From cc58928593c3952679181b6bf8e4113080ffa867 Mon Sep 17 00:00:00 2001 
From: Andrew Geissler Date: Fri, 18 Sep 2020 13:34:40 -0500 Subject: meta-security: subtree update:787ba6faea..d6baccc068 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Armin Kuster (20): trousers: update to tip upload-error-report: add script to upload errors kas/kas-security-base.yml: lets enable error reporting .gitlab: send error reports cryptsetup-tpm-incubator: drop recipe sssd: Avoid nss function conflicts with glibc nss.h cryptsetup-tpm-incubator: remove reference from other files packagegroup-core-security: dont include suricata on riscv or ppc kas-security-base: add testimage kas: add test config kas: add one dm-verify image build gitlab-ci: add dm-verify-image gitlab-ci: add testimage meta-harden: Add a layer to demo harding OE/YP kas-security-base: define sections as base packagegroup-core-security: add more pkgs to base group apparmor: exclude mips64, not supported kas: add alt and mutli build images kas-security-base: set RPM and disable ptest qemu test: set ptest Charlie Davies (1): clamav: update SO_VER to 9.0.4 Jens Rehsack (2): ibmswtpm2: update to 1637 ibmtpm2tss: add recipe Jonatan PĂ„lsson (1): sssd: Make manpages buildable Qi.Chen@windriver.com (1): nss: update patch to fix do_patch error Zheng Ruoqin (1): trousers: Fix the problem that do_package fails when multilib is enabled. niko.mauno@vaisala.com (12): dm-verity-img.bbclass: Fix bashisms dm-verity-img.bbclass: Reorder parse-time check dm-verity-image-initramfs: Ensure verity hash sync dm-verity-image-initramfs: Bind at do_image instead linux-yocto(-dev): Add dm-verity fragment as needed dm-verity-img.bbclass: Stage verity.env file initramfs-framework: Add dmverity module dm-verity-image-initramfs: Use initramfs-framework dm-verity-initramfs-image: Cosmetic improvements dm-verity-image-initramfs: Add base-passwd package dm-verity-image-initramfs: Drop locales from image beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR 
Signed-off-by: Andrew Geissler Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7 --- .../images/dm-verity-image-initramfs.bb | 28 ++++++++---- .../initrdscripts/initramfs-dm-verity.bb | 13 ------ .../initramfs-dm-verity/init-dm-verity.sh | 46 ------------------- .../initrdscripts/initramfs-framework/dmverity | 53 ++++++++++++++++++++++ .../initrdscripts/initramfs-framework_1.0.bbappend | 16 +++++++ .../packagegroup/packagegroup-core-security.bb | 19 ++++++-- 6 files changed, 101 insertions(+), 74 deletions(-) delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend (limited to 'meta-security/recipes-core') diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762d..187aeaee2 100644 --- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb 
@@ -1,26 +1,34 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-dm-verity \ base-files \ + base-passwd \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" + # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_image[nostamp] = "1" -inherit core-image +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b61495655..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null 
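Review bot: Nothing in this recipe says what authenticates the initramfs that now carries the root hash: `deploy_verity_hash` copies `dm-verity.env` into `${datadir}/misc` as a plain file, so the initramfs (with the kernel) becomes the trust anchor of the whole verity chain. If the bootloader does not verify kernel+initramfs (signed FIT/UKI, secure boot, or an initramfs built into a signed kernel), an attacker who can write the boot partition replaces the rootfs image and `dm-verity.env` together and verity protects nothing — presumably that is handled elsewhere in the layer, but the recipe should say so. Suggest a comment above `deploy_verity_hash()`: `# ROOT_HASH in dm-verity.env is the trust anchor: this initramfs and the kernel must be signature-checked by the bootloader, otherwise dm-verity is bypassed by rewriting the env file.`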
@@ -1,13 +0,0 @@
-SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-SRC_URI = "file://init-dm-verity.sh"
-
-do_install() {
- install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
- install -d ${D}/dev
- mknod -m 622 ${D}/dev/console c 5 1
-}
-
-FILES_${PN} = "/init /dev/console"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
deleted file mode 100644
index 307d2c74b..000000000
--- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-RDEV=""
-ROOT_DIR="/new_root"
-
-mkdir -p /proc
-mkdir -p /sys
-mkdir -p /run
-mkdir -p /tmp
-mount -t proc proc /proc
-mount -t sysfs sysfs /sys
-mount -t devtmpfs none /dev
-
-udevd --daemon
-udevadm trigger --type=subsystems --action=add
-udevadm trigger --type=devices --action=add
-udevadm settle --timeout=10
-
-for PARAM in $(cat /proc/cmdline); do
- case $PARAM in
- root=*)
- RDEV=${PARAM#root=}
- ;;
- esac
-done
-
-if ! [ -b $RDEV ]; then
- echo "Missing root command line argument!"
- exit 1
-fi
-
-case $RDEV in
- UUID=*)
- RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
- ;;
-esac
-
-. /usr/share/dm-verity.env
-
-echo "Mounting $RDEV over dm-verity as the root filesystem"
-
-veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
-mkdir -p $ROOT_DIR
-mount -o ro /dev/mapper/rootfs $ROOT_DIR
-exec switch_root $ROOT_DIR /sbin/init
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
new file mode 100644
index 000000000..bb07aab58
--- /dev/null
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+
+ if ! [ -b "${RDEV}" ]; then
+ echo "Root device resolution failed"
+ exit 1
+ fi
+
+ veritysetup \
+ --data-block-size=1024 \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 000000000..dad9c967c
--- /dev/null
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+ file://dmverity \
+"
+
+do_install_append() {
+ # dm-verity
+ install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
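Review bot: In `dmverity_run` the exit status of `veritysetup create` is ignored, and the `__not_set__` sentinels assigned to `DATA_SIZE` and `ROOT_HASH` before sourcing `/usr/share/misc/dm-verity.env` are never checked afterwards, so a missing hash or a rejected root hash only surfaces indirectly when the later `mount` of `/dev/mapper/rootfs` fails with a message that points at the wrong step. Make the fail-closed behaviour explicit: before `veritysetup`, add `[ "${ROOT_HASH}" != "__not_set__" ] && [ "${DATA_SIZE}" != "__not_set__" ] || exit 1`, and append `|| exit 1` to the `${ROOT_HASH}` argument line so a hash mismatch or an absent `veritysetup` is reported where it happens. `${RDEV}`, `${DATA_SIZE}`, `${ROOT_HASH}` and `${ROOTFS_DIR}` are unquoted in those two commands while the `case` arms above quote them, and `root=` comes from the kernel command line, so quote them too. `dmverity_enabled` returning 0 unconditionally is what keeps the verity mount non-bypassable from the command line — presumably intentional, and worth a comment such as `# Always on: the rootfs must never be mounted without verity, whatever the cmdline says.`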
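Review bot: `RDEPENDS_initramfs-module-dmverity = "${PN}-base"` omits what the module executes at boot: `veritysetup` (apparently packaged by cryptsetup, since the image recipe in this same commit adds `cryptsetup` to `PACKAGE_INSTALL` for it) and the udev-populated `/dev/disk/by-*` links that the `case` in `dmverity` resolves against. The image recipe pulls in `cryptsetup` and `initramfs-module-udev` by hand, so this build works, but any other initramfs that installs `initramfs-module-dmverity` alone gets a module that fails at boot. If those are the right package names in this layer, `RDEPENDS_initramfs-module-dmverity = "${PN}-base initramfs-module-udev cryptsetup"` keeps the dependency with the module instead of in every image.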
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index c6342fdb2..1d0180052 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -9,6 +9,8 @@ PACKAGES = "\ packagegroup-core-security \ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -16,6 +18,8 @@ PACKAGES = "\ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -23,18 +27,23 @@ RDEPENDS_packagegroup-core-security = "\ SUMMARY_packagegroup-security-utils = "Security utilities" RDEPENDS_packagegroup-security-utils = "\ checksec \ + ding-libs \ + ecryptfs-utils \ + fscryptctl \ + keyutils \ nmap \ pinentry \ + python3-privacyidea \ + python3-fail2ban \ python3-scapy \ - ding-libs \ - keyutils \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " SUMMARY_packagegroup-security-scanners = "Security scanners" RDEPENDS_packagegroup-security-scanners = "\ + isic \ nikto \ checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ 
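Review bot: `packctl` in the `pax` branch of `RDEPENDS_packagegroup-security-utils` (third hunk of this file) looks like a typo for `paxctl`, the PaX flag tool that naturally accompanies `pax-utils`; if no `packctl` recipe exists, every build with `pax` in DISTRO_FEATURES fails dependency resolution on this group while builds without it never notice, so the CI configurations added by this series would not catch it. Please confirm the recipe name and, if so, change the line to `${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils paxctl", "",d)} \`.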
@@ -55,7 +64,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ samhain-standalone \ - suricata \ + ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" -- cgit v1.2.3