscv* libsecomp: rv32/rv64 target builds are not supported yet packagegroup-core-security: remove libseccomp for riscv* libseccomp: update to 2.5.0 packagegroup-core-security: restore riscv64 for libssecomp trousers: Several Security fixes Charlie Davies (1): clamav: add INSTALL_CLAMAV_CVD flag to do_install Kai Kang (1): libseccomp: fix cross compile error for mips Yi Zhao (1): ibmswtpm2: upgrade 1563 -> 1628 
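Review bot: `USERADD_PACKAGES`, `GROUPADD_PARAM_${PN}` and `USERADD_PARAM_${PN}` are set, but the recipe only inherits `pypi setuptools3`; without `inherit useradd` those variables are ignored and no privacyidea user or group is created, so the change needed is `inherit pypi setuptools3 useradd`. The useradd parameters also pass `-o`, which allows a non-unique UID for a system account, and `-d /opt/${BPN}` names a home directory nothing in the recipe creates; `USERADD_PARAM_${PN} = "--system -g privacyidea -r -d /opt/${BPN} \` drops the flag, and the directory should be created in do_install or the option removed. `do_install_append` carries a commented-out `#install ${D}/var/log/privacyidea` line that should either become real or go, and the second-to-last RDEPENDS line lists `python3-soupsieve` twice. Packaging configuration under `${datadir}/etc/privacyidea` (i.e. /usr/share/etc) is unusual enough to warrant a comment on the FILES line explaining why it is not under ${sysconfdir}.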
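Review bot: `export SSTATE_CACHE_DIR=/home/srv/sstate/master` hard-codes a site-specific path into a script that then runs `sstate-cache-management.sh -d -y`, i.e. deletes without confirmation; on any other host this either fails or prunes the wrong directory. Let the environment supply the path and fail closed when it is unset, `SSTATE_CACHE_DIR="${SSTATE_CACHE_DIR:?set to the sstate directory to prune}"`, together with `set -euo pipefail` instead of the bare `set -e`. `./poky/scripts/...` is resolved against the caller's working directory, so the script should either `cd` to its own checkout first or state the expected cwd in a header comment.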
Signed-off-by: Andrew Geissler Change-Id: I0341c0d4cd61fb6ef7db6a29f9fc60de3caa822f --- .../recipes-auditors/lynis/lynis_2.7.5.bb | 41 ---------- .../recipes-auditors/lynis/lynis_3.0.0.bb | 40 +++++++++ .../packagegroup/packagegroup-security-tpm.bb | 5 ++ ...tiple-security-issues-that-are-present-if.patch | 94 ++++++++++++++++++++++ .../meta-tpm/recipes-tpm/trousers/trousers_git.bb | 1 + .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb | 27 ------- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb | 26 ++++++ .../recipes-core/images/security-build-image.bb | 19 +++++ .../recipes-core/images/security-client-image.bb | 16 ++++ .../recipes-core/images/security-server-image.bb | 19 +++++ .../recipes-core/images/security-test-image.bb | 33 ++++++++ .../packagegroup-core-security-ptest.bb | 28 +++++++ .../packagegroup/packagegroup-core-security.bb | 66 +++++++++++++++ .../recipes-scanners/clamav/clamav_0.101.5.bb | 4 +- .../images/security-build-image.bb | 19 ----- .../images/security-client-image.bb | 16 ---- .../images/security-server-image.bb | 19 ----- .../recipes-security/images/security-test-image.bb | 33 -------- .../libseccomp/files/fix-mips-build-failure.patch | 49 +++++++++++ .../libseccomp/libseccomp_2.4.3.bb | 43 ---------- .../libseccomp/libseccomp_2.5.0.bb | 48 +++++++++++ .../packagegroup-core-security-ptest.bb | 28 ------- .../packagegroup/packagegroup-core-security.bb | 68 ---------------- 23 files changed, 447 insertions(+), 295 deletions(-) delete mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb create mode 100644 meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb create mode 100644 
meta-security/recipes-core/images/security-build-image.bb create mode 100644 meta-security/recipes-core/images/security-client-image.bb create mode 100644 meta-security/recipes-core/images/security-server-image.bb create mode 100644 meta-security/recipes-core/images/security-test-image.bb create mode 100644 meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb create mode 100644 meta-security/recipes-core/packagegroup/packagegroup-core-security.bb delete mode 100644 meta-security/recipes-security/images/security-build-image.bb delete mode 100644 meta-security/recipes-security/images/security-client-image.bb delete mode 100644 meta-security/recipes-security/images/security-server-image.bb delete mode 100644 meta-security/recipes-security/images/security-test-image.bb create mode 100644 meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch delete mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb create mode 100644 meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb delete mode 100644 meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb delete mode 100644 meta-security/recipes-security/packagegroup/packagegroup-core-security.bb (limited to 'meta-security/meta-tpm') diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb deleted file mode 100644 index 245761c37..000000000 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright (C) 2017 Armin Kuster -# Released under the MIT license (see COPYING.MIT for the terms) - -SUMMARY = "Lynis is a free and open source security and auditing tool." -HOMEDIR = "https://cisofy.com/" -LICENSE = "GPL-3.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" - -SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" - -SRC_URI[md5sum] = "fb527b6976e70a6bcd57036c9cddc242" -SRC_URI[sha256sum] = "3d27ade73a5c1248925ad9c060024940ce5d2029f40aaa901f43314888fe324d" - -S = "${WORKDIR}/${BPN}" - -inherit autotools-brokensep - -do_compile[noexec] = "1" -do_configure[noexec] = "1" - -do_install () { - install -d ${D}/${bindir} - install -d ${D}/${sysconfdir}/lynis - install -m 555 ${S}/lynis ${D}/${bindir} - - install -d ${D}/${datadir}/lynis/db - install -d ${D}/${datadir}/lynis/plugins - install -d ${D}/${datadir}/lynis/include - install -d ${D}/${datadir}/lynis/extras - - cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. - cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. - cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. - cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. - cp ${S}/*.prf ${D}/${sysconfdir}/lynis -} - -FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" -FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" - -RDEPENDS_${PN} += "procps findutils" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb new file mode 100644 index 000000000..2d5962362 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb 
@@ -0,0 +1,40 @@ +# Copyright (C) 2017 Armin Kuster +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMMARY = "Lynis is a free and open source security and auditing tool." +HOMEDIR = "https://cisofy.com/" +LICENSE = "GPL-3.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" + +SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2" + +S = "${WORKDIR}/${BPN}" + +inherit autotools-brokensep + +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install () { + install -d ${D}/${bindir} + install -d ${D}/${sysconfdir}/lynis + install -m 555 ${S}/lynis ${D}/${bindir} + + install -d ${D}/${datadir}/lynis/db + install -d ${D}/${datadir}/lynis/plugins + install -d ${D}/${datadir}/lynis/include + install -d ${D}/${datadir}/lynis/extras + + cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. + cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. + cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. + cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. + cp ${S}/*.prf ${D}/${sysconfdir}/lynis +} + +FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" +FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" + +RDEPENDS_${PN} += "procps findutils" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb index 25126effb..3844c7f9f 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb @@ -11,6 +11,11 @@ SUMMARY_packagegroup-security-tpm = "Security TPM support" RDEPENDS_packagegroup-security-tpm = " \ tpm-tools \ trousers \ + pcr-extend \ + tpm-quote-tools \ + swtpm \ + openssl-tpm-engine \ + libtpm \ ${X86_TPM_MODULES} \ " 
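Review bot: `HOMEDIR = "https://cisofy.com/"` is not a BitBake variable; the intended one is `HOMEPAGE = "https://cisofy.com/"`, and since the line is carried over from the 2.7.5 recipe the upgrade is the moment to fix it. `FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md"` lists bare file names that do_install never installs, so the line packages nothing; either install the man page under ${mandir}/man8 and the text files under ${docdir}/lynis, or drop it. `inherit autotools-brokensep` is redundant when do_configure and do_compile are both marked noexec and do_install is written by hand.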
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch new file mode 100644 index 000000000..72c81d11a --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch 
@@ -0,0 +1,94 @@ +From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 14 Aug 2020 22:14:36 -0700 +Subject: [PATCH] Correct multiple security issues that are present if the tcsd + is started by root instead of the tss user. + +Patch fixes the following 3 CVEs: + +CVE-2020-24332 +If the tcsd daemon is started with root privileges, +the creation of the system.data file is prone to symlink attacks + +CVE-2020-24330 +If the tcsd daemon is started with root privileges, +it fails to drop the root gid after it is no longer needed + +CVE-2020-24331 +If the tcsd daemon is started with root privileges, +the tss user has read and write access to the /etc/tcsd.conf file + +Authored-by: Matthias Gerstner +Signed-off-by: Debora Velarde Babb + +Upstream-Status: Backport +CVE: CVE-2020-24332 +CVE: CVE-2020-24330 +CVE: CVE-2020-24331 + +Signed-off-by: Armin Kuster + +--- + src/tcs/ps/tcsps.c | 2 +- + src/tcsd/svrside.c | 1 + + src/tcsd/tcsd_conf.c | 10 +++++----- + 3 files changed, 7 insertions(+), 6 deletions(-) + +Index: git/src/tcs/ps/tcsps.c +=================================================================== +--- git.orig/src/tcs/ps/tcsps.c ++++ git/src/tcs/ps/tcsps.c +@@ -72,7 +72,7 @@ get_file() + } + + /* open and lock the file */ +- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); ++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); + if (system_ps_fd < 0) { + LogError("system PS: open() of %s failed: %s", + tcsd_options.system_ps_file, strerror(errno)); +Index: git/src/tcsd/svrside.c +=================================================================== +--- git.orig/src/tcsd/svrside.c ++++ git/src/tcsd/svrside.c +@@ -473,6 +473,7 @@ main(int argc, char **argv) + } + return TCSERR(TSS_E_INTERNAL_ERROR); + } ++ setgid(pwd->pw_gid); + setuid(pwd->pw_uid); + #endif + #endif +Index: git/src/tcsd/tcsd_conf.c 
+=================================================================== +--- git.orig/src/tcsd/tcsd_conf.c ++++ git/src/tcsd/tcsd_conf.c +@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) + #ifndef SOLARIS + struct group *grp; + struct passwd *pw; +- mode_t mode = (S_IRUSR|S_IWUSR); ++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); + #endif /* SOLARIS */ + TSS_RESULT result; + +@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) + } + + /* make sure user/group TSS owns the conf file */ +- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { ++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { + LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, +- TSS_USER_NAME, TSS_GROUP_NAME); ++ "root", TSS_GROUP_NAME); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + +- /* make sure only the tss user can manipulate the config file */ ++ /* make sure only the tss user can read (but not manipulate) the config file */ + if (((stat_buf.st_mode & 0777) ^ mode) != 0) { +- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); ++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + #endif /* SOLARIS */ diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index fe8f55714..95e821bfa 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -16,6 +16,7 @@ SRC_URI = " \ file://tcsd.service \ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \ + file://0001-Correct-multiple-security-issues-that-are-present-if.patch \ " S = "${WORKDIR}/git" 
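Review bot: The added `setgid(pwd->pw_gid);` — like the pre-existing `setuid(pwd->pw_uid);` next to it — is called without checking its return value, so if the call fails tcsd keeps running with root's gid, which is exactly the condition CVE-2020-24330 describes; there is also no `initgroups()`/`setgroups()` call, so supplementary groups inherited from the starting root process are retained. This is an upstream backport, so the real fix belongs upstream, but a line in the patch header recording that the privilege drop remains unchecked would keep it from being forgotten. The tcsd_conf.c hunks also change the contract for /etc/tcsd.conf (owner root instead of tss, mode 0640 instead of 0600, with `stat_buf.st_uid != 0` now a hard error), so an image that still ships the file as tss:tss 0600 will have tcsd refuse to start; a note beside the new SRC_URI entry in trousers_git.bb such as `# tcsd now requires /etc/tcsd.conf to be root:tss 0640` would save the next person that surprise.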
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb deleted file mode 100644 index 80542269e..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "13013612b3a13dc935fefe1a5684179c" -SRC_URI[sha256sum] = "fc3a17f8315c1f47670764f2384943afc0d3ba1e9a0422dacb08d455733bd1e9" -SRC_URI[sha1sum] = "a2a5335024a2edc1739f08b99e716fa355be627d" -SRC_URI[sha384sum] = "b1f278acabe2198aa79c0fe8aa0182733fe701336cbf54a88058be0b574cab768f59f9315882d0e689e634678d05b79f" -SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb014124011221a492147d4c492584e87af23e2f842ca6307641b3919f67a3f27f09312c0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} - diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb new file mode 100644 index 000000000..3373a307f --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb 
@@ -0,0 +1,26 @@
+SUMMARY = "IBM's Software TPM 2.0"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+ file://remove_optimization.patch \
+ "
+SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259"
+SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3"
+SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f"
+SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91"
+SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0"
+
+S = "${WORKDIR}/src"
+
+do_compile () {
+ make CC='${CC}'
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 0755 tpm_server ${D}/${bindir}
+}
diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb
new file mode 100644
index 000000000..a8757f980
--- /dev/null
+++ b/meta-security/recipes-core/images/security-build-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security \
+ os-release"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-build-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-core/images/security-client-image.bb b/meta-security/recipes-core/images/security-client-image.bb
new file mode 100644
index 000000000..f4ebc697c
--- /dev/null
+++ b/meta-security/recipes-core/images/security-client-image.bb
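Review bot: `do_compile` calls `make CC='${CC}'` directly, so `${CFLAGS}` and `${LDFLAGS}` — and with them the distro's hardening flags (stack protector, PIE, RELRO) — are never handed to the build of a binary the tpm2 packagegroup pulls into images, and `-j` is not propagated either. Use the helper and pass the flags through, `oe_runmake CC='${CC}' CFLAGS='${CFLAGS}' LDFLAGS='${LDFLAGS}'`; whether the upstream Makefile honours those variable names is not visible here, so check that it does (or patch it alongside remove_optimization.patch). `SECTION = "securty/tpm"` carries the typo over from the 1563 recipe (`security/tpm`), and the md5/sha1/sha384 checksums are redundant beside sha256 and sha512.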
@@ -0,0 +1,16 @@
+DESCRIPTION = "A Client side Security example"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ os-release \
+ samhain-client \
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-client-image"
diff --git a/meta-security/recipes-core/images/security-server-image.bb b/meta-security/recipes-core/images/security-server-image.bb
new file mode 100644
index 000000000..4927e0ee5
--- /dev/null
+++ b/meta-security/recipes-core/images/security-server-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A Serve side image for Security example "
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ samhain-server \
+ os-release "
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-server-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
new file mode 100644
index 000000000..c71d7267d
--- /dev/null
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security-ptest \
+ clamav \
+ tripwire \
+ checksec \
+ suricata \
+ samhain-standalone \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ os-release \
+ "
+
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-test-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
new file mode 100644
index 000000000..cf34ded19
--- /dev/null
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "Security ptest packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "ptest"
+
+PACKAGES = "\
+ ${PN} \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+SUMMARY_${PN} = "Security packages with ptests"
+RDEPENDS_${PN} = " \
+ ptest-runner \
+ samhain-standalone-ptest \
+ keyutils-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python3-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+ "
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb new file mode 100644 index 000000000..c6342fdb2 --- /dev/null +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb 
@@ -0,0 +1,66 @@ +DESCRIPTION = "Security packagegroup for Poky" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ + file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" + +inherit packagegroup + +PACKAGES = "\ + packagegroup-core-security \ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-ids \ + packagegroup-security-mac \ + " + +RDEPENDS_packagegroup-core-security = "\ + packagegroup-security-utils \ + packagegroup-security-scanners \ + packagegroup-security-ids \ + packagegroup-security-mac \ + " + +SUMMARY_packagegroup-security-utils = "Security utilities" +RDEPENDS_packagegroup-security-utils = "\ + checksec \ + nmap \ + pinentry \ + python3-scapy \ + ding-libs \ + keyutils \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + " + +SUMMARY_packagegroup-security-scanners = "Security scanners" +RDEPENDS_packagegroup-security-scanners = "\ + nikto \ + checksecurity \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ + " + +SUMMARY_packagegroup-security-audit = "Security Audit tools " +RDEPENDS_packagegroup-security-audit = " \ + buck-security \ + redhat-security \ + " + +SUMMARY_packagegroup-security-hardening = "Security Hardening tools" +RDEPENDS_packagegroup-security-hardening = " \ + bastille \ + " + +SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" +RDEPENDS_packagegroup-security-ids = " \ + tripwire \ + samhain-standalone \ + suricata \ + " + +SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" +RDEPENDS_packagegroup-security-mac = " \ + ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", 
"apparmor", "apparmor", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ + " diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb index 2ea2c9bd2..770186ad4 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb @@ -89,7 +89,9 @@ do_install_append_class-target () { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so - install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb deleted file mode 100644 index a8757f980..000000000 --- a/meta-security/recipes-security/images/security-build-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A small image for building meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security \ - os-release" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-build-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb deleted file mode 100644 index f4ebc697c..000000000 --- a/meta-security/recipes-security/images/security-client-image.bb +++ /dev/null 
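Review bot: `packagegroup-security-audit` and `packagegroup-security-hardening` get SUMMARY and RDEPENDS definitions but are not listed in `PACKAGES`, so the packagegroup class never produces them and the buck-security, redhat-security and bastille entries are dead text; either add both to PACKAGES (and to RDEPENDS_packagegroup-core-security if they belong to the umbrella) or drop the two stanzas. The libseccomp exclusion `contains_any("TUNE_FEATURES", "riscv32 ", ...)` has a trailing space inside the quotes, which is harmless but reads like a remnant of the riscv64 removal the commit list mentions and differs from the scanner line's `"riscv32 riscv64"`. A one-line comment above each riscv conditional stating the reason, e.g. `# libseccomp has no riscv32 support yet; clamav does not build on riscv32/riscv64`, would keep the exclusions from being "cleaned up" later.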
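Review bot: The install that the new `if [ "${INSTALL_CLAMAV_CVD}" = "1" ]` guard wraps still uses `install -m 666`, which ships the ClamAV signature databases world-writable, so any local user on the image can alter or empty the signatures the scanner trusts. The mode should be `0644` (or `0640` owned by the clamav user if the daemon must update them in place): `install -m 0644 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.`. `INSTALL_CLAMAV_CVD` has no default in the recipe; an `INSTALL_CLAMAV_CVD ?= "0"` near the top with a comment naming the knob that security-test-image.bb sets to "1" would document it. The enclosing `do_install_append_class-target` starts at the hunk header and continues past the end of the hunk.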
@@ -1,16 +0,0 @@ -DESCRIPTION = "A Client side Security example" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - os-release \ - samhain-client \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-client-image" diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb deleted file mode 100644 index 4927e0ee5..000000000 --- a/meta-security/recipes-security/images/security-server-image.bb +++ /dev/null @@ -1,19 +0,0 @@ -DESCRIPTION = "A Serve side image for Security example " - -IMAGE_FEATURES += "ssh-server-openssh" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - samhain-server \ - os-release " - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-server-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/images/security-test-image.bb b/meta-security/recipes-security/images/security-test-image.bb deleted file mode 100644 index c71d7267d..000000000 --- a/meta-security/recipes-security/images/security-test-image.bb +++ /dev/null 
@@ -1,33 +0,0 @@ -DESCRIPTION = "A small image for testing meta-security packages" - -IMAGE_FEATURES += "ssh-server-openssh" - -TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata" - -INSTALL_CLAMAV_CVD = "1" - -IMAGE_INSTALL = "\ - packagegroup-base \ - packagegroup-core-boot \ - packagegroup-core-security-ptest \ - clamav \ - tripwire \ - checksec \ - suricata \ - samhain-standalone \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \ - os-release \ - " - - -IMAGE_LINGUAS ?= " " - -LICENSE = "MIT" - -inherit core-image - -export IMAGE_BASENAME = "security-test-image" - -IMAGE_ROOTFS_EXTRA_SPACE = "5242880" diff --git a/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch new file mode 100644 index 000000000..7d17a038a --- /dev/null +++ b/meta-security/recipes-security/libseccomp/files/fix-mips-build-failure.patch 
@@ -0,0 +1,49 @@ +Backport patch to fix cross compile error for mips: + +| syscalls.h:44:6: error: expected identifier or '(' before numeric constant +| 44 | int mips; +| | ^~~~ + +Upstream-Status: Submitted [https://github.com/seccomp/libseccomp/pull/279/commits/04c519e5] + +Signed-off-by: Kai Kang + +From 04c519e5b1de53592e98307813e5c6db7418f91b Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Sun, 2 Aug 2020 09:57:39 -0400 +Subject: [PATCH] build: undefine "mips" to prevent build problems for MIPS + targets + +It turns out that the MIPS GCC compiler defines a "mips" cpp macro +which was resulting in build failures on MIPS so we need to +undefine the "mips" macro during build. As this should be safe +to do in all architectures, just add it to the compiler flags by +default. + +This was reported in the following GH issue: +* https://github.com/seccomp/libseccomp/issues/274 + +Reported-by: Rongwei Zhang +Suggested-by: Rongwei Zhang +Signed-off-by: Paul Moore +--- + configure.ac | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 40d9dcbb..3e877348 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -65,9 +65,11 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) + + dnl #### + dnl build flags ++dnl NOTE: the '-Umips' is here because MIPS GCC compilers "helpfully" define it ++dnl for us which wreaks havoc on the build + dnl #### + AM_CPPFLAGS="-I\${top_srcdir}/include -I\${top_builddir}/include" +-AM_CFLAGS="-Wall" ++AM_CFLAGS="-Wall -Umips" + AM_LDFLAGS="-Wl,-z -Wl,relro" + AC_SUBST([AM_CPPFLAGS]) + AC_SUBST([AM_CFLAGS]) diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb deleted file mode 100644 index 9ca41e650..000000000 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb +++ /dev/null 
@@ -1,43 +0,0 @@ -SUMMARY = "interface to seccomp filtering mechanism" -DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp." -SECTION = "security" -LICENSE = "LGPL-2.1" -LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" - -SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" - -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ - file://run-ptest \ -" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig ptest - -PACKAGECONFIG ??= "" -PACKAGECONFIG[python] = "--enable-python, --disable-python, python" - -DISABLE_STATIC = "" - -do_compile_ptest() { - oe_runmake -C tests check-build -} - -do_install_ptest() { - install -d ${D}${PTEST_PATH}/tests - install -d ${D}${PTEST_PATH}/tools - for file in $(find tests/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tests/*.tests -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests - done - for file in $(find tools/* -executable -type f); do - install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools - done -} - -FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*" -FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug" - -RDEPENDS_${PN}-ptest = "bash" diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb new file mode 100644 index 000000000..35365d5b4 --- /dev/null +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb 
@@ -0,0 +1,48 @@
+SUMMARY = "interface to seccomp filtering mechanism"
+DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
+SECTION = "security"
+LICENSE = "LGPL-2.1"
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
+
+DEPENDS += "gperf-native"
+
+SRCREV = "f13f58efc690493fe7aa69f54cb52a118f3769c1"
+
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
+ file://run-ptest \
+ file://fix-mips-build-failure.patch \
+"
+
+COMPATIBLE_HOST_riscv32 = "null"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig ptest
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
+
+DISABLE_STATIC = ""
+
+do_compile_ptest() {
+ oe_runmake -C tests check-build
+}
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/tests
+ install -d ${D}${PTEST_PATH}/tools
+ for file in $(find tests/* -executable -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
+ done
+ for file in $(find tests/*.tests -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
+ done
+ for file in $(find tools/* -executable -type f); do
+ install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
+ done
+}
+
+FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
+FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
+
+RDEPENDS_${PN}-ptest = "bash"
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index cf34ded19..000000000
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
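Review bot: `SRC_URI` fetches over bare `git://`, an unauthenticated transport; `SRC_URI = "git://github.com/seccomp/libseccomp.git;protocol=https;branch=release-2.5 \` keeps the fetch on TLS and is the form newer OE releases require for GitHub anyway. The `SRCREV` pin does verify the commit that is checked out, so this is transport hygiene rather than an integrity gap. The `DESCRIPTION` carries two typos inherited from the 2.4.3 recipe: `provides and easy to use, platform independent,interface` should read `provides an easy to use, platform independent interface`.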
@@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python3-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb deleted file mode 100644 index e0a9d0534..000000000 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ /dev/null 
@@ -1,68 +0,0 @@ -DESCRIPTION = "Security packagegroup for Poky" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit packagegroup - -PACKAGES = "\ - packagegroup-core-security \ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -RDEPENDS_packagegroup-core-security = "\ - packagegroup-security-utils \ - packagegroup-security-scanners \ - packagegroup-security-ids \ - packagegroup-security-mac \ - " - -SUMMARY_packagegroup-security-utils = "Security utilities" -RDEPENDS_packagegroup-security-utils = "\ - checksec \ - nmap \ - pinentry \ - python3-scapy \ - ding-libs \ - keyutils \ - libseccomp \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ - " - -SUMMARY_packagegroup-security-scanners = "Security scanners" -RDEPENDS_packagegroup-security-scanners = "\ - nikto \ - checksecurity \ - clamav \ - clamav-freshclam \ - clamav-cvd \ - " - -SUMMARY_packagegroup-security-audit = "Security Audit tools " -RDEPENDS_packagegroup-security-audit = " \ - buck-security \ - redhat-security \ - " - -SUMMARY_packagegroup-security-hardening = "Security Hardening tools" -RDEPENDS_packagegroup-security-hardening = " \ - bastille \ - " - -SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" -RDEPENDS_packagegroup-security-ids = " \ - tripwire \ - samhain-standalone \ - suricata \ - " - -SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" -RDEPENDS_packagegroup-security-mac = " \ - ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ - " -- cgit v1.2.3 
From cc58928593c3952679181b6bf8e4113080ffa867 Mon Sep 17 00:00:00 2001 
From: Andrew Geissler Date: Fri, 18 Sep 2020 13:34:40 -0500 Subject: meta-security: subtree update:787ba6faea..d6baccc068 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Armin Kuster (20): trousers: update to tip upload-error-report: add script to upload errors kas/kas-security-base.yml: lets enable error reporting .gitlab: send error reports cryptsetup-tpm-incubator: drop recipe sssd: Avoid nss function conflicts with glibc nss.h cryptsetup-tpm-incubator: remove reference from other files packagegroup-core-security: dont include suricata on riscv or ppc kas-security-base: add testimage kas: add test config kas: add one dm-verify image build gitlab-ci: add dm-verify-image gitlab-ci: add testimage meta-harden: Add a layer to demo harding OE/YP kas-security-base: define sections as base packagegroup-core-security: add more pkgs to base group apparmor: exclude mips64, not supported kas: add alt and mutli build images kas-security-base: set RPM and disable ptest qemu test: set ptest Charlie Davies (1): clamav: update SO_VER to 9.0.4 Jens Rehsack (2): ibmswtpm2: update to 1637 ibmtpm2tss: add recipe Jonatan Pålsson (1): sssd: Make manpages buildable Qi.Chen@windriver.com (1): nss: update patch to fix do_patch error Zheng Ruoqin (1): trousers: Fix the problem that do_package fails when multilib is enabled. niko.mauno@vaisala.com (12): dm-verity-img.bbclass: Fix bashisms dm-verity-img.bbclass: Reorder parse-time check dm-verity-image-initramfs: Ensure verity hash sync dm-verity-image-initramfs: Bind at do_image instead linux-yocto(-dev): Add dm-verity fragment as needed dm-verity-img.bbclass: Stage verity.env file initramfs-framework: Add dmverity module dm-verity-image-initramfs: Use initramfs-framework dm-verity-initramfs-image: Cosmetic improvements dm-verity-image-initramfs: Add base-passwd package dm-verity-image-initramfs: Drop locales from image beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR 
Signed-off-by: Andrew Geissler Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7 --- meta-security/.gitlab-ci.yml | 58 +++++++++- meta-security/classes/dm-verity-img.bbclass | 22 ++-- meta-security/kas/kas-security-base.yml | 12 +- meta-security/kas/kas-security-dm.yml | 13 +++ meta-security/kas/qemuarm64-alt.yml | 10 ++ meta-security/kas/qemuarm64-multi.yml | 12 ++ meta-security/kas/qemumips64-alt.yml | 10 ++ meta-security/kas/qemumips64-multi.yml | 14 +++ meta-security/kas/qemux86-64-alt.yml | 10 ++ meta-security/kas/qemux86-64-dm-verify.yml | 6 + meta-security/kas/qemux86-64-multi.yml | 12 ++ meta-security/kas/qemux86-test.yml | 11 ++ meta-security/meta-hardening/README | 86 ++++++++++++++ .../meta-hardening/conf/distro/harden.conf | 11 ++ meta-security/meta-hardening/conf/layer.conf | 13 +++ .../openssh/openssh_%.bbappend | 13 +++ .../recipes-core/base-files/base-files_%.bbappend | 4 + .../recipes-core/images/harden-image-minimal.bb | 25 +++++ .../recipes-core/initscripts/files/mountall.sh | 41 +++++++ .../initscripts/initscripts_1.0.bbappend | 8 ++ .../packagegroups/packagegroup-hardening.bb | 19 ++++ .../recipes-extended/shadow/shadow_%.bbappend | 10 ++ .../recipes-extended/sudo/sudo_%.bbappend | 7 ++ .../meta-tpm/conf/distro/include/maintainers.inc | 1 - .../packagegroup/packagegroup-security-tpm2.bb | 2 - ...tiple-security-issues-that-are-present-if.patch | 94 ---------------- .../meta-tpm/recipes-tpm/trousers/trousers_git.bb | 5 +- .../cryptsetup-tpm-incubator_0.9.9.bb | 47 -------- .../files/configure_fix.patch | 16 --- .../ibmswtpm2/files/fix-wrong-cast.patch | 27 +++++ .../ibmswtpm2/files/remove_optimization.patch | 26 ----- .../ibmswtpm2/files/tune-makefile.patch | 50 +++++++++ .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb | 26 ----- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb | 39 +++++++ ...2-Makefile.am-expand-wildcards-in-prereqs.patch | 125 +++++++++++++++++++++ .../recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb | 27 +++++ 
.../images/dm-verity-image-initramfs.bb | 28 +++-- .../initrdscripts/initramfs-dm-verity.bb | 13 --- .../initramfs-dm-verity/init-dm-verity.sh | 46 -------- .../initrdscripts/initramfs-framework/dmverity | 53 +++++++++ .../initrdscripts/initramfs-framework_1.0.bbappend | 16 +++ .../packagegroup/packagegroup-core-security.bb | 19 +++- .../recipes-kernel/linux/linux-yocto-dev.bbappend | 1 + .../recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 + .../recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 + .../recipes-scanners/clamav/clamav_0.101.5.bb | 2 +- ...-use-AC_CHECK_FILE-when-building-manpages.patch | 34 ++++++ ...01-nss-Collision-with-external-nss-symbol.patch | 78 +++++++++++++ meta-security/recipes-security/sssd/sssd_1.16.4.bb | 5 +- meta-security/scripts/upload-error-report | 26 +++++ meta-security/wic/beaglebone-yocto-verity.wks.in | 2 +- 51 files changed, 931 insertions(+), 307 deletions(-) create mode 100644 meta-security/kas/kas-security-dm.yml create mode 100644 meta-security/kas/qemuarm64-alt.yml create mode 100644 meta-security/kas/qemuarm64-multi.yml create mode 100644 meta-security/kas/qemumips64-alt.yml create mode 100644 meta-security/kas/qemumips64-multi.yml create mode 100644 meta-security/kas/qemux86-64-alt.yml create mode 100644 meta-security/kas/qemux86-64-dm-verify.yml create mode 100644 meta-security/kas/qemux86-64-multi.yml create mode 100644 meta-security/kas/qemux86-test.yml create mode 100644 meta-security/meta-hardening/README create mode 100644 meta-security/meta-hardening/conf/distro/harden.conf create mode 100644 meta-security/meta-hardening/conf/layer.conf create mode 100644 meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb create mode 100755 meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh create mode 
100644 meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb create mode 100644 meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend delete mode 100644 meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend create mode 100644 meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch create mode 100644 meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch create mode 
100755 meta-security/scripts/upload-error-report (limited to 'meta-security/meta-tpm')
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 132eb785c..46468fd1c 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -5,17 +5,21 @@ stages:
 stage: build
 image: crops/poky
 before_script:
+ - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
 - export PATH=~/.local/bin:$PATH
 - wget https://bootstrap.pypa.io/get-pip.py
 - python3 get-pip.py
 - python3 -m pip install kas
- - wget -q 'https://downloads.rclone.org/rclone-current-linux-amd64.zip'
- - unzip -q rclone-current-linux-amd64.zip
- - mv rclone-*-linux-amd64/rclone ~/.local/bin/
- - rm -rf rclone-*-linux-amd64*
 after_script:
+ - cd $CI_PROJECT_DIR/poky
+ - . ./oe-init-build-env $CI_PROJECT_DIR/build
+ - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
+ - send-error-report -y tmp/log/error-report/$x
+ - done
+ - cd $CI_PROJECT_DIR
 - rm -rf build
- - ./scripts/ci-cleanup.sh
+ - $CI_PROJECT_DIR/scripts/ci-cleanup.sh
 cache:
 paths:
 - layers
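Review bot: The `after_script` loop builds its file list from `ls ... | grep error_report_`; a glob is the usual shape here, `for x in $CI_PROJECT_DIR/build/tmp/log/error-report/error_report_*; do` with `[ -e "$x" ] || continue` as the first body line, so a job that produced no reports does not hand a literal pattern to `send-error-report`. Note that `send-error-report -y` uploads every report without the interactive review step, and a report carries the failing task's log (and, as I recall the report-error class, a snapshot of the build configuration), so whatever a failing recipe printed leaves the runner unreviewed; keep `ERR_REPORT_USERNAME`/`ERR_REPORT_EMAIL` as masked CI variables. A comment above the two `echo` lines stating that `~/.oe-send-error` is the identity file consumed by `send-error-report` would spare the next reader a lookup.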
@@ -84,3 +88,47 @@ qemuarm64-ima:
 extends: .build
 script:
 - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-64-dm-verify:
+ extends: .build
+ script:
+ - kas build --target core-image-minimal kas/qemux86-64.yml
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml
+
+
+qemuarm64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+
+qemux86-test:
+ extends: .build
+ script:
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 1c0e29b6e..16d395b55 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -18,12 +18,18 @@ # The resulting image can then be used to implement the device mapper block # integrity checking on the target device. +# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash +# is stored where it can be installed into associated initramfs rootfs. +STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity" + # Process the output from veritysetup and generate the corresponding .env # file. The output from veritysetup is not very machine-friendly so we need to # convert it to some better format. Let's drop the first line (doesn't contain # any useful info) and feed the rest to a script. process_verity() { - local ENV="$OUTPUT.env" + local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env" + install -d ${STAGING_VERITY_DIR} + rm -f $ENV # Each line contains a key and a value string delimited by ':'. Read the # two parts into separate variables and process them separately. For the @@ -32,15 +38,13 @@ process_verity() { # just trim all white-spaces. IFS=":" while read KEY VAL; do - echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV - echo -ne "=" >> $ENV - echo "$VAL" | tr -d " \t" >> $ENV + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV done # Add partition size echo "DATA_SIZE=$SIZE" >> $ENV - - ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env } verity_setup() { @@ -68,13 +72,13 @@ python __anonymous() { image_fstypes = d.getVar('IMAGE_FSTYPES') pn = d.getVar('PN') - if verity_image != pn: - return # This doesn't concern this image - if not verity_image or not verity_type: bb.warn('dm-verity-img class inherited but not used') return + if verity_image != pn: + return # This doesn't concern this image + if len(verity_type.split()) is not 1: bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type') 
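Review bot: `process_verity` now writes the root hash to `${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env` under `${TMPDIR}/work-shared/${MACHINE}/dm-verity`, a directory outside this recipe's own output, and nothing in the hunk declares that file as a task output or ties a consumer to the task that wrote it, so an initramfs built against a stale `.env` from an earlier image build is possible unless the consuming recipe adds an explicit dependency (the `dm-verity-image-initramfs` commits in this update may do that, but it is not visible here). The `rm -f $ENV` before the loop is right, since the loop appends. A comment on the `STAGING_VERITY_DIR ?=` line saying the location is per-MACHINE and not tracked by sstate would set expectations; `process_verity` continues past the first hunk into the second. In the third hunk the unchanged `if len(verity_type.split()) is not 1:` compares an int with `is not`; `!= 1` is the correct form and recent Pythons warn on it.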
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index 768390e25..cd87d1d40 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -29,7 +29,7 @@ repos: meta-networking: local_conf_header: - meta-security: | + base: | CONF_VERSION = "1" SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" @@ -37,6 +37,14 @@ local_conf_header: DL_DIR = "/home/srv/downloads/master" BB_HASHSERVE = "auto" BB_SIGNATURE_HANDLER = "OEEquivHash" + INHERIT += "buildstats buildstats-summary buildhistory" + INHERIT += "report-error" + INHERIT += "testimage" + TEST_QEMUBOOT_TIMEOUT = "1500" + EXTRA_IMAGE_FEATURES ?= "debug-tweaks" + DISTRO_FEATURES_remove = " ptest" + PACKAGE_CLASSES = "package_rpm" + diskmon: | BB_DISKMON_DIRS = "\ @@ -50,7 +58,7 @@ local_conf_header: ABORT,/tmp,10M,1K" bblayers_conf_header: - meta-security: | + base: | POKY_BBLAYERS_CONF_VERSION = "2" BBPATH = "${TOPDIR}" BBFILES ?= "" diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml new file mode 100644 index 000000000..7ce0e9d72 --- /dev/null +++ b/meta-security/kas/kas-security-dm.yml @@ -0,0 +1,13 @@ +header: + version: 9 + includes: + - kas-security-base.yml + +local_conf_header: + dm-verify: | + DM_VERITY_IMAGE = "core-image-minimal" + DM_VERITY_IMAGE_TYPE = "ext4" + IMAGE_CLASSES += "dm-verity-img" + INITRAMFS_IMAGE_BUNDLE = "1" + INITRAMFS_IMAGE = "dm-verity-image-initramfs" + diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml new file mode 100644 index 000000000..d23e38e0f --- /dev/null +++ b/meta-security/kas/qemuarm64-alt.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " apparmor pam systemd" + +machine: qemuarm64 
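Review bot: `DISTRO_FEATURES_remove = " ptest"` in the shared base header cannot be undone by the `DISTRO_FEATURES_append = " ptest apparmor pam"` that `kas/qemux86-test.yml` adds further down: BitBake applies `_remove` after every `_append`, so the test configuration still builds without ptest and the `kas build -c testimage` job runs without the ptest packages it is meant to exercise. Drop the `_remove` from the base and enable ptest only in the configs that want it, or give the test config a base include that omits the line. `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"` in the same block reaches every image these configs build (the `harden` distro removes it again in `harden.conf`); a comment marking it as CI-only would make that deliberate.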
diff --git a/meta-security/kas/qemuarm64-multi.yml b/meta-security/kas/qemuarm64-multi.yml
new file mode 100644
index 000000000..d79142c37
--- /dev/null
+++ b/meta-security/kas/qemuarm64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"
+
+machine: qemuarm64
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
new file mode 100644
index 000000000..923c21370
--- /dev/null
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " pam systmed"
+
+machine: qemumips64
diff --git a/meta-security/kas/qemumips64-multi.yml b/meta-security/kas/qemumips64-multi.yml
new file mode 100644
index 000000000..c8cf94b71
--- /dev/null
+++ b/meta-security/kas/qemumips64-multi.yml
@@ -0,0 +1,14 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib64 multilib:lib32"
+ DEFAULTTUNE = "mips64-n32"
+ DEFAULTTUNE_virtclass-multilib-lib64 = "mips64"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2"
+
+machine: qemumips64
diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml
new file mode 100644
index 000000000..4364bf57e
--- /dev/null
+++ b/meta-security/kas/qemux86-64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " apparmor pam systmed"
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-dm-verify.yml b/meta-security/kas/qemux86-64-dm-verify.yml
new file mode 100644
index 000000000..1f2600887
--- /dev/null
+++ b/meta-security/kas/qemux86-64-dm-verify.yml
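Review bot: `DISTRO_FEATURES_append = " pam systmed"` in `kas/qemumips64-alt.yml` misspells `systemd`, and `kas/qemux86-64-alt.yml` in the same hunk run has the same typo, while `kas/qemuarm64-alt.yml` spells it correctly. BitBake does not validate DISTRO_FEATURES names, so the two `-alt` builds silently stay on the default init manager and the alternate-init coverage these jobs are meant to add is never exercised there. The lines should read `DISTRO_FEATURES_append = " pam systemd"` and `DISTRO_FEATURES_append = " apparmor pam systemd"` respectively.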
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-dm.yml
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-multi.yml b/meta-security/kas/qemux86-64-multi.yml
new file mode 100644
index 000000000..711ce2863
--- /dev/null
+++ b/meta-security/kas/qemux86-64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
new file mode 100644
index 000000000..823a8b235
--- /dev/null
+++ b/meta-security/kas/qemux86-test.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " ptest apparmor pam"
+
+machine: qemux86
diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README
new file mode 100644
index 000000000..37a0b7ec8
--- /dev/null
+++ b/meta-security/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection. This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled. This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the 'harden' keyword must
+set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 000000000..66db9b797
--- /dev/null
+++ b/meta-security/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
new file mode 100644
index 000000000..589621440
--- /dev/null
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH .= ":${LAYERDIR}" + +# We have a recipes directory, add to BBFILES +BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" + +BBFILE_COLLECTIONS += "harden-layer" +BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" +BBFILE_PRIORITY_harden-layer = "10" + +LAYERSERIES_COMPAT_harden-layer = "dunfell" + +LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend new file mode 100644 index 000000000..67be3f313 --- /dev/null +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -0,0 +1,13 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config + fi +} diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..395630460 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,4 @@ + +do_install_append_harden () { + sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile +} 
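Review bot: The `ClientAliveCountMax 4` pattern in openssh's do_install_append_harden is inconsistent with the other sed edits, which all match the commented-out stock defaults (`#LogLevel INFO`, `#MaxSessions.*`, `#TCPKeepAlive yes`, …); a stock sshd_config ships that key commented and with a different value, so this sed most likely matches nothing and the setting is never hardened. Using the same shape as the others, `sed -i -e 's:#ClientAliveCountMax.*:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config`, would at least be consistent. More generally every edit in this function is a silent no-op when the upstream text drifts, so a check such as `grep -q '^ClientAliveCountMax 2' ${D}${sysconfdir}/ssh/sshd_config || bbfatal "sshd_config hardening did not apply"` after the seds would turn a missed hardening into a build failure. The same concern applies to the shadow bbappend, where `#PASS_MIN_LEN.*` is the only pattern expecting a leading `#` while its siblings match uncommented keys, and to the sudo bbappend, whose `root ALL=(ALL) ALL` pattern is whitespace-sensitive.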
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb new file mode 100644 index 000000000..daed3fbcc --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -0,0 +1,25 @@ +SUMMARY = "A small image for an example hardening OE." + +IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" +IMAGE_INSTALL_append = " os-release" + +IMAGE_FEATURES = "" +IMAGE_LINGUAS = " " + +LICENSE = "MIT" + +IMAGE_ROOTFS_SIZE ?= "8192" + +inherit core-image extrausers + +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" +DEFAULT_ADMIN_GROUP ?= "wheel" +DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" + +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" + +EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh new file mode 100755 index 000000000..e093f9621 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh 
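Review bot: ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD both default to the same literal `1SimplePw!` via `?=`, so an image built from this recipe without overrides ships a published credential for the admin account (and, when DISABLE_ROOT is not "True", for root); the README calls this an example, but nothing in the build makes an unchanged default visible. A small anonymous python block that calls `bb.warn` (or `bb.fatal` for release builds) when DEFAULT_ADMIN_ACCOUNT_PASSWORD still equals the shipped default would flag it at parse time. Separately, `usermod -P '${ROOT_DEFAULT_PASSWORD}' root;` passes a clear-text value that extrausers hashes at rootfs time, as I understand the class; a comment noting that `-p` takes a pre-hashed value would help anyone who must keep the clear text out of local.conf.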
@@ -0,0 +1,41 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: mountall +# Required-Start: mountvirtfs +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Mount all filesystems. +# Description: +### END INIT INFO + +. /etc/default/rcS + +# +# Mount local filesystems in /etc/fstab. For some reason, people +# might want to mount "proc" several times, and mount -v complains +# about this. So we mount "proc" filesystems without -v. +# +test "$VERBOSE" != no && echo "Mounting local filesystems..." +mkdir -p /home +mkdir -p /var +mount -at nonfs,nosmbfs,noncpfs 2>/dev/null + +# +# We might have mounted something over /dev, see if /dev/initctl is there. +# +if test ! -p /dev/initctl +then + rm -f /dev/initctl + mknod -m 600 /dev/initctl p +fi +kill -USR1 1 + +# +# Execute swapon command again, in case we want to swap to +# a file on a now mounted filesystem. +# +[ -x /sbin/swapon ] && swapon -a + +: exit 0 + diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend new file mode 100644 index 000000000..896b03973 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_harden = " file://mountall.sh" + +do_install_append_harden() { + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d +} diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb new file mode 100644 index 000000000..1dcd5fc3d --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb 
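Review bot: This file replaces the stock initscripts mountall.sh (the bbappend in the next hunk installs it over the original) but carries no comment saying what differs or why a hardening layer needs its own copy, so a reader cannot tell which lines are the hardening change and which are inherited; a header such as `# Hardened copy of initscripts' mountall.sh: <what differs and why>` above `. /etc/default/rcS` would fix that. Also `mount -at nonfs,nosmbfs,noncpfs 2>/dev/null` discards every mount error, so an fstab entry that fails (for example one carrying the restrictive mount options a hardened image relies on) leaves the system booting silently without it; if this is inherited behaviour it is worth saying so, otherwise consider keeping stderr rather than dropping it. The trailing `: exit 0` is a no-op and can be removed or turned into a plain `exit 0`.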
@@ -0,0 +1,19 @@ +# +# +# + +SUMMARY = "Hardening example group" + +inherit packagegroup + +PROVIDES = "${PACKAGES}" +PACKAGES = "${PN} \ + packagegroup-${PN} \ +" + +RDEPENDS_${PN} = "\ + init-ifupdown \ + ${VIRTUAL-RUNTIME_base-utils-syslog} \ + sudo \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \ +" diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 000000000..3f363f069 --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -0,0 +1,10 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs + sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs +} diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 000000000..a31c081fe --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend @@ -0,0 +1,7 @@ + +PACKAGECONFIG_append_harden = " pam-wheel" +do_install_append_harden () { + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers + fi +} diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc index 74c1a1812..dcf53d0cc 100644 
--- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc @@ -33,7 +33,6 @@ RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster " -RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster " RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster " diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index a553a63d8..8b6f03023 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -7,7 +7,6 @@ inherit packagegroup PACKAGES = "${PN}" -PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ @@ -20,5 +19,4 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-abrmd \ tpm2-pkcs11 \ ibmswtpm2 \ - ${PREFERRED_PROVIDER_cryptsetup} \ " diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch deleted file mode 100644 index 72c81d11a..000000000 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 -From: Matthias Gerstner -Date: Fri, 14 Aug 2020 22:14:36 -0700 -Subject: [PATCH] Correct multiple security issues that are present if the tcsd - is started by root instead of the tss user. - -Patch fixes the following 3 CVEs: - -CVE-2020-24332 -If the tcsd daemon is started with root privileges, -the creation of the system.data file is prone to symlink attacks - -CVE-2020-24330 -If the tcsd daemon is started with root privileges, -it fails to drop the root gid after it is no longer needed - -CVE-2020-24331 -If the tcsd daemon is started with root privileges, -the tss user has read and write access to the /etc/tcsd.conf file - -Authored-by: Matthias Gerstner -Signed-off-by: Debora Velarde Babb - -Upstream-Status: Backport -CVE: CVE-2020-24332 -CVE: CVE-2020-24330 -CVE: CVE-2020-24331 - -Signed-off-by: Armin Kuster - ---- - src/tcs/ps/tcsps.c | 2 +- - src/tcsd/svrside.c | 1 + - src/tcsd/tcsd_conf.c | 10 +++++----- - 3 files changed, 7 insertions(+), 6 deletions(-) - -Index: git/src/tcs/ps/tcsps.c -=================================================================== ---- git.orig/src/tcs/ps/tcsps.c -+++ git/src/tcs/ps/tcsps.c -@@ -72,7 +72,7 @@ get_file() - } - - /* open and lock the file */ -- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); -+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); - if (system_ps_fd < 0) { - LogError("system PS: open() of %s failed: %s", - tcsd_options.system_ps_file, strerror(errno)); -Index: git/src/tcsd/svrside.c -=================================================================== ---- git.orig/src/tcsd/svrside.c -+++ git/src/tcsd/svrside.c -@@ -473,6 +473,7 @@ main(int argc, char **argv) - } - return TCSERR(TSS_E_INTERNAL_ERROR); - } -+ setgid(pwd->pw_gid); - setuid(pwd->pw_uid); - #endif - #endif -Index: git/src/tcsd/tcsd_conf.c 
-=================================================================== ---- git.orig/src/tcsd/tcsd_conf.c -+++ git/src/tcsd/tcsd_conf.c -@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) - #ifndef SOLARIS - struct group *grp; - struct passwd *pw; -- mode_t mode = (S_IRUSR|S_IWUSR); -+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); - #endif /* SOLARIS */ - TSS_RESULT result; - -@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) - } - - /* make sure user/group TSS owns the conf file */ -- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { -+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { - LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, -- TSS_USER_NAME, TSS_GROUP_NAME); -+ "root", TSS_GROUP_NAME); - return TCSERR(TSS_E_INTERNAL_ERROR); - } - -- /* make sure only the tss user can manipulate the config file */ -+ /* make sure only the tss user can read (but not manipulate) the config file */ - if (((stat_buf.st_mode & 0777) ^ mode) != 0) { -- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); -+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); - return TCSERR(TSS_E_INTERNAL_ERROR); - } - #endif /* SOLARIS */ diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index 95e821bfa..27b4e2f51 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -6,7 +6,7 @@ SECTION = "security/tpm" DEPENDS = "openssl" -SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0" +SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b" PV = "0.3.14+git${SRCPV}" SRC_URI = " \ 
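Review bot: Dropping the backport patch also drops the `CVE: CVE-2020-24330`, `CVE-2020-24331` and `CVE-2020-24332` tags that cve-check credited to this recipe; the new SRCREV `e74dd1d96753b0538192143adf58d04fcd3b242b` is the upstream commit the removed patch was taken from, so the fixes are still present, but with PV still `0.3.14+git${SRCPV}` a CVE scan may now report them as open. If cve-check does flag them, record the fix in the recipe (on dunfell-era releases via `CVE_CHECK_WHITELIST`, with a comment pointing at the SRCREV) rather than leaving the report to explain itself. A one-line comment next to the SRCREV bump naming the three CVEs it carries would also preserve the history the removed patch header provided.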
@@ -16,7 +16,6 @@ SRC_URI = " \ file://tcsd.service \ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \ - file://0001-Correct-multiple-security-issues-that-are-present-if.patch \ " S = "${WORKDIR}/git" @@ -105,6 +104,8 @@ FILES_${PN}-doc = " \ ${mandir}/man8 \ " +FILES_${PN} += "${systemd_unitdir}/*" + INITSCRIPT_NAME = "trousers" INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb deleted file mode 100644 index 261716235..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ /dev/null 
@@ -1,47 +0,0 @@ -SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss" -DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module." - -SECTION = "security/tpm" -LICENSE = "LGPL-2.1 | GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \ - file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \ - " - -DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c" - -SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \ - file://configure_fix.patch " - -SRCREV = "15c283195f19f1d980e39ba45448683d5e383179" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig gettext - -PACKAGECONFIG ??= "openssl" -PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl" -PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt" - -EXTRA_OECONF = "--enable-static" - -RRECOMMENDS_${PN} = "kernel-module-aes-generic \ - kernel-module-dm-crypt \ - kernel-module-md5 \ - kernel-module-cbc \ - kernel-module-sha256-generic \ - kernel-module-xts \ - " - -FILES_${PN} += "${libdir}/tmpfiles.d" -RDEPENDS_${PN} += "lvm2 libdevmapper" -RRECOMMENDS_${PN} += "lvm2-udevrules" - -RPROVIDES_${PN} = "cryptsetup" -RREPLACES_${PN} = "cryptsetup" -RCONFLICTS_${PN} ="cryptsetup" - -RPROVIDES_${PN}-dev = "cryptsetup-dev" -RREPLACES_${PN}-dev = "cryptsetup-dev" -RCONFLICTS_${PN}-dev ="cryptsetup-dev" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch deleted file mode 100644 index 8c7b6da41..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster - -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in] - - # For old automake use this - #AM_INIT_AUTOMAKE(dist-xz subdir-objects) --AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects]) -+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign]) - - if test "x$prefix" = "xNONE"; then - sysconfdir=/etc diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch new file mode 100644 index 000000000..f2938e0e0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch @@ -0,0 +1,27 @@ +Fix strict aliasing issue of gcc10 + +fixes: + +TpmFail.c: In function 'TpmLogFailure': +TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ + | ^~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack + +Index: src/TpmFail.c +=================================================================== +--- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 ++++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 +@@ -214,7 +214,7 @@ + // On a 64-bit machine, this may truncate the address of the string + // of the function name where the error occurred. + #if FAIL_TRACE +- s_failFunction = *(UINT32 *)&function; /* kgold */ ++ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ + s_failLine = line; + #else + s_failFunction = 0; 
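Review bot: The replacement `memcpy(&s_failFunction, function, sizeof(uint32_t));` copies the first four bytes of the string that `function` points to, whereas the line it replaces stored (a truncation of) the pointer value itself, and the comment two lines above still describes the truncated-address behaviour — so the patch silently changes what gets recorded and, in principle, reads past the end of a name shorter than four characters. The aliasing-clean equivalent of the original is `memcpy(&s_failFunction, &function, sizeof(s_failFunction));` (or `s_failFunction = (UINT32)(uintptr_t)function;`), and if recording the name prefix is actually intended, the comment should say so. Since the header marks this Upstream-Status: Submitted, it is worth settling before it lands upstream.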
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch deleted file mode 100644 index 2919e2e54..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch +++ /dev/null @@ -1,26 +0,0 @@ -Allow recipe to overide optimization. - -fixes: - -397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) -| | ^~~~~~~ -| cc1: all warnings being treated as errors - - -Upstream-Status: OE specific - -Signed-off-by: Armin Kuster - -Index: src/makefile -=================================================================== ---- src.orig/makefile -+++ src/makefile -@@ -43,7 +43,7 @@ CC = /usr/bin/gcc - CCFLAGS = -Wall \ - -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ - -Werror -Wsign-compare \ -- -c -ggdb -O0 \ -+ -c -ggdb -O \ - -DTPM_POSIX \ - -D_POSIX_ \ - -DTPM_NUVOTON diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch new file mode 100644 index 000000000..eebddb9e7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch 
@@ -0,0 +1,50 @@ +1) Allow recipe to overide optimization. + +fixes: + +397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) +| | ^~~~~~~ +| cc1: all warnings being treated as errors + +2) Allow recipe to override OE related compile-/link-flags + +fixes: + +ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags] + +Upstream-Status: OE specific + +Signed-off-by: Jens Rehsack + +Index: src/makefile +=================================================================== +--- src.orig/makefile ++++ src/makefile +@@ -38,12 +38,10 @@ + ################################################################################# + + +-CC = /usr/bin/gcc +- + CCFLAGS = -Wall \ + -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ + -Werror -Wsign-compare \ +- -c -ggdb -O0 \ ++ -c -ggdb -O \ + -DTPM_POSIX \ + -D_POSIX_ \ + -DTPM_NUVOTON +@@ -79,11 +77,11 @@ + .PRECIOUS: %.o + + tpm_server: $(OBJFILES) +- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server ++ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server + + clean: + rm -f *.o tpm_server *~ + + %.o: %.c +- $(CC) $(CCFLAGS) $< -o $@ ++ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@ + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb deleted file mode 100644 index 3373a307f..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb +++ /dev/null 
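Review bot: The new link line `$(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server` references CCLD, which nothing in the visible makefile defines and which the recipe's `make CC='${CC}'` does not pass, so it relies on the variable being exported by the build environment (OE does export CCLD, as far as I know); with CCLD empty, make would try to execute the first object file as the command. Since the patch also removes `CC = /usr/bin/gcc`, a `CCLD ?= $(CC)` next to the CCFLAGS definition would make the makefile self-consistent without changing the OE result. CFLAGS and LDFLAGS likewise now appear with no default in the file, which is fine for OE but deserves a sentence in the patch header saying they are expected from the environment.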
@@ -1,26 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259" -SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3" -SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f" -SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91" -SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb new file mode 100644 index 000000000..32afd377d --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb 
@@ -0,0 +1,39 @@ +SUMMARY = "IBM's Software TPM 2.0" +DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \ +education, and virtualization. \ +\ +The intent is that an application can be developed using the software TPM. \ +The application should then run using a hardware TPM without changes. \ +Advantages of this approach: \ +* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \ +* Application software errors are easily reversed by simply removing the TPM state and starting over. \ +* Difficult crypto errors are quickly debugged by looking inside the TPM." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://tune-makefile.patch \ + file://fix-wrong-cast.patch \ + " +SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" +SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" +SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" +SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" +SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" + +S = "${WORKDIR}/src" + +CFLAGS += "-Wno-error=maybe-uninitialized" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch new file mode 100644 index 000000000..8b13fb66c --- /dev/null 
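Review bot: do_compile calls bare `make CC='${CC}'` instead of `oe_runmake`, so EXTRA_OEMAKE and the bitbake-supplied parallel make flags are bypassed and the recipe departs from the convention used elsewhere; `oe_runmake CC='${CC}'` keeps the same behaviour while honouring both. `SECTION = "securty/tpm"` is a typo for `security/tpm` (the same typo is in the ibmtpm2tss recipe added further down). A short comment on `CFLAGS += "-Wno-error=maybe-uninitialized"` saying which compiler and warning prompted it would save the next person re-deriving why -Werror needs relaxing.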
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch 
@@ -0,0 +1,125 @@ +From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001 +From: Jens Rehsack +Date: Fri, 11 Sep 2020 07:46:41 +0200 +Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs + +Expand wildcards of required sources to avoid errors like: +make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'. Stop. +make[2]: *** Waiting for unfinished jobs.... + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack +--- + utils/Makefile.am | 75 +++++++++++++++++++++++++++++++++++++++++++-- + utils12/Makefile.am | 8 ++++- + 2 files changed, 79 insertions(+), 4 deletions(-) + +diff --git a/utils/Makefile.am b/utils/Makefile.am +index 1e51fe3..170a26e 100644 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -81,9 +81,78 @@ libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS) + + noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h + # install every header in ibmtss +-nobase_include_HEADERS = ibmtss/*.h +- +-notrans_man_MANS = man/man1/*.1 ++nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \ ++ ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \ ++ ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \ ++ ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \ ++ ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \ ++ ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \ ++ ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \ ++ ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \ ++ ibmtss/EncryptDecrypt_fp.h 
ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \ ++ ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \ ++ ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \ ++ ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \ ++ ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \ ++ ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \ ++ ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \ ++ ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \ ++ ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \ ++ ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \ ++ ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \ ++ ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \ ++ ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \ ++ ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \ ++ ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \ ++ ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \ ++ ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \ ++ ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \ ++ ibmtss/PolicyNvWritten_fp.h 
ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \ ++ ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \ ++ ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \ ++ ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \ ++ ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \ ++ ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \ ++ ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \ ++ ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \ ++ ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \ ++ ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \ ++ ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \ ++ ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \ ++ ibmtss/ZGen_2Phase_fp.h ++ ++notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \ ++ man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \ ++ man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \ ++ man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \ ++ man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \ ++ man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \ ++ 
man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \ ++ man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \ ++ man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \ ++ man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \ ++ man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \ ++ man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \ ++ man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \ ++ man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \ ++ man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \ ++ man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \ ++ man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \ ++ man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \ ++ man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \ ++ man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \ ++ man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \ ++ man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \ ++ man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \ ++ man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \ ++ 
man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \ ++ man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \ ++ man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \ ++ man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \ ++ man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \ ++ man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \ ++ man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \ ++ man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1 + + if CONFIG_TPM20 + noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h +diff --git a/utils12/Makefile.am b/utils12/Makefile.am +index a01f47c..e9fe61e 100644 +--- a/utils12/Makefile.am ++++ b/utils12/Makefile.am +@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_srcdir)/utils + # result: [current-age].age.revision + libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la + +-notrans_man_MANS = man/man1/*.1 ++notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \ ++ man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \ ++ man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \ ++ man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \ ++ man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \ ++ man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \ ++ man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 
man/man1/tss1tpminit.1 + noinst_HEADERS = ekutils12.h + + bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend +-- +2.17.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb new file mode 100644 index 000000000..18ad7eb43 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb @@ -0,0 +1,27 @@ +SUMMARY = "IBM's Software TPM 2.0 TSS" +DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \ +functionality equivalent to (but not API compatible with) the TCG TSS \ +working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \ +hopefully simpler interface. \ +It comes with over 110 'TPM tools' samples that can be used for scripted \ +apps, rapid prototyping, education, and debugging. \ +It also comes with a web based TPM interface, suitable for a demo to an \ +audience that is unfamiliar with TCG technology. It is also useful for \ +basic TPM management." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl ibmswtpm2" + +inherit autotools pkgconfig + +SRCREV = "aa6c6ec83793ba21782033c03439977c26d3cc87" +SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \ + file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \ + " + +EXTRA_OECONF = "--disable-tpm-1.2" + +S = "${WORKDIR}/git" diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762d..187aeaee2 100644 
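Review bot: `SECTION = "securty/tpm"` in the new ibmtpm2tss_1.5.0.bb is misspelled; the other TPM recipes on this page use `SECTION = "security/tpm"` (see the tpm2-abrmd recipe further down). `LICENSE = "BSD"` names a license family rather than a specific license, which defeats license manifest and compliance checks — it should be the variant the checksummed LICENSE file actually contains (`BSD-3-Clause` if that is what the file says; verify against the file). The `nobranch=1` fetch is acceptable here only because `SRCREV` is pinned to a full commit hash; a short comment such as `# nobranch=1: upstream tags are not on a named branch, SRCREV pins the exact commit` would stop a later reader from "fixing" it.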
--- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -1,26 +1,34 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-dm-verity \ base-files \ + base-passwd \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" + # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_image[nostamp] = "1" -inherit core-image +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b61495655..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null 
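Review bot: deploy_verity_hash now embeds the verity root hash (`dm-verity.env`) into the initramfs, but nothing in the recipe states the resulting trust dependency: the hash only protects the rootfs if the initramfs carrying it is itself authenticated by the boot chain. Suggest a comment above the function along the lines of `# dm-verity.env carries ROOT_HASH. The initramfs that ships it is the root of trust for the verity rootfs and must itself be covered by the boot chain's signature (e.g. bundled into a signed kernel); otherwise hash and rootfs can be replaced together.` `${STAGING_VERITY_DIR}` is not defined in this file and presumably comes from the dm-verity-img class; naming that source in the same comment would help, since the old path used the generic `DEPLOY_DIR_IMAGE`.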
@@ -1,13 +0,0 @@ -SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -SRC_URI = "file://init-dm-verity.sh" - -do_install() { - install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init - install -d ${D}/dev - mknod -m 622 ${D}/dev/console c 5 1 -} - -FILES_${PN} = "/init /dev/console" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh deleted file mode 100644 index 307d2c74b..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -PATH=/sbin:/bin:/usr/sbin:/usr/bin -RDEV="" -ROOT_DIR="/new_root" - -mkdir -p /proc -mkdir -p /sys -mkdir -p /run -mkdir -p /tmp -mount -t proc proc /proc -mount -t sysfs sysfs /sys -mount -t devtmpfs none /dev - -udevd --daemon -udevadm trigger --type=subsystems --action=add -udevadm trigger --type=devices --action=add -udevadm settle --timeout=10 - -for PARAM in $(cat /proc/cmdline); do - case $PARAM in - root=*) - RDEV=${PARAM#root=} - ;; - esac -done - -if ! [ -b $RDEV ]; then - echo "Missing root command line argument!" - exit 1 -fi - -case $RDEV in - UUID=*) - RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) - ;; -esac - -. /usr/share/dm-verity.env - -echo "Mounting $RDEV over dm-verity as the root filesystem" - -veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH -mkdir -p $ROOT_DIR -mount -o ro /dev/mapper/rootfs $ROOT_DIR -exec switch_root $ROOT_DIR /sbin/init diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 000000000..bb07aab58 --- /dev/null 
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+
+ if ! [ -b "${RDEV}" ]; then
+ echo "Root device resolution failed"
+ exit 1
+ fi
+
+ veritysetup \
+ --data-block-size=1024 \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 000000000..dad9c967c
--- /dev/null
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+ file://dmverity \
+"
+
+do_install_append() {
+ # dm-verity
+ install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
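Review bot: dmverity_run initialises `DATA_SIZE` and `ROOT_HASH` to the sentinel `__not_set__` but never checks them after sourcing `/usr/share/misc/dm-verity.env`, so an env file that is missing a variable (or a shell that does not abort on a failed `.`) hands the literal sentinel to veritysetup instead of failing with a clear message. Add after the source line: `[ "${DATA_SIZE}" != "__not_set__" ] && [ "${ROOT_HASH}" != "__not_set__" ] || { echo "dm-verity.env did not provide DATA_SIZE/ROOT_HASH"; exit 1; }`. The veritysetup invocation also has no exit-status check, unlike the `mount ... || exit 2` that follows; ending its last argument line with `${ROOT_HASH} || exit 1` makes a verity setup failure report itself rather than surfacing as a confusing mount error, and quoting `"${RDEV}"`/`"${ROOT_HASH}"` there would match the quoting already used in the `-b` test.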
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index c6342fdb2..1d0180052 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -9,6 +9,8 @@ PACKAGES = "\ packagegroup-core-security \ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -16,6 +18,8 @@ PACKAGES = "\ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -23,18 +27,23 @@ RDEPENDS_packagegroup-core-security = "\ SUMMARY_packagegroup-security-utils = "Security utilities" RDEPENDS_packagegroup-security-utils = "\ checksec \ + ding-libs \ + ecryptfs-utils \ + fscryptctl \ + keyutils \ nmap \ pinentry \ + python3-privacyidea \ + python3-fail2ban \ python3-scapy \ - ding-libs \ - keyutils \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " SUMMARY_packagegroup-security-scanners = "Security scanners" RDEPENDS_packagegroup-security-scanners = "\ + isic \ nikto \ checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ 
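Review bot: in the pax branch of RDEPENDS_packagegroup-security-utils the new entry `packctl` does not correspond to any recipe visible on this page, and it sits next to `pax-utils` where a PaX flag-control tool would be expected; if the intended recipe is named differently this is a silent typo that only shows up as a missing-package error when the pax DISTRO_FEATURE is enabled, so please verify the recipe name. `packagegroup-security-audit` and `packagegroup-security-hardening` are added to both PACKAGES and the top-level RDEPENDS here, but their SUMMARY/RDEPENDS definitions are not in these hunks — presumably they live later in the file; the `@@ -55,7 +64,7 @@` hunk below starts in this file's ids section.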
@@ -55,7 +64,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ samhain-standalone \ - suricata \ + ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb index 552cac70a..dcdc1f7e6 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb 
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb @@ -30,6 +30,8 @@ S = "${WORKDIR}/git" PARALLEL_MAKE = "" +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check REQUIRED_DISTRO_FEATURES = "apparmor" diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb index 770186ad4..47fbae49f 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb @@ -23,7 +23,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \ S = "${WORKDIR}/git" LEAD_SONAME = "libclamav.so" -SO_VER = "9.0.2" +SO_VER = "9.0.4" inherit autotools pkgconfig useradd systemd multilib_header multilib_script diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch new file mode 100644 index 000000000..b64670c17 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch 
@@ -0,0 +1,34 @@ +From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= +Date: Fri, 21 Aug 2020 14:45:10 +0200 +Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AC_CHECK_FILE does not support cross-compilation, and will only check +the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead, +to allow building manpages when cross-compiling. + +Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289] +Signed-off-by: Jonatan Pålsson +--- + src/external/docbook.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/external/docbook.m4 b/src/external/docbook.m4 +index deb8632fa..acdc89a68 100644 +--- a/src/external/docbook.m4 ++++ b/src/external/docbook.m4 +@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and + dnl if a particular URI appears in the XML catalog + AC_DEFUN([CHECK_STYLESHEET], + [ +- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])]) ++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])]) + + AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog]) + if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then +-- +2.26.1 + diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch new file mode 100644 index 000000000..c319269e9 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch 
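Review bot: the patch header uses `Upstream-status: Submitted [...]` while the neighbouring nss-collision patch in this series uses the conventional `Upstream-Status: Backport [...]`; the OE patch-status tooling matches on the capitalised form, so this tag should read `Upstream-Status: Submitted [https://github.com/SSSD/sssd/pull/5289]`. The `test -f "$1"` replacement itself is sound for a cross build since the catalog path it checks is the native sysroot one passed from the recipe further down.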
@@ -0,0 +1,78 @@ +From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C5=BDidek?= +Date: Thu, 27 Feb 2020 06:50:40 +0100 +Subject: [PATCH] nss: Collision with external nss symbol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +One of our internal static function names started +to collide with external nss symbol. Additional +sss_ suffix was added to avoid the collision. + +This is needed to unblock Fedora Rawhide's +SSSD build. + +Reviewed-by: Pavel Březina + +Upstream-Status: Backport [https://github.com/SSSD/sssd.git] +Signed-off-by: Hongxu.jia@windriver.com +Signed-off-by: Qi.Chen@windriver.com +--- + src/responder/nss/nss_cmd.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c +index 25e663ed5..a4d4cfc0b 100644 +--- a/src/responder/nss/nss_cmd.c ++++ b/src/responder/nss/nss_cmd.c +@@ -728,11 +728,13 @@ done: + talloc_free(cmd_ctx); + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq); ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq); + +-static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, +- enum cache_req_type type, +- nss_protocol_fill_packet_fn fill_fn) ++/* This function's name started to collide with external nss symbol, ++ * so it has additional sss_* prefix unlike other functions here. 
*/ ++static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx, ++ enum cache_req_type type, ++ nss_protocol_fill_packet_fn fill_fn) + { + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; +@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, + goto done; + } + +- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); ++ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx); + + ret = EOK; + +@@ -787,7 +789,7 @@ done: + return EOK; + } + +-static void nss_setnetgrent_done(struct tevent_req *subreq) ++static void sss_nss_setnetgrent_done(struct tevent_req *subreq) + { + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; +@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) + + static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) + { +- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, +- nss_protocol_fill_setnetgrent); ++ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, ++ nss_protocol_fill_setnetgrent); + } + + static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) +-- +2.21.0 + diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb index 2c3c8032e..e54fa98e9 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb @@ -17,6 +17,8 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ file://sssd.conf \ file://volatiles.99_sssd \ file://fix-ldblibdir.patch \ + file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \ + file://0001-nss-Collision-with-external-nss-symbol.patch \ " SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" 
@@ -41,7 +43,7 @@ PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " -PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no" +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," @@ -60,6 +62,7 @@ EXTRA_OECONF += " \ --enable-pammoddir=${base_libdir}/security \ --without-python2-bindings \ --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ " do_configure_prepend() { diff --git a/meta-security/scripts/upload-error-report b/meta-security/scripts/upload-error-report new file mode 100755 index 000000000..56bd24e47 --- /dev/null +++ b/meta-security/scripts/upload-error-report @@ -0,0 +1,26 @@ +#!/bin/bash + +ERR_REPORT_USERNAME=$1 +ERR_REPORT_EMAIL=$2 +BUILDDIR=$3 + +shift +shift +shift + +if [ ! -e $BUILDDIR ]; then + exit 0 +fi + +cd $BUILDDIR/../poky + +if [ -d $BUILDDIR/tmp/log/error-report/ ]; then + echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error + echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error + + . ./oe-init-build-env $BUILDDIR + + for x in `ls $BUILDDIR/tmp/log/error-report/ | grep error_report_`; do + send-error-report -y tmp/log/error-report/$x + done +fi diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in index cd1702e1b..658018bac 100644 --- a/meta-security/wic/beaglebone-yocto-verity.wks.in +++ b/meta-security/wic/beaglebone-yocto-verity.wks.in 
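Review bot: `--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog` is appended to EXTRA_OECONF unconditionally, but it only matters when the `manpages` PACKAGECONFIG (which now pulls in the native docbook/xsl tools) is enabled; keeping it with that option, e.g. `PACKAGECONFIG[manpages] = "--with-manpages --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"`, keeps the flag and its dependencies together and avoids pointing configure at a catalog that is not in the sysroot for non-manpage builds. The new SRC_URI hunk in this file starts on the previous line.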
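Review bot: in the new upload-error-report script `cd $BUILDDIR/../poky` is unchecked and every `$BUILDDIR` expansion is unquoted, so a missing or space-containing path leaves the script sourcing `oe-init-build-env` from whatever directory it is already in; the `ls ... | grep` loop has the same quoting problem, and the three `shift`s leave `$@` unused. Because `send-error-report -y` answers the upload confirmation for the caller, the script should fail closed on a bad directory before it reaches that point. Suggested rewrite of the affected lines (writing `~/.oe-send-error` and sourcing the build environment are unchanged):
```bash
#!/bin/bash
set -u

ERR_REPORT_USERNAME=$1
ERR_REPORT_EMAIL=$2
BUILDDIR=$3
shift 3

[ -e "$BUILDDIR" ] || exit 0

cd "$BUILDDIR/../poky" || exit 1

if [ -d "$BUILDDIR/tmp/log/error-report/" ]; then
    # … unchanged: write ~/.oe-send-error, source ./oe-init-build-env …
    for x in "$BUILDDIR"/tmp/log/error-report/error_report_*; do
        [ -e "$x" ] || continue
        send-error-report -y "tmp/log/error-report/$(basename "$x")"
    done
fi
```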
@@ -11,5 +11,5 @@ # This .wks only works with the dm-verity-img class. part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid -part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" +part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" bootloader --append="console=ttyS0,115200" -- cgit v1.2.3 From d1d22e6713c601a72ff7329133cd86f30ac3d6ce Mon Sep 17 00:00:00 2001 
From: Andrew Geissler Date: Fri, 16 Oct 2020 10:14:32 -0500 Subject: meta-security: subtree update:d6baccc068..4c2f7ffd49 Adrian (1): gitignore added Armin Kuster (31): kas: build with ptest. remove apparmor softHSM: add pkg packagegroup-core-security: add softHSM libest: add recipe packagegroup-core-security: add libest package opendnssec: add recipe packagegroup-core-security: add opendnssec to pkg grp gitlab-ci: allow test to fail libseccomp: fix ptest failures. packagegroup-core-security-ptest: remove keyutils-ptest security-test-image: simplify packagegroup-core-security-ptest: remove apparmor: fix build issue with ptest enabled. security-test-image: tweak to get more tests to runn apparmor: update to 3.0 packagegroup-core-security: apparmor 3.0 ptest does not build suricata: fix compiling on gcc10 qemux86-test: add apparmor back apparmor: fix build for on musl ecryptfs-utils: fix musl build libest: fix musl build. sssd: update to latest ltm 1.16.5 packagegroup-core-security: remove clamav from musl image suricata: update to 4.1.9 kas: fixup alt configs gitlab-ci: add qemux86 and qemuarm64 musl builds tpm2-tss: update to 2.4.3 tpm2-totp: update to 0.2.1 tpm2-abrmd: update to 2.3.3 tpm2-tools: update to 4.3.0 tpm2-pkcs11: update to 1.4.0 Mingli Yu (1): scap-security-guide: add expat-native to DEPENDS Naveen Saini (3): initramfs-framework/dmverity: add retry loop for slow boot devices wic: add wks.in for intel dm-verity linux-%/5.x: Add dm-verity fragment as needed 
Signed-off-by: Andrew Geissler Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905 --- meta-security/.gitignore | 7 + meta-security/.gitlab-ci.yml | 10 + meta-security/kas/kas-security-alt.yml | 8 + meta-security/kas/kas-security-base.yml | 3 +- meta-security/kas/qemuarm64-alt.yml | 6 +- meta-security/kas/qemuarm64-musl.yml | 10 + meta-security/kas/qemux86-64-alt.yml | 6 +- meta-security/kas/qemux86-musl.yml | 10 + meta-security/kas/qemux86-test.yml | 2 +- .../scap-security-guide/scap-security-guide.inc | 2 +- .../recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb | 54 ----- .../recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb | 54 +++++ .../files/0001-remove-local-binary-checkes.patch | 77 ++++++++ .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb | 20 -- .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb | 23 +++ .../recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb | 13 -- .../recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb | 13 ++ .../recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb | 18 -- .../recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb | 17 ++ .../recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb | 78 -------- .../recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb | 76 ++++++++ .../recipes-core/images/security-test-image.bb | 31 +-- .../initrdscripts/initramfs-framework/dmverity | 64 +++--- .../packagegroup-core-security-ptest.bb | 28 --- .../packagegroup/packagegroup-core-security.bb | 17 ++ .../recipes-ids/suricata/libhtp_0.5.33.bb | 15 -- .../recipes-ids/suricata/libhtp_0.5.35.bb | 15 ++ meta-security/recipes-ids/suricata/suricata.inc | 4 +- .../recipes-ids/suricata/suricata_4.1.8.bb | 97 --------- .../recipes-ids/suricata/suricata_4.1.9.bb | 97 +++++++++ .../recipes-kernel/linux/linux-%_5.%.bbappend | 2 +- .../recipes-mac/AppArmor/apparmor_2.13.4.bb | 201 ------------------- meta-security/recipes-mac/AppArmor/apparmor_3.0.bb | 193 ++++++++++++++++++ ...iles-Update-make-check-to-select-tools-ba.patch | 91 +++++++++ .../0001-aa_status-Fix-build-issue-with-musl.patch | 31 +++ 
.../files/0001-apparmor-fix-manpage-order.patch | 43 ++++ ...pparmor-add-missing-include-for-socklen_t.patch | 36 ++++ ...file-dont-force-host-cpp-to-detect-reallo.patch | 37 ++++ ...-add-aa_features_new_from_file-to-public-.patch | 37 ++++ ...armor-add-_aa_asprintf-to-private-symbols.patch | 34 ++++ meta-security/recipes-mac/AppArmor/files/functions | 2 +- .../ecryptfs-utils/ecryptfs-utils_111.bb | 1 + .../files/define_musl_sword_type.patch | 15 ++ .../recipes-security/libest/libest_3.2.0.bb | 27 +++ .../libseccomp/libseccomp_2.5.0.bb | 2 +- .../opendnssec/files/fix_fprint.patch | 25 +++ .../opendnssec/files/libdns_conf_fix.patch | 217 +++++++++++++++++++++ .../opendnssec/files/libxml2_conf.patch | 112 +++++++++++ .../opendnssec/opendnssec_2.1.6.bb | 37 ++++ .../recipes-security/softHSM/softhsm_2.6.1.bb | 30 +++ ...sing-defines-which-otherwise-are-availabl.patch | 32 +++ meta-security/recipes-security/sssd/sssd_1.16.4.bb | 126 ------------ meta-security/recipes-security/sssd/sssd_1.16.5.bb | 128 ++++++++++++ meta-security/wic/systemd-bootdisk-dmverity.wks.in | 15 ++ 54 files changed, 1630 insertions(+), 719 deletions(-) create mode 100644 meta-security/.gitignore create mode 100644 meta-security/kas/kas-security-alt.yml create mode 100644 meta-security/kas/qemuarm64-musl.yml create mode 100644 meta-security/kas/qemux86-musl.yml delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb delete mode 
100644 meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb delete mode 100644 meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb delete mode 100644 meta-security/recipes-ids/suricata/libhtp_0.5.33.bb create mode 100644 meta-security/recipes-ids/suricata/libhtp_0.5.35.bb delete mode 100644 meta-security/recipes-ids/suricata/suricata_4.1.8.bb create mode 100644 meta-security/recipes-ids/suricata/suricata_4.1.9.bb delete mode 100644 meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb create mode 100644 meta-security/recipes-mac/AppArmor/apparmor_3.0.bb create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch create mode 100644 meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch create mode 100644 meta-security/recipes-security/libest/libest_3.2.0.bb create mode 100644 meta-security/recipes-security/opendnssec/files/fix_fprint.patch create mode 100644 
meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch create mode 100644 meta-security/recipes-security/opendnssec/files/libxml2_conf.patch create mode 100644 meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb create mode 100644 meta-security/recipes-security/softHSM/softhsm_2.6.1.bb create mode 100644 meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch delete mode 100644 meta-security/recipes-security/sssd/sssd_1.16.4.bb create mode 100644 meta-security/recipes-security/sssd/sssd_1.16.5.bb create mode 100644 meta-security/wic/systemd-bootdisk-dmverity.wks.in (limited to 'meta-security/meta-tpm') diff --git a/meta-security/.gitignore b/meta-security/.gitignore new file mode 100644 index 000000000..c01df45ec --- /dev/null +++ b/meta-security/.gitignore @@ -0,0 +1,7 @@ +*.pyc +*.pyo +/*.patch +*.swp +*.orig +*.rej +*~ diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index 46468fd1c..50bfe4fa3 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -126,9 +126,19 @@ qemux86-64-multi: script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml +qemux86-musl: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml + +qemuarm64-musl: + extends: .build + script: + - kas build --target security-build-image kas/$CI_JOB_NAME.yml qemux86-test: extends: .build + allow_failure: true script: - kas build --target security-test-image kas/$CI_JOB_NAME.yml - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml new file mode 100644 index 000000000..309acaa03 --- /dev/null +++ b/meta-security/kas/kas-security-alt.yml @@ -0,0 +1,8 @@ +header: + version: 9 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " apparmor pam smack systemd" 
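Review bot: `allow_failure: true` on the qemux86-test job has no comment, so the pipeline will now show green while the security test image and its testimage run are broken, and nobody reading the file later will know whether that was a temporary measure. Add a line above it such as `# non-blocking until <tracking issue>: testimage results are informational only` so the exemption is visibly owned and can be reverted; the two new musl jobs in the same hunk are fine as written.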
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index cd87d1d40..6a77af599 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -42,8 +42,7 @@ local_conf_header: INHERIT += "testimage" TEST_QEMUBOOT_TIMEOUT = "1500" EXTRA_IMAGE_FEATURES ?= "debug-tweaks" - DISTRO_FEATURES_remove = " ptest" - PACKAGE_CLASSES = "package_rpm" + PACKAGE_CLASSES = "package_ipk" diskmon: | diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml index d23e38e0f..48e688c2a 100644 --- a/meta-security/kas/qemuarm64-alt.yml +++ b/meta-security/kas/qemuarm64-alt.yml @@ -1,10 +1,6 @@ header: version: 8 includes: - - kas-security-base.yml - -local_conf_header: - alt: | - DISTRO_FEATURES_append = " apparmor pam systemd" + - kas-security-alt.yml machine: qemuarm64 diff --git a/meta-security/kas/qemuarm64-musl.yml b/meta-security/kas/qemuarm64-musl.yml new file mode 100644 index 000000000..b353eb4f1 --- /dev/null +++ b/meta-security/kas/qemuarm64-musl.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + musl: | + TCLIBC = "musl" + +machine: qemuarm64 diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml index 4364bf57e..f0d6b27d0 100644 --- a/meta-security/kas/qemux86-64-alt.yml +++ b/meta-security/kas/qemux86-64-alt.yml @@ -1,10 +1,6 @@ header: version: 8 includes: - - kas-security-base.yml - -local_conf_header: - alt: | - DISTRO_FEATURES_append = " apparmor pam systmed" + - kas-security-alt.yml machine: qemux86-64 diff --git a/meta-security/kas/qemux86-musl.yml b/meta-security/kas/qemux86-musl.yml new file mode 100644 index 000000000..61d957214 --- /dev/null +++ b/meta-security/kas/qemux86-musl.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + musl: | + TCLIBC = "musl" + +machine: qemux86 
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml index 823a8b235..7b5f45151 100644 --- a/meta-security/kas/qemux86-test.yml +++ b/meta-security/kas/qemux86-test.yml @@ -6,6 +6,6 @@ header: local_conf_header: meta-security: | - DISTRO_FEATURES_append = " ptest apparmor pam" + DISTRO_FEATURES_append = " apparmor smack pam" machine: qemux86 diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 66c262302..32fce0fbb 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" -DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" +DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb deleted file mode 100644 index 991364ad3..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.0.bb +++ /dev/null 
@@ -1,54 +0,0 @@ -SUMMARY = "TPM2 Access Broker & Resource Manager" -DESCRIPTION = "This is a system daemon implementing the TPM2 access \ -broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \ -is implemented using Glib and the GObject system. In this documentation and \ -in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \ -" -SECTION = "security/tpm" - -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" - -DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ - libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" - -SRC_URI = "\ - git://github.com/tpm2-software/tpm2-abrmd.git \ - file://tpm2-abrmd-init.sh \ - file://tpm2-abrmd.default \ -" - -SRCREV = "ac82192df1158cb58eac02777cf15c965b02cfbc" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig systemd update-rc.d useradd - -SYSTEMD_PACKAGES += "${PN}" -SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" - -INITSCRIPT_NAME = "${PN}" -INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "tss" -USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" - -PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" - -do_install_append() { - install -d "${D}${sysconfdir}/init.d" - install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" - - install -d "${D}${sysconfdir}/default" - install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" -} - -FILES_${PN} += "${libdir}/systemd/system-preset \ - ${datadir}/dbus-1" - -RDEPENDS_${PN} += "tpm2-tss" - -BBCLASSEXTEND = "native" 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb new file mode 100644 index 000000000..d2a1c47b5 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.3.3.bb 
@@ -0,0 +1,54 @@ +SUMMARY = "TPM2 Access Broker & Resource Manager" +DESCRIPTION = "This is a system daemon implementing the TPM2 access \ +broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \ +is implemented using Glib and the GObject system. In this documentation and \ +in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \ +" +SECTION = "security/tpm" + +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" + +DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \ + libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim" + +SRC_URI = "\ + git://github.com/tpm2-software/tpm2-abrmd.git \ + file://tpm2-abrmd-init.sh \ + file://tpm2-abrmd.default \ +" + +SRCREV = "4cdda466010a3699ebe967d990ac715ae3de7d35" + +S = "${WORKDIR}/git" + +inherit autotools pkgconfig systemd update-rc.d useradd + +SYSTEMD_PACKAGES += "${PN}" +SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service" +SYSTEMD_AUTO_ENABLE_${PN} = "disable" + +INITSCRIPT_NAME = "${PN}" +INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM_${PN} = "tss" +USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss" + +PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}" +PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no" + +do_install_append() { + install -d "${D}${sysconfdir}/init.d" + install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd" + + install -d "${D}${sysconfdir}/default" + install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd" +} + +FILES_${PN} += "${libdir}/systemd/system-preset \ + ${datadir}/dbus-1" + +RDEPENDS_${PN} += "tpm2-tss" + +BBCLASSEXTEND = "native" 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch new file mode 100644 index 000000000..9d3f073e0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch 
@@ -0,0 +1,77 @@ +From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Wed, 14 Oct 2020 08:55:33 -0700 +Subject: [PATCH] remove local binary checkes + +Signed-off-by: Armin Kuster + +Upsteam-Status: Inappropriate +These are only needed to run on the tartget so we add an RDPENDS. +Not needed for building. + +--- + configure.ac | 48 ------------------------------------------------ + 1 file changed, 48 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 50e7d4b..2b9abcf 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -219,54 +219,6 @@ AX_PROG_JAVAC() + AX_PROG_JAVA() + m4_popdef([AC_MSG_ERROR]) + +-AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no]) +- AS_IF([test "x$tpm2_createprimary" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no]) +- AS_IF([test "x$tpm2_create" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no]) +- AS_IF([test "x$tpm2_evictcontrol" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no]) +- AS_IF([test "x$tpm2_readpublic" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no]) +- AS_IF([test "x$tpm2_load" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no]) +- AS_IF([test "x$tpm2_loadexternal" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no]) +- AS_IF([test "x$tpm2_unseal" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool 
requires tpm2_unseal, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no]) +- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no]) +- AS_IF([test "x$tpm2_sign" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no]) +- AS_IF([test "x$tpm2_getcap" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no]) +- AS_IF([test "x$tpm2_import" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])]) +- +-AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no]) +- AS_IF([test "x$tpm2_changeauth" != "xyes"], +- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])]) +- + AC_DEFUN([integration_test_checks], [ + + PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],, +-- +2.17.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb deleted file mode 100644 index ce2dac0a5..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.2.0.bb +++ /dev/null 
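Review bot: The patch header tag is spelled `Upsteam-Status: Inappropriate`; the Yocto convention and the patch-review tooling that scans for it key on the exact spelling `Upstream-Status:`, so as written this patch will be reported as untagged. The justification paragraph also carries typos (`tartget`, `RDPENDS`, and `checkes` in both the subject and the file name), which matters here because that paragraph is the only record of why every configure-time check for the tpm2_* executables was removed. Suggest `Upstream-Status: Inappropriate [embedded specific]` and `These tools are only needed at run time on the target, so the recipe declares an RDEPENDS on tpm2-tools instead; they are not needed to build.` Since the checks are gone, that RDEPENDS in the recipe is now the only thing guaranteeing the tools are present, so it should be cross-checked against the recipe.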
@@ -1,20 +0,0 @@ -SUMMARY = "A PKCS#11 interface for TPM2 hardware" -DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." -SECTION = "security/tpm" -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" - -DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml" - -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \ - file://bootstrap_fixup.patch " - -SRCREV = "8d8f137f65f1d61d66cc191947b59c378f23e97d" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig - -do_configure_prepend () { - ${S}/bootstrap -} diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb new file mode 100644 index 000000000..486573341 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.4.0.bb 
@@ -0,0 +1,23 @@
+SUMMARY = "A PKCS#11 interface for TPM2 hardware"
+DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token."
+SECTION = "security/tpm"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
+
+DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \
+ file://bootstrap_fixup.patch \
+ file://0001-remove-local-binary-checkes.patch"
+
+SRCREV = "78bbf6a0237351830d0c3923b25ba0b57ae0b7e9"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+do_configure_prepend () {
+ ${S}/bootstrap
+}
+
+RDEPNDS_${PN} = "tpm2-tools"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
deleted file mode 100644
index ae01d5e1d..000000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.1.3.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "Tools for TPM2."
-DESCRIPTION = "tpm2-tools"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=0eb1216e46938bd723098d93a23c3bcc"
-SECTION = "tpm"
-
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
-
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-
-SRC_URI[sha256sum] = "bb5d3310620e75468fe33dbd530bd73dd648c70ec707b4579c74d9f63fc82704"
-
-inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb
new file mode 100644
index 000000000..5bd26ab98
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_4.3.0.bb
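Review bot: `RDEPNDS_${PN} = "tpm2-tools"` on the last line of tpm2-pkcs11_1.4.0.bb misspells `RDEPENDS`, and BitBake will silently treat it as an unrelated variable, so the runtime dependency on tpm2-tools is never recorded in the package. This matters more than a normal typo because the same recipe now applies 0001-remove-local-binary-checkes.patch, which strips every configure-time check for the tpm2_* executables on the stated grounds that an RDEPENDS covers them; with the typo, nothing guarantees the tools tpm2_ptool invokes are on the target. The line should read `RDEPENDS_${PN} += "tpm2-tools"`. Whether `tpm2-tools` is still needed in DEPENDS once the configure checks are gone I cannot tell from here; if it was only there to satisfy those checks it could be dropped, which also removes a needless build-time dependency.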
@@ -0,0 +1,13 @@ +SUMMARY = "Tools for TPM2." +DESCRIPTION = "tpm2-tools" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a846608d090aa64494c45fc147cc12e3" +SECTION = "tpm" + +DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive" + +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" + +SRC_URI[sha256sum] = "ae009b3495b44a16faa3d94d41ac9c9d99c71723482efad53c5eea17eeed80fc" + +inherit autotools pkgconfig bash-completion diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb deleted file mode 100644 index 0dad67306..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.0.bb +++ /dev/null @@ -1,18 +0,0 @@ -SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords" - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" - -SECTION = "security/tpm" - -DEPENDS = "autoconf-archive libtss2-dev qrencode" - -PE = "1" - -SRCREV = "994b4203e4769baefa6e7719915629bc8210e90a" -SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x \ - " - -inherit autotools-brokensep pkgconfig - -S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb new file mode 100644 index 000000000..264484f7a --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.2.1.bb 
@@ -0,0 +1,17 @@ +SUMMARY = "Attest the trustworthiness of a device against a human using time-based one-time passwords" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ed23833e93c95173c8d8913745e4b4e1" + +SECTION = "security/tpm" + +DEPENDS = "autoconf-archive libtss2-dev qrencode" + +PE = "1" + +SRCREV = "bfd581986353edc1058604e77cac804bd8b0d30a" +SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=v0.2.x" + +inherit autotools-brokensep pkgconfig + +S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb deleted file mode 100644 index 22b961d1c..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.1.bb +++ /dev/null 
@@ -1,78 +0,0 @@ -SUMMARY = "Software stack for TPM2." -DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) " -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -SECTION = "tpm" - -DEPENDS = "autoconf-archive-native libgcrypt openssl" - -SRCREV = "a99e733ba66c359502689a9c42fd5e02ed1dd7d6" - -SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "58d7afcab9ff3daaafb5316e57d2c211118334b470d5a5bc6ceace6f89a1e60d" - -inherit autotools pkgconfig systemd extrausers - -PACKAGECONFIG ??= "" -PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " -PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " - -EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" -EXTRA_OECONF_remove = " --disable-static" - - -EXTRA_USERS_PARAMS = "\ - useradd -p '' tss; \ - groupadd tss; \ - " - -PROVIDES = "${PACKAGES}" -PACKAGES = " \ - ${PN} \ - ${PN}-dbg \ - ${PN}-doc \ - libtss2-mu \ - libtss2-mu-dev \ - libtss2-mu-staticdev \ - libtss2-tcti-device \ - libtss2-tcti-device-dev \ - libtss2-tcti-device-staticdev \ - libtss2-tcti-mssim \ - libtss2-tcti-mssim-dev \ - libtss2-tcti-mssim-staticdev \ - libtss2 \ - libtss2-dev \ - libtss2-staticdev \ -" - -FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" -FILES_libtss2-tcti-device-dev = " \ - ${includedir}/tss2/tss2_tcti_device.h \ - ${libdir}/pkgconfig/tss2-tcti-device.pc \ - ${libdir}/libtss2-tcti-device.so" -FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" - -FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" -FILES_libtss2-tcti-mssim-dev = " \ - ${includedir}/tss2/tss2_tcti_mssim.h \ - ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ - ${libdir}/libtss2-tcti-mssim.so" -FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" - -FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" -FILES_libtss2-mu-dev = " \ - 
${includedir}/tss2/tss2_mu.h \ - ${libdir}/pkgconfig/tss2-mu.pc \ - ${libdir}/libtss2-mu.so" -FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a" - -FILES_libtss2 = "${libdir}/libtss2*so.*" -FILES_libtss2-dev = " \ - ${includedir} \ - ${libdir}/pkgconfig \ - ${libdir}/libtss2*so" -FILES_libtss2-staticdev = "${libdir}/libtss*a" - -FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev" - -RDEPENDS_libtss2 = "libgcrypt" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb new file mode 100644 index 000000000..78be51359 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_2.4.3.bb 
@@ -0,0 +1,76 @@ +SUMMARY = "Software stack for TPM2." +DESCRIPTION = "OSS implementation of the TCG TPM2 Software Stack (TSS2) " +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" +SECTION = "tpm" + +DEPENDS = "autoconf-archive-native libgcrypt openssl" + +SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" +SRC_URI[sha256sum] = "e294677f8993234d0adfa191a5cbf9c5b83cc60c724c233e3d631c26712abea0" + +inherit autotools pkgconfig systemd extrausers + +PACKAGECONFIG ??= "" +PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " +PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c " + +EXTRA_OECONF += "--enable-static --with-udevrulesdir=${base_prefix}/lib/udev/rules.d/" +EXTRA_OECONF_remove = " --disable-static" + + +EXTRA_USERS_PARAMS = "\ + useradd -p '' tss; \ + groupadd tss; \ + " + +PROVIDES = "${PACKAGES}" +PACKAGES = " \ + ${PN} \ + ${PN}-dbg \ + ${PN}-doc \ + libtss2-mu \ + libtss2-mu-dev \ + libtss2-mu-staticdev \ + libtss2-tcti-device \ + libtss2-tcti-device-dev \ + libtss2-tcti-device-staticdev \ + libtss2-tcti-mssim \ + libtss2-tcti-mssim-dev \ + libtss2-tcti-mssim-staticdev \ + libtss2 \ + libtss2-dev \ + libtss2-staticdev \ +" + +FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*" +FILES_libtss2-tcti-device-dev = " \ + ${includedir}/tss2/tss2_tcti_device.h \ + ${libdir}/pkgconfig/tss2-tcti-device.pc \ + ${libdir}/libtss2-tcti-device.so" +FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a" + +FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*" +FILES_libtss2-tcti-mssim-dev = " \ + ${includedir}/tss2/tss2_tcti_mssim.h \ + ${libdir}/pkgconfig/tss2-tcti-mssim.pc \ + ${libdir}/libtss2-tcti-mssim.so" +FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a" + +FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*" +FILES_libtss2-mu-dev = " \ + ${includedir}/tss2/tss2_mu.h \ + ${libdir}/pkgconfig/tss2-mu.pc \ + 
${libdir}/libtss2-mu.so"
+FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
+
+FILES_libtss2 = "${libdir}/libtss2*so.*"
+FILES_libtss2-dev = " \
+ ${includedir} \
+ ${libdir}/pkgconfig \
+ ${libdir}/libtss2*so"
+FILES_libtss2-staticdev = "${libdir}/libtss*a"
+
+FILES_${PN} = "${libdir}/udev ${base_prefix}/lib/udev"
+
+RDEPENDS_libtss2 = "libgcrypt"
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index c71d7267d..54d89787f 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -1,33 +1,18 @@
 DESCRIPTION = "A small image for testing meta-security packages"
+require security-build-image.bb
+
 IMAGE_FEATURES += "ssh-server-openssh"
 TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
 INSTALL_CLAMAV_CVD = "1"
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
-export IMAGE_BASENAME = "security-test-image"
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
+PTEST_EXPECT_FAILURE = "1"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab58..888052ccd 100644
--- a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
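Review bot: `PTEST_EXPECT_FAILURE = "1"` at the end of security-test-image.bb, if this is the oeqa runtime ptest knob, stops failing ptests from failing the testimage run, so a regression in any of the ptest packages this image exists to exercise is reported as a pass; it deserves a comment stating which ptests are known to fail and why, e.g. `# known-failing ptests (list them here) must not fail the whole run; revisit when fixed`. The rootfs sizing also changed without explanation: `IMAGE_ROOTFS_EXTRA_SPACE` drops from 5242880 to 1124288 and `IMAGE_OVERHEAD_FACTOR = "1.0"` is new, while the QB_MEM line right next to them does get a why-comment. Finally, `require security-build-image.bb` now supplies this image's IMAGE_INSTALL, LICENSE and `inherit core-image`, but TEST_SUITES still names clamav, samhain, sssd, tripwire, checksec, smack and suricata, and whether the required image installs all of them cannot be checked from this hunk.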
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@ dmverity_run() {
 . /usr/share/misc/dm-verity.env
- case "${bootparam_root}" in
- ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
- ;;
- LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
- ;;
- PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
- ;;
- PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
- ;;
- PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
- ;;
- UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
- ;;
- *)
- RDEV="${bootparam_root}"
- esac
-
- if ! [ -b "${RDEV}" ]; then
- echo "Root device resolution failed"
- exit 1
- fi
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done
 veritysetup \
 --data-block-size=1024 \
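Review bot: The pre-loop `RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"` hard-codes the PARTUUID lookup for every root= form, so for an ID=, LABEL=, UUID= or plain device-path root the first `[ ! -b ]` test is made against a bogus path and every boot pays one `sleep $delay` before the `case` block gets to resolve the real device; resolving inside the loop before the test removes that. `delay` and `timeout` come straight from the kernel command line into `$(( $C * $delay ))` and `-gt $timeout` with no validation, so a non-numeric value aborts the arithmetic instead of falling back to the defaults; a `case "$delay" in *[!0-9]*) delay=1 ;; esac` guard keeps the wait bounded and predictable. The `exit 1` after `fatal "Root device resolution failed"` is presumably unreachable if `fatal` already halts the initramfs, but I cannot confirm `fatal`'s behaviour from this hunk. dmverity_run() begins and ends outside the hunk.
```shell
    C=0
    delay=${bootparam_rootdelay:-1}
    timeout=${bootparam_roottimeout:-5}
    # both values come from the kernel command line: use the defaults
    # unless they are plain non-negative integers
    case "$delay" in *[!0-9]*) delay=1 ;; esac
    case "$timeout" in *[!0-9]*) timeout=5 ;; esac
    while :; do
        # … unchanged: case "${bootparam_root}" in … esac resolving RDEV …
        [ -b "${RDEV}" ] && break
        if [ $(( C * delay )) -gt "$timeout" ]; then
            fatal "Root device resolution failed"
            exit 1
        fi
        debug "Sleeping for $delay second(s) to wait root to settle..."
        sleep "$delay"
        C=$(( C + 1 ))
    done
```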
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb deleted file mode 100644 index cf34ded19..000000000 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security-ptest.bb +++ /dev/null @@ -1,28 +0,0 @@ -DESCRIPTION = "Security ptest packagegroup" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ - file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -inherit features_check - -REQUIRED_DISTRO_FEATURES = "ptest" - -PACKAGES = "\ - ${PN} \ - " - -ALLOW_EMPTY_${PN} = "1" - -SUMMARY_${PN} = "Security packages with ptests" -RDEPENDS_${PN} = " \ - ptest-runner \ - samhain-standalone-ptest \ - keyutils-ptest \ - libseccomp-ptest \ - python3-scapy-ptest \ - suricata-ptest \ - tripwire-ptest \ - python3-fail2ban-ptest \ - ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ - " diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 1d0180052..0a4452eea 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -13,6 +13,7 @@ PACKAGES = "\ packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ + ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \ " RDEPENDS_packagegroup-core-security = "\ 
@@ -22,6 +23,7 @@ RDEPENDS_packagegroup-core-security = "\
 packagegroup-security-hardening \
 packagegroup-security-ids \
 packagegroup-security-mac \
+ ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
 "
 SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -36,6 +38,9 @@ RDEPENDS_packagegroup-security-utils = "\
 python3-privacyidea \
 python3-fail2ban \
 python3-scapy \
+ softhsm \
+ libest \
+ opendnssec \
 ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
@@ -48,6 +53,7 @@ RDEPENDS_packagegroup-security-scanners = "\
 checksecurity \
 ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
 "
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"
 SUMMARY_packagegroup-security-audit = "Security Audit tools "
 RDEPENDS_packagegroup-security-audit = " \
@@ -73,3 +79,14 @@ RDEPENDS_packagegroup-security-mac = " \
 ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
 ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
 "
+
+RDEPENDS_packagegroup-meta-security-ptest-packages = "\
+ ptest-runner \
+ samhain-standalone-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python3-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.33.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.33.bb
deleted file mode 100644
index 8305f7010..000000000
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.33.bb
+++ /dev/null
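Review bot: The new `RDEPENDS_packagegroup-meta-security-ptest-packages` list in the last hunk silently drops `keyutils-ptest` and the apparmor-conditional `apparmor-ptest` that the deleted packagegroup-core-security-ptest.bb carried, while the other seven entries are copied over verbatim; if the omission is deliberate it needs a comment such as `# keyutils-ptest and apparmor-ptest intentionally omitted: <reason>`, otherwise the two entries should be restored. The old packagegroup also guarded itself with `REQUIRED_DISTRO_FEATURES = "ptest"`, whereas the replacement is only gated by the `bb.utils.contains` checks added to PACKAGES and RDEPENDS in the earlier hunks of this file, so the variable is defined unconditionally; that is harmless but worth a one-line comment so the next reader does not look for the feature check.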
@@ -1,15 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -DEPENDS = "zlib" - -inherit autotools pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -S = "${WORKDIR}/suricata-${VER}/${BPN}" - -RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb new file mode 100644 index 000000000..8305f7010 --- /dev/null +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.35.bb @@ -0,0 +1,15 @@ +SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." + +require suricata.inc + +LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +DEPENDS = "zlib" + +inherit autotools pkgconfig + +CFLAGS += "-D_DEFAULT_SOURCE" + +S = "${WORKDIR}/suricata-${VER}/${BPN}" + +RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc index c9dd9aa81..b94285f0d 100644 --- a/meta-security/recipes-ids/suricata/suricata.inc +++ b/meta-security/recipes-ids/suricata/suricata.inc @@ -2,7 +2,7 @@ HOMEPAGE = "http://suricata-ids.org/" SECTION = "security Monitor/Admin" LICENSE = "GPLv2" -VER = "4.1.8" +VER = "4.1.9" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" -SRC_URI[sha256sum] = "c8a83a05f57cedc0ef81d833ddcfdbbfdcdb6f459a91b1b15dc2d5671f1aecbb" +SRC_URI[sha256sum] = "3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.8.bb b/meta-security/recipes-ids/suricata/suricata_4.1.8.bb deleted file mode 100644 index 9b7122b9e..000000000 --- a/meta-security/recipes-ids/suricata/suricata_4.1.8.bb +++ /dev/null 
@@ -1,97 +0,0 @@ -SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRC_URI += " \ - file://volatiles.03_suricata \ - file://tmpfiles.suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " - -inherit autotools-brokensep pkgconfig python3-dir systemd ptest - -CFLAGS += "-D_DEFAULT_SOURCE" - -CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ - ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " - -EXTRA_OECONF += " --disable-debug \ - --enable-non-bundled-htp \ - --disable-gccmarch-native \ - --disable-suricata-update \ - " - -PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" - -PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp," -PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," -PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," -PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," -PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " -PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," -PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," -PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," - -PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} 
--with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" -PACKAGECONFIG[file] = ",,file, file" -PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," -PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," -PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3" -PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," - -export logdir = "${localstatedir}/log" - -do_install_append () { - - install -d ${D}${sysconfdir}/suricata - - oe_runmake install-conf DESTDIR=${D} - - oe_runmake install-rules DESTDIR=${D} - - install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata - - install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf - - install -d ${D}${systemd_unitdir}/system - sed -e s:/etc:${sysconfdir}:g \ - -e s:/var/run:/run:g \ - -e s:/var:${localstatedir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/bin/kill:${base_bindir}/kill:g \ - -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - -} - -pkg_postinst_ontarget_${PN} () { -if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf -elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi -} - -SYSTEMD_PACKAGES = "${PN}" - -PACKAGES =+ "${PN}-socketcontrol" -FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" -FILES_${PN}-socketcontrol = 
"${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" - -CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" - -RDEPENDS_${PN}-python = "python" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.9.bb b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb new file mode 100644 index 000000000..135871cc7 --- /dev/null +++ b/meta-security/recipes-ids/suricata/suricata_4.1.9.bb 
@@ -0,0 +1,97 @@ +SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" + +require suricata.inc + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +SRC_URI += " \ + file://volatiles.03_suricata \ + file://tmpfiles.suricata \ + file://suricata.yaml \ + file://suricata.service \ + file://run-ptest \ + " + +inherit autotools-brokensep pkgconfig python3-dir systemd ptest + +CFLAGS += "-D_DEFAULT_SOURCE -fcommon" + +CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ + ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " + +EXTRA_OECONF += " --disable-debug \ + --enable-non-bundled-htp \ + --disable-gccmarch-native \ + --disable-suricata-update \ + " + +PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr" +PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" + +PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp," +PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," +PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," +PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," +PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " +PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," +PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," +PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," + +PACKAGECONFIG[jansson] = 
"--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" +PACKAGECONFIG[file] = ",,file, file" +PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," +PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3" +PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," + +export logdir = "${localstatedir}/log" + +do_install_append () { + + install -d ${D}${sysconfdir}/suricata + + oe_runmake install-conf DESTDIR=${D} + + oe_runmake install-rules DESTDIR=${D} + + install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata + + install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf + + install -d ${D}${systemd_unitdir}/system + sed -e s:/etc:${sysconfdir}:g \ + -e s:/var/run:/run:g \ + -e s:/var:${localstatedir}:g \ + -e s:/usr/bin:${bindir}:g \ + -e s:/bin/kill:${base_bindir}/kill:g \ + -e s:/usr/lib:${libdir}:g \ + ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + fi + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run + +} + +pkg_postinst_ontarget_${PN} () { +if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf +elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi +} + +SYSTEMD_PACKAGES = "${PN}" + +PACKAGES =+ "${PN}-socketcontrol" +FILES_${PN} += "${systemd_unitdir} 
${sysconfdir}/tmpfiles.d"
+FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+
+RDEPENDS_${PN}-python = "python"
diff --git a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
index 76b5df55b..6bc40cd96 100644
--- a/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-%_5.%.bbappend
@@ -1,4 +1,4 @@
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
 KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
-
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
deleted file mode 100644
index dcdc1f7e6..000000000
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ /dev/null
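Review bot: The added `KERNEL_FEATURES_append` tests IMAGE_CLASSES from the kernel recipe's own datastore, so a `dm-verity-img` that is only set inside an image recipe will presumably not be seen here and the kernel feature silently stays off; a comment making the global-configuration requirement explicit would help, e.g. `# dm-verity-img must be in IMAGE_CLASSES globally (local.conf/distro) for this kernel feature to apply`. It is also worth saying in the same comment that KERNEL_FEATURES is honoured only by linux-yocto style kernels, since this bbappend matches any `linux-%_5.%` recipe.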
@@ -1,201 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://0001-Makefile.am-suppress-perllocal.pod.patch \ - file://run-ptest \ - " - -SRCREV = "df0ac742f7a1146181d8734d03334494f2015134" -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" - -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check -REQUIRED_DISTRO_FEATURES = "apparmor" - -PACKAGECONFIG ??= "python perl aa-decode" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," -PACKAGECONFIG[aa-decode] = ",,,bash" - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise 
bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - # Fixes: - # | sed -ie 's///g' Makefile.perl - # | sed: -e expression #1, char 0: no previous regular expression - #| Makefile:478: recipe for target 'Makefile.perl' failed - sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile - - - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - # If perl is disabled this script won't be any good - if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then - rm -f ${D}${sbindir}/aa-notify - fi - - if ! 
${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then - rm -f ${D}${sbindir}/aa-decode - fi - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions - sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} - fi -} - -#Building ptest on arm fails. -do_compile_ptest_aarch64 () { - : -} - -do_compile_ptest_arm () { - : -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -#Building ptest on arm fails. -do_install_ptest_aarch64 () { - : -} - -do_install_ptest_arm() { - : -} - -pkg_postinst_ontarget_${PN} () { -if [ ! 
-d /etc/apparmor.d/cache ] ; then - mkdir /etc/apparmor.d/cache -fi -} - -# We need the init script so don't rm it -RMINITDIR_class-target_remove = " rm_sysvinit_initddir" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE ?= "enable" - -PACKAGES += "mod-${PN}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -# Add coreutils and findutils only if sysvinit scripts are in use -RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" - -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb new file mode 100644 index 000000000..35e95a0a2 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb 
@@ -0,0 +1,193 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" + +SRC_URI = " \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ + file://run-ptest \ + file://0001-apparmor-fix-manpage-order.patch \ + file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \ + file://0001-libapparmor-add-missing-include-for-socklen_t.patch \ + file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \ + file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \ + file://0001-aa_status-Fix-build-issue-with-musl.patch \ + file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \ + " + +SRCREV = "5d51483bfecf556183558644dc8958135397a7e2" +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" + +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion + +REQUIRED_DISTRO_FEATURES = "apparmor" + +PACKAGECONFIG ?= "python perl aa-decode" +PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, 
--without-python, python3 , python3-core python3-modules" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, " +PACKAGECONFIG[apache2] = ",,apache2," +PACKAGECONFIG[aa-decode] = ",,,bash" + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') +} + +DISABLE_STATIC = "" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile () { + sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + if ! 
${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then + rm -f ${D}${sbindir}/aa-decode + fi + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + install -d ${D}/lib/security + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + fi +} + +#Building ptest on arm fails. +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + +do_compile_ptest () { + sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile + oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0 + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +#Building ptest on arm fails. +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + +pkg_postinst_ontarget_${PN} () { +if [ ! 
-d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + +# We need the init script so don't rm it +RMINITDIR_class-target_remove = " rm_sysvinit_initddir" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_AUTO_ENABLE ?= "enable" + +PACKAGES += "mod-${PN}" + +FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_mod-${PN} = "${libdir}/apache2/modules/*" + +DEPENDS_append_libc-musl = " fts " +RDEPENDS_${PN}_libc-musl += "musl-utils" +RDEPENDS_${PN}_libc-glibc += "glibc-utils" + +# Add coreutils and findutils only if sysvinit scripts are in use +RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" + +INSANE_SKIP_${PN} = "ldflags" +PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch new file mode 100644 index 000000000..791437d1d --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch 
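Review bot: In do_install_ptest, `cp ${B}/parser/apparmor_parser ${t}/parser` and `cp ${B}/parser/frob_slack_rc ${t}/parser` now run without any `install -d ${t}/parser` (the 2.13.4 recipe created `${t}/parser/tst` first, which 3.0 drops), so the first cp creates a regular file named `parser` under the testsuite directory and the second overwrites it; add `install -d ${t}/parser` before the two cp lines. The new `INSANE_SKIP_${PN} = "ldflags"` silences the QA check that LDFLAGS reached the link step, and LDFLAGS is how the distro's link-time hardening options are applied, so a comment naming which sub-build ignores LDFLAGS (or a Makefile fix) would be preferable to a blanket skip on a MAC enforcement package. `HOMEAPAGE`, carried over from 2.13.4, is a typo for `HOMEPAGE`, so that field is never populated.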
@@ -0,0 +1,91 @@
+From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Sat, 3 Oct 2020 11:26:46 -0700
+Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based
+ on USE_SYSTEM"
+
+This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
+
+Upstream-Statue: OE specific
+These changes cause during packaging with perms changing.
+
+Signed-off-by: Armin Kuster
+
+---
+ profiles/Makefile | 50 ++++++++++-------------------------------------
+ 1 file changed, 10 insertions(+), 40 deletions(-)
+
+diff --git a/profiles/Makefile b/profiles/Makefile
+index ba47fc16..5384cb05 100644
+--- a/profiles/Makefile
++++ b/profiles/Makefile
+@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
+ SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
+ TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
+ 
+-ifdef USE_SYSTEM
+- PYTHONPATH=
+- PARSER?=apparmor_parser
+- LOGPROF?=aa-logprof
+-else
+- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
+- PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
+- LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
+- LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
+- PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
+- PARSER?=../parser/apparmor_parser
+- # use ../utils logprof
+- LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof
+-endif
+-
+ # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
+ PWD=$(shell pwd)
+ 
+-.PHONY: test-dependencies
+-test-dependencies: __parser __libapparmor
+-
+-
+-.PHONY: __parser __libapparmor
+-__parser:
+-ifndef USE_SYSTEM
+- @if [ ! -f $(PARSER) ]; then \
+- echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
+- echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
+- echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
+- exit 1; \
+- fi
+-endif
+-
+-__libapparmor:
+-ifndef USE_SYSTEM
+- @if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
+- echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
+- echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
+- echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
+- exit 1; \
+- fi
+-endif
+-
+ local:
+ for profile in ${TOPLEVEL_PROFILES}; do \
+ fn=$$(basename $$profile); \
+@@ -109,6 +69,16 @@ else
+ Q=
+ endif
+ 
++ifndef PARSER
++# use system parser
++PARSER=../parser/apparmor_parser
++endif
++
++ifndef LOGPROF
++# use ../utils logprof
++LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
++endif
++
+ .PHONY: docs
+ # docs: should we have some here?
+ docs:
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
new file mode 100644
index 000000000..239562a45
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
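Review bot: The header `Upstream-Statue: OE specific` is misspelled and is not an accepted Upstream-Status value, so the OE patch QA tooling will report this patch as having no status; it should read `Upstream-Status: Inappropriate [OE specific]`. The added comment `# use system parser` above `PARSER=../parser/apparmor_parser` contradicts the value, which is the in-tree parser, so the comment should say `# use the in-tree parser`. The description line `These changes cause during packaging with perms changing.` is missing its object and should state what actually fails at packaging time.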
@@ -0,0 +1,31 @@
+From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Wed, 7 Oct 2020 08:27:11 -0700
+Subject: [PATCH] aa_status: Fix build issue with musl
+
+add limits.h
+
+aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
+| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char));
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+---
+ binutils/aa_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b03409..41f1954e 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -10,6 +10,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
new file mode 100644
index 000000000..9f3dce426
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
@@ -0,0 +1,43 @@
+From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Fri, 2 Oct 2020 19:43:44 -0700
+Subject: [PATCH] apparmor: fix manpage order
+
+It trys to create a symlink before the man pages are installed.
+
+ ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
+ | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+...
+
+install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
+
+Signed-off-by: Armin Kuster
+---
+ binutils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/Makefile b/binutils/Makefile
+index 99e54875..3f1d0011 100644
+--- a/binutils/Makefile
++++ b/binutils/Makefile
+@@ -156,12 +156,12 @@ install-arch: arch
+ install -m 755 -d ${SBINDIR}
+ ln -sf aa-status ${SBINDIR}/apparmor_status
+ install -m 755 ${SBINTOOLS} ${SBINDIR}
+- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ .PHONY: install-indep
+ install-indep: indep
+ $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+ $(MAKE) install_manpages DESTDIR=${DESTDIR}
++ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ ifndef VERBOSE
+ .SILENT: clean
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
new file mode 100644
index 000000000..2a56d8b85
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
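Review bot: The moved `ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8` in install-indep runs unconditionally after `$(MAKE) install_manpages`, and `ln -sf` succeeds even when `aa-status.8` was never installed, so a build without man pages (the recipe's default PACKAGECONFIG does not enable manpages) would presumably package a dangling symlink. Guarding it with `[ ! -e ${DESTDIR}/${MANDIR}/man8/aa-status.8 ] || ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8` avoids that. Whether install_manpages installs anything when man pages are disabled is not visible in this hunk, so confirm before changing.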
@@ -0,0 +1,36 @@
+From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt
+Date: Sat, 3 Oct 2020 20:37:55 +0200
+Subject: [PATCH] libapparmor: add missing include for `socklen_t`
+
+While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
+include the `` header to make its declaration available.
+While this works on systems using glibc via transitive includes, it
+breaks compilation on musl libc.
+
+Fix the issue by including the header.
+
+Signed-off-by: Patrick Steinhardt
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster
+
+---
+ libraries/libapparmor/include/sys/apparmor.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d06..d70eff94 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -21,6 +21,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ #ifdef __cplusplus
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
new file mode 100644
index 000000000..9f7ad3c55
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
@@ -0,0 +1,37 @@
+From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Wed, 7 Oct 2020 20:50:38 -0700
+Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
+
+In cross build environments, using the hosts cpp gives incorrect
+detection of reallocarray. Change cpp to a variable.
+
+fixes:
+parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
+| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
+| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
+
+Signed-off-by: Armin Kuster
+
+Upstream-Status: Pending
+
+---
+ parser/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index acef3d77..8250ac45 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -54,7 +54,7 @@ endif
+ CPPFLAGS += -D_GNU_SOURCE
+ 
+ STDLIB_INCLUDE:="\#include "
+-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
+ 
+ WARNINGS = -Wall
+ CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
new file mode 100644
index 000000000..333f40fbd
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
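Review bot: `${CPP}` has no default in this Makefile, so outside an environment that exports CPP the pipeline degrades to `echo ... | ${CPPFLAGS} | grep -q reallocarray`, the shell fails on the bare flags, HAVE_REALLOCARRAY stays empty, and the build presumably falls back to its own reallocarray definition even on a libc that provides one. Add `CPP ?= $(CC) -E` (or `CPP ?= cpp`) above the detection line so the change behaves for non-OE builders as well, which matters since the patch is marked Upstream-Status: Pending.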
@@ -0,0 +1,37 @@
+From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt
+Date: Sat, 3 Oct 2020 20:58:45 +0200
+Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
+ symbols
+
+With AppArmor release 3.0, a new function `aa_features_new_from_file`
+was added, but not added to the list of public symbols. As a result,
+it's not possible to make use of this function when linking against
+libapparmor.so.
+
+Fix the issue by adding it to the symbol map.
+
+Signed-off-by: Patrick Steinhardt
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index bbff51f5..1579509a 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
+ 
+ APPARMOR_3.0 {
+ global:
++ aa_features_new_from_file;
+ aa_features_write_to_fd;
+ aa_features_value;
+ local:
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
new file mode 100644
index 000000000..543c7a185
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
@@ -0,0 +1,34 @@
+From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt
+Date: Sat, 3 Oct 2020 21:04:57 +0200
+Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
+
+While `_aa_asprintf` is supposed to be of private visibility, it's used
+by apparmor_parser and thus required to be visible when linking. This
+commit thus adds it to the list of private symbols to make it available
+for linking in apparmor_parser.
+
+Signed-off-by: Patrick Steinhardt
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index 1579509a..41e541ac 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -127,6 +127,7 @@ APPARMOR_3.0 {
+ PRIVATE {
+ global:
+ _aa_is_blacklisted;
++ _aa_asprintf;
+ _aa_autofree;
+ _aa_autoclose;
+ _aa_autofclose;
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
index cef8cfe7d..e9e2bbfbf 100644
--- a/meta-security/recipes-mac/AppArmor/files/functions
+++ b/meta-security/recipes-mac/AppArmor/files/functions
@@ -144,7 +144,7 @@ clear_cache_var() {
 read_features_dir() {
- for f in `ls -AU "$1"` ; do
+ for f in `ls -A "$1"` ; do
 if [ -f "$1/$f" ] ; then
 read -r KF < "$1/$f" || true
 echo -n "$f {$KF } "
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index d8cd06f8d..4a99b5af4 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -16,6 +16,7 @@ SRC_URI = "\
 file://ecryptfs-utils-CVE-2016-6224.patch \
 file://0001-avoid-race-condition.patch \
 file://ecryptfs.service \
+ file://define_musl_sword_type.patch \
 "
 SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
diff --git a/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
new file mode 100644
index 000000000..3b29be038
--- /dev/null
+++ b/meta-security/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -0,0 +1,15 @@
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include
+ #include "../include/ecryptfs.h"
+ 
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+ * by the system administrator (or user?) at run time. For now, these are set
+ * to reasonable values to reduce the burden of input validation.
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
new file mode 100644
index 000000000..f993bd65e
--- /dev/null
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
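Review bot: define_musl_sword_type.patch carries no `Upstream-Status:` line and no Signed-off-by, unlike every other patch added in this commit, so the patch QA check will flag it; add `Upstream-Status: Pending` plus one sentence stating that musl does not define `__SWORD_TYPE`. The `__typeof__( ((struct statfs *)0)->f_type )` typedef takes the type from the libc's own struct, which is the right approach, but it requires struct statfs to be declared by an include above the hunk, which this context does not show — confirm that holds on musl.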
@@ -0,0 +1,27 @@
+SUMMARY = "EST is used for secure certificate \
+enrollment and is compatible with Suite B certs (as well as RSA \
+and DSA certificates)"
+
+LICENSE = "OpenSSL"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
+
+SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
+SRC_URI = "git://github.com/cisco/libest"
+
+DEPENDS = "openssl"
+
+#fatal error: execinfo.h: No such file or directory
+DEPENDS_append_libc-musl = " libexecinfo"
+
+inherit autotools-brokensep
+
+EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
+
+CFLAGS += "-fcommon"
+LDFLAGS_append_libc-musl = " -lexecinfo"
+
+S = "${WORKDIR}/git"
+
+PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
+
+FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
index 35365d5b4..0cf2d70b8 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.5.0.bb
@@ -45,4 +45,4 @@ do_install_ptest() {
 FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
 FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-RDEPENDS_${PN}-ptest = "bash"
+RDEPENDS_${PN}-ptest = "coreutils bash"
diff --git a/meta-security/recipes-security/opendnssec/files/fix_fprint.patch b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
new file mode 100644
index 000000000..da0bcfe74
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/fix_fprint.patch
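Review bot: `SRC_URI = "git://github.com/cisco/libest"` fetches over the plain git:// transport with neither `protocol=https` nor a `;branch=` parameter; SRCREV pins the commit so the content is integrity-checked, but the transport is unauthenticated, later bitbake releases reject git URLs without an explicit branch, and GitHub has since discontinued git:// service. I would write `SRC_URI = "git://github.com/cisco/libest;protocol=https;branch=master"` after confirming which branch contains the pinned SRCREV; the same point applies to the opendnssec_2.1.6.bb hunk further down (`git://github.com/opendnssec/opendnssec;branch=develop`). Separately, `FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"` hard-codes the version in the library name, so `${libdir}/libest-${PV}p.so` would keep it in step with the recipe on the next bump.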
@@ -0,0 +1,25 @@
+format not a string literal and no format arguments
+
+missing module_str in call
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+../../../git/enforcer/src/keystate/keystate_ds.c:192:7: error: format not a string literal and no format arguments [-Werror=format-security]
+| 192 | ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
+| | ^~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Index: git/enforcer/src/keystate/keystate_ds.c
+===================================================================
+--- git.orig/enforcer/src/keystate/keystate_ds.c
++++ git/enforcer/src/keystate/keystate_ds.c
+@@ -189,7 +189,7 @@ exec_dnskey_by_id(int sockfd, struct dbw
+ status = 0;
+ }
+ else {
+- ods_log_error_and_printf(sockfd, "Failed to run %s", cp_ds);
++ ods_log_error_and_printf(sockfd, module_str, "Failed to run %s", cp_ds);
+ status = 7;
+ }
+ }
diff --git a/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
new file mode 100644
index 000000000..126e197f3
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libdns_conf_fix.patch
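Review bot: The patch header presents this as silencing `-Werror=format-security`, but the fix inserts `module_str` as the second argument, which implies `ods_log_error_and_printf` takes (sockfd, module, format, ...); if so, the original call passed "Failed to run %s" as the module name and `cp_ds` — the command string the message is about — as the printf format, i.e. a real format-string bug that the compiler caught rather than a spurious warning. That is worth stating in the description (something like "cp_ds was being used as the format string because the module argument was missing") and, given `Upstream-Status: Pending`, worth sending upstream with that reasoning. The function prototype is outside the hunk, so please confirm the argument order before rewording; exec_dnskey_by_id begins and ends outside the hunk as well.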
@@ -0,0 +1,217 @@
+Configure does not work with OE pkg-config for the ldns option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster
+
+Index: opendnssec-2.1.6/m4/acx_ldns.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_ldns.m4
++++ opendnssec-2.1.6/m4/acx_ldns.m4
+@@ -1,128 +1,65 @@
+-AC_DEFUN([ACX_LDNS],[
+- AC_ARG_WITH(ldns,
+- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+- LIBS="$LIBS $LDNS_LIBS"
+-
+- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])])
+- LIBS=$tmp_LIBS
+-
+- AC_MSG_CHECKING([for ldns version])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION >= $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([>= $1.$2.$3])
+- ],[
+- AC_MSG_RESULT([< $1.$2.$3])
+- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)])
+- ],[])
+- AC_LANG_POP([C])
++#serial 11
+
+- CPPFLAGS=$tmp_CPPFLAGS
+-
+- AC_SUBST(LDNS_INCLUDES)
+- AC_SUBST(LDNS_LIBS)
+-])
+-
+-
+-AC_DEFUN([ACX_LDNS_NOT],[
+- AC_ARG_WITH(ldns,
+- [AC_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+-
+- AC_MSG_CHECKING([for ldns version not $1.$2.$3])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION != $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([ok])
+- ],[
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4])
+- ],[])
+- AC_LANG_POP([C])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
++AU_ALIAS([CHECK_LDNS], [ACX_LDNS])
++AC_DEFUN([ACX_LDNS], [
++ found=false
++ AC_ARG_WITH([ldns],
++ [AS_HELP_STRING([--with-ldns=DIR],
++ [root of the lnds directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-lnds value])
++ ;;
++ *) ldnsdirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and lnds has installed a .pc file,
++ # then use that information and don't search ldnsdirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null`
++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
++
++ # no such luck; use some default ldnsdirs
++ if ! $found; then
++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ if ! $found; then
++ LDNS_INCLUDES=
++ for ldnsdir in $ldnsdirs; do
++ AC_MSG_CHECKING([for LDNS in $ldnsdir])
++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then
++ LDNS_INCLUDES="-I$ldnsdir/include"
++ LDNS_LDFLAGS="-L$ldnsdir/lib"
++ LDNS_LIBS="-lldns"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
++ LIBS="$LDNS_LIBS $LIBS"
++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS"
++
++ AC_SUBST([LDNS_INCLUDES])
++ AC_SUBST([LDNS_LIBS])
++ AC_SUBST([LDNS_LDFLAGS])
+ ])
+Index: opendnssec-2.1.6/configure.ac
+===================================================================
+--- opendnssec-2.1.6.orig/configure.ac
++++ opendnssec-2.1.6/configure.ac
+@@ -138,9 +138,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_
+
+ # common dependencies
+ ACX_LIBXML2
+-ACX_LDNS(1,6,17)
+-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html])
+-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html])
++ACX_LDNS(1.6.17)
+ ACX_PKCS11_MODULES
+ ACX_RT
+ ACX_LIBC
diff --git a/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch
new file mode 100644
index 000000000..b4ed4306d
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/files/libxml2_conf.patch 
@@ -0,0 +1,112 @@
+configure does not work with OE pkg-config for the libxml2 option
+
+Upstream-Status: OE specific
+
+Signed-off-by: Armin Kuster
+
+Index: opendnssec-2.1.6/m4/acx_libxml2.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4
++++ opendnssec-2.1.6/m4/acx_libxml2.m4
+@@ -1,37 +1,67 @@
++#serial 11
++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2])
+ AC_DEFUN([ACX_LIBXML2],[
+- AC_ARG_WITH(libxml2,
+- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])],
+- [
+- XML2_PATH="$withval"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin)
+- ],[
+- XML2_PATH="/usr/local"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH)
+- ])
+- if test -x "$XML2_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the xml2 includes)
+- XML2_INCLUDES="`$XML2_CONFIG --cflags`"
+- AC_MSG_RESULT($XML2_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the xml2 libs)
+- XML2_LIBS="`$XML2_CONFIG --libs`"
+- AC_MSG_RESULT($XML2_LIBS)
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES"
+- LIBS="$LIBS $XML2_LIBS"
+-
+- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
+- LIBS=$tmp_LIBS
+- else
+- AC_MSG_ERROR([libxml2 required, but not found.])
+- fi
++ found=false
++ AC_ARG_WITH([libxml2],
++ [AS_HELP_STRING([--with-libxml2=DIR],
++ [root of the libxml directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-libxml2 value])
++ ;;
++ *) xml2dirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and openssl has installed a .pc file,
++ # then use that information and don't search ssldirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null`
++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
+
+- AC_SUBST(XML2_INCLUDES)
+- AC_SUBST(XML2_LIBS)
++ # no such luck; use some default ssldirs
++ if ! $found; then
++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ # note that we #include , so the libxml2 headers have to be in
++ # an 'libxml' subdirectory
++
++ if ! $found; then
++ XML2_INCLUDES=
++ for xml2dir in $xml2dirs; do
++ AC_MSG_CHECKING([for XML2 in $xml2dir])
++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then
++ XML2_INCLUDES="-I$xml2dir/include/libxml2"
++ XML2_LDFLAGS="-L$xml2dir/lib"
++ XML2_LIBS="-lxml2"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS"
++ LIBS="$XML2_LIBS $LIBS"
++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS"
++
++ AC_SUBST(XML2_INCLUDES)
++ AC_SUBST(XML2_LIBS)
++ AC_SUBST(XML2_LDFLAGS)
+ ])
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb
new file mode 100644
index 000000000..5e42ca8f7
--- /dev/null
+++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.6.bb
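Review bot: The rewritten ACX_LIBXML2 drops both the `AC_CHECK_LIB(xml2, xmlDocGetRootElement, ...)` probe and the `AC_MSG_ERROR([libxml2 required, but not found.])` fallback, so when neither pkg-config nor the directory scan locates libxml2, configure continues (the new comment even says "try the link anyway") and the problem only surfaces as a compile or link error deep in the build. In OE libxml2 is in DEPENDS and `--with-libxml2=${STAGING_DIR_HOST}/usr` is passed, so it will normally be found, but an `AC_MSG_ERROR([libxml2 required, but not found.])` after the `done` loop when `$found` is still false would preserve the loud failure at no cost. The comments still refer to `openssl` and `ssldirs` and should name libxml2; they, like the unchecked `--libs-only-L` pattern, are shared with the ldns macro in the previous hunk.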
@@ -0,0 +1,37 @@
+SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
+
+DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
+
+SRC_URI = "git://github.com/opendnssec/opendnssec;branch=develop \
+ file://libxml2_conf.patch \
+ file://libdns_conf_fix.patch \
+ file://fix_fprint.patch \
+ "
+
+SRCREV = "5876bccb38428790e2e9afc806ca68b029879874"
+
+inherit autotools pkgconfig perlnative
+
+S = "${WORKDIR}/git"
+
+EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \
+ --with-ssl=${STAGING_DIR_HOST}/usr "
+
+CFLAGS += "-fcommon"
+
+PACKAGECONFIG ?= "sqlite3"
+
+PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit,"
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3"
+PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
+PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
+PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
+
+do_install_append () {
+ rm -rf ${D}${localstatedir}/run
+}
+
+RDEPENDS_${PN} = "softhsm"
diff --git a/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
new file mode 100644
index 000000000..74e837aa5
--- /dev/null
+++ b/meta-security/recipes-security/softHSM/softhsm_2.6.1.bb
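Review bot: `LICENSE = "BSD"` is the generic alias rather than the specific identifier for the LICENSE file whose checksum is pinned on the next line; OE wants the concrete SPDX name (probably `BSD-2-Clause` for OpenDNSSEC, to be confirmed against that file), and the softhsm_2.6.1.bb hunk below has the same `LICENSE = "BSD"`. The recipe calls itself 2.1.6 but builds a `branch=develop` snapshot pinned by SRCREV rather than a release tag, so PV may not describe what ships; if that is intentional, a comment naming the upstream tag the SRCREV corresponds to would make the relation auditable. Two small things: `DEPENDS` carries a trailing space inside the quotes, and the `rm -rf ${D}${localstatedir}/run` in do_install_append deserves the same one-line why-comment the sssd recipe uses (`# Rem remove /var/run as it is created on startup`).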
@@ -0,0 +1,30 @@
+SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface."
+HOMEPAGE = "www.opendnssec.org"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
+
+DEPENDS = "sqlite3"
+
+SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
+SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
+
+inherit autotools pkgconfig siteinfo
+
+EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
+EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
+
+PACKAGECONFIG ?= "pk11 openssl"
+
+PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
+PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
+PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
+PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
+PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
+PACKAGECONFIG[notvisable] = "--disable-visibility"
+PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
+PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
+PACKAGECONFIG[migrate] = "--with-migrate"
+PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
+
+RDEPENDS_${PN} = "sqlite3"
diff --git a/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
new file mode 100644
index 000000000..1a2233209
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0002-Provide-missing-defines-which-otherwise-are-availabl.patch
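Review bot: `PACKAGECONFIG[pk11]` has a doubled equals sign, `--with-p11-kit==${STAGING_DIR_HOST}/usr`, so configure receives a path that begins with `=`; it should read `--with-p11-kit=${STAGING_DIR_HOST}/usr`. Also, `npm` is absent from `PACKAGECONFIG ?= "pk11 openssl"`, which means the default build passes `--disable-non-paged-memory`; if that switch does what its name suggests (turns off the locked, non-swappable memory SoftHSM uses for key material), the default image keeps private keys in pageable memory, which for a PKCS#11 store is the wrong default and at minimum deserves a comment explaining the choice. Minor: `HOMEPAGE = "www.opendnssec.org"` lacks a URL scheme, `PACKAGECONFIG[ecc]` is likewise off by default so `--disable-ecc` is passed, and the option name `notvisable` is misspelled.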
@@ -0,0 +1,32 @@
+From 37a0999e5a9f54e1c61a02a7fbab6fcd04738b3c Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Thu, 8 Oct 2020 05:54:13 -0700
+Subject: [PATCH] Provide missing defines which otherwise are available on
+ glibc system headers
+
+Signed-off-by: Armin Kuster
+
+Upsteam-Status: Pending
+
+---
+ src/util/util.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 8a754dbfd..6e55b4bdc 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -76,6 +76,10 @@
+ #define MAX(a, b) (((a) > (b)) ? (a) : (b))
+ #endif
+
++#ifndef ALLPERMS
++# define ALLPERMS (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)/* 07777 */
++#endif
++
+ #define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS
+
+ #define SSSD_SERVER_OPTS(uid, gid) \
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
deleted file mode 100644
index e54fa98e9..000000000
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ /dev/null
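Review bot: The header line reads `Upsteam-Status: Pending` — the key is misspelled, and the OE patch-checking tooling matches `Upstream-Status:` literally, so this file will be flagged as lacking the tag; it should be `Upstream-Status: Pending`. The `#ifndef ALLPERMS` guard is the right shape and the trailing `/* 07777 */` documents the value, but the commit message only says the define is "otherwise available on glibc system headers"; naming the libc that lacks it (the recipe in this series adds musl-specific dependencies, so presumably musl) would tell a future reader when the patch can be dropped.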
@@ -1,126 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://pagure.io/SSSD/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-
-# If no crypto has been selected, default to DEPEND on nss, since that's what
-# sssd will pick if no active choice is made during configure
-DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
- bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
-
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
- file://sssd.conf \
- file://volatiles.99_sssd \
- file://fix-ldblibdir.patch \
- file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
- file://0001-nss-Collision-with-external-nss-symbol.patch \
- "
-
-SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
-SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
-
-inherit autotools pkgconfig gettext python3-dir features_check systemd
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-SSSD_UID ?= "root"
-SSSD_GID ?= "root"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
-PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
-PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
-
-EXTRA_OECONF += " \
- --disable-cifs-idmap-plugin \
- --without-nfsv4-idmapd-plugin \
- --without-ipa-getkeytab \
- --without-python2-bindings \
- --enable-pammoddir=${base_libdir}/security \
- --without-python2-bindings \
- --without-secrets \
- --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
-"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
- install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
- rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
- chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
- sssd-nss.service \
- sssd-nss.socket \
- sssd-pam-priv.socket \
- sssd-pam.service \
- sssd-pam.socket \
- sssd.service \
-"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} = "bind dbus libldb libpam"
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.5.bb b/meta-security/recipes-security/sssd/sssd_1.16.5.bb
new file mode 100644
index 000000000..9784ec77d
--- /dev/null
+++ b/meta-security/recipes-security/sssd/sssd_1.16.5.bb
@@ -0,0 +1,128 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+DEPENDS_append_libc-musl = " musl-nscd"
+
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://fix-ldblibdir.patch \
+ file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
+ file://0001-nss-Collision-with-external-nss-symbol.patch \
+ file://0002-Provide-missing-defines-which-otherwise-are-availabl.patch \
+ "
+
+SRC_URI[sha256sum] = "2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0"
+
+inherit autotools pkgconfig gettext python3-dir features_check systemd
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+ ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ "
+
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+ --without-secrets \
+ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
+"
+
+do_configure_prepend() {
+ mkdir -p ${AUTOTOOLS_AUXDIR}/build
+ cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+
+ # libresove has host path, remove it
+ sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+
+do_install () {
+ oe_runmake install DESTDIR="${D}"
+ rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+ install -d ${D}/${sysconfdir}/${BPN}
+ install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+ rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+ chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
+}
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd.service \
+"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
+FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+
+# The package contains symlinks that trip up insane
+INSANE_SKIP_${PN} = "dev-so"
+
+RDEPENDS_${PN} = "bind dbus libldb libpam"
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 000000000..ef114cab0
--- /dev/null
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
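Review bot: `EXTRA_OECONF` lists `--without-python2-bindings` twice (the fourth and sixth continuation lines); the duplicate should be dropped. In `pkg_postinst_ontarget_${PN}` the existence test uses a hard-coded `/etc/init.d/populate-volatile.sh` while the invocation on the next line uses `${sysconfdir}/init.d/populate-volatile.sh`, so the two can disagree if sysconfdir is ever relocated; both should use `${sysconfdir}`. Both issues are carried over verbatim from the deleted sssd_1.16.4.bb above, and a version bump that already touches DEPENDS and SRC_URI is the natural place to clean them up; the switch to `SRC_URI[sha256sum]` only and the `musl-nscd` dependency are otherwise fine.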
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "
--
cgit v1.2.3
From 157744bac930642ebf7952ec8dc3df2faffd0928 Mon Sep 17 00:00:00 2001
From: Andrew Geissler
Date: Fri, 30 Oct 2020 15:42:05 -0500
Subject: meta-security: subtree update:4c2f7ffd49..e8c9e69c80
Armin Kuster (3):
 meta-security: Add gatesgarth to LAYERSERIES_COMPAT
 gitlab-ci: add meta-hardening build image
 gitlab-ci: add building meta-security-compliance pkgs
Sajjad Ahmed (1):
 layer.conf: use += instead of := to update BBFILES
Signed-off-by: Andrew Geissler
Change-Id: Id5439f3fdfc88fe3c987ee3c8cb7d3ed6a5a6a22
---
 meta-security/.gitlab-ci.yml | 10 ++++++++++
 meta-security/conf/layer.conf | 2 +-
 meta-security/kas/kas-security-base.yml | 1 +
 meta-security/kas/qemux86-comp.yml | 11 +++++++++++
 meta-security/kas/qemux86-harden.yml | 10 ++++++++++
 meta-security/meta-hardening/conf/layer.conf | 2 +-
 meta-security/meta-integrity/conf/layer.conf | 5 ++---
 meta-security/meta-security-compliance/conf/layer.conf | 2 +-
 meta-security/meta-security-isafw/conf/layer.conf | 2 +-
 meta-security/meta-tpm/conf/layer.conf | 2 +-
 10 files changed, 39 insertions(+), 8 deletions(-)
 create mode 100644 meta-security/kas/qemux86-comp.yml
 create mode 100644 meta-security/kas/qemux86-harden.yml
(limited to 'meta-security/meta-tpm')
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 50bfe4fa3..3a1687cca 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -136,6 +136,16 @@ qemuarm64-musl:
 script:
 - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+qemux86-harden:
+ extends: .build
+ script:
+ - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-comp:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
 qemux86-test:
 extends: .build
 allow_failure: true
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 2c3bd9654..8c0254b82 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
 BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "dunfell"
+LAYERSERIES_COMPAT_security = "gatesgarth"
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index 6a77af599..ba0e0f81f 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -10,6 +10,7 @@ repos:
 meta-tpm:
 meta-integrity:
 meta-security-compliance:
+ meta-hardening:
 poky:
 url: https://git.yoctoproject.org/git/poky
diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml
new file mode 100644
index 000000000..14c5dcabf
--- /dev/null
+++ b/meta-security/kas/qemux86-comp.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-compliance: |
+ IMAGE_INSTALL_append = " lynis"
+ IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide"
+
+machine: qemux86
diff --git a/meta-security/kas/qemux86-harden.yml b/meta-security/kas/qemux86-harden.yml
new file mode 100644
index 000000000..fb59ddab2
--- /dev/null
+++ b/meta-security/kas/qemux86-harden.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO = "harden"
+
+machine: qemux86
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index 589621440..22d88749d 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_harden-layer = "10"
-LAYERSERIES_COMPAT_harden-layer = "dunfell"
+LAYERSERIES_COMPAT_harden-layer = "gatesgarth"
 LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index f905b0be4..76374eb9b 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@ BBPATH =. "${LAYERDIR}:"
 # We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
 ${LAYERDIR}/recipes-*/*/*.bbappend"
 BBFILE_COLLECTIONS += "integrity"
@@ -21,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "dunfell"
+LAYERSERIES_COMPAT_integrity = "gatesgarth"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 965c83797..db243f710 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "dunfell"
+LAYERSERIES_COMPAT_scanners-layer = "gatesgarth"
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf
index 63f990a8b..b8ee1c013 100644
--- a/meta-security/meta-security-isafw/conf/layer.conf
+++ b/meta-security/meta-security-isafw/conf/layer.conf
@@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1"
 LAYERDEPENDS_security-isafw = "core"
-LAYERSERIES_COMPAT_security-isafw = "dunfell"
+LAYERSERIES_COMPAT_security-isafw = "gatesgarth"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 46d0279cc..cd62fbac2 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "dunfell"
+LAYERSERIES_COMPAT_tpm-layer = "gatesgarth"
 LAYERDEPENDS_tpm-layer = " \
 core \
-- cgit v1.2.3
