From f1e440673465aa768f31e78c0c201002f9f767b7 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Thu, 15 Apr 2021 15:52:46 -0500 Subject: meta-security: subtree update:775870980b..ca9264b1e1 Anton Antonov (4): Use libest "main" branch instead of "master". Add meta-parsec layer into meta-security. Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI Clearly define clang toolchain in Parsec recipes Armin Kuster (16): packagegroup-core-security: drop clamav-cvd clamav: upgrade 104.0 python3-privacyidea: upgrade 3.5.1 -> 3.5.2 clamav: fix systemd service install swtpm: now need python-cryptography, pull in layer swtpm: file pip3 issue swtpm: fix check for tscd deamon on host python3-suricata-update: update to 1.2.1 suricata: update to 6.0.2 layer.conf: add dynamic-layer for rust pkg README: cleanup .gitlab-ci.yml: reorder to speed up builds kas-security-base.yml: tweek build vars gitlab-ci: fine tune order clamav: remove rest of mirror.dat ref lkrg-module: Add Linux Kernel Runtime Guard Ming Liu (2): meta: drop IMA_POLICY from policy recipes initramfs-framework-ima: introduce IMA_FORCE Signed-off-by: Andrew Geissler Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
---
.../lkrg/files/makefile_cleanup.patch | 73 ++++++++++++++++++++++ .../recipes-kernel/lkrg/lkrg-module_0.9.0.bb | 33 ++++++++++ 2 files changed, 106 insertions(+) create mode 100644 meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch create mode 100644 meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb (limited to 'meta-security/recipes-kernel/lkrg')
diff --git a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
new file mode 100644
index 000000000..106dc3f1e
--- /dev/null
+++ b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -0,0 +1,73 @@
+Upstream-Status: Pending
+
+This needs more work. Its my starting point.
+
+Signed-off-by: Armin Kuster
+
+Index: lkrg-0.9.0/Makefile
+===================================================================
+--- lkrg-0.9.0.orig/Makefile
++++ lkrg-0.9.0/Makefile
+@@ -4,28 +4,10 @@
+ # Author:
+ # - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ ##
+-
+-P_OUTPUT = output
+ P_PWD ?= $(shell pwd)
+-P_KVER ?= $(shell uname -r)
+-P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+-TARGET := p_lkrg
+-ifneq ($(KERNELRELEASE),)
+- KERNEL := /lib/modules/$(KERNELRELEASE)/build
+-else
+- ## KERNELRELEASE not set.
+- KERNEL := /lib/modules/$(P_KVER)/build
+-endif
+-
+-#
+-# Uncomment for debug compilation
+-#
+-# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
+-# ccflags-y := ${ccflags-m}
+-# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
+
+-obj-m += $(TARGET).o
+-$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
++obj-m := p_lkrg.o
++p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
+ src/modules/hashing/p_lkrg_fast_hash.o \
+ src/modules/comm_channel/p_comm_channel.o \
+ src/modules/integrity_timer/p_integrity_timer.o \
+@@ -91,23 +73,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+ src/p_lkrg_main.o
+
+
+-all:
+-# $(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules
+- mkdir -p $(P_OUTPUT)
+- cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+-
+-install:
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
+- depmod -a
+- $(P_PWD)/$(P_BOOTUP_SCRIPT) install
+
+-uninstall:
+- $(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
++modules:
++ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
++
++modules_install:
++ $(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+
+ clean:
+- $(MAKE) -C $(KERNEL) M=$(P_PWD) clean
+- $(RM) Module.markers modules.order
+- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+- $(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
+- $(RM) -rf $(P_OUTPUT)
++ rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
++ rm -f Module.markers Module.symvers modules.order
++ rm -rf .tmp_versions Modules.symvers
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
new file mode 100644
index 000000000..dbc195d35
--- /dev/null
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.0.bb
@@ -0,0 +1,33 @@
+SUMMARY = "Linux Kernel Runtime Guard"
+DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
+kernel and detection of security vulnerability exploits against the kernel."
+SECTION = "security"
+HOMEPAGE = "https://www.openwall.com/lkrg/"
+LICENSE = "GPLv2"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d931f44a1f4be309bcdac742d7ed92f9"
+
+DEPENDS = "virtual/kernel elfutils"
+
+SRC_URI = "https://www.openwall.com/lkrg/lkrg-${PV}.tar.gz \
+ file://makefile_cleanup.patch "
+
+SRC_URI[sha256sum] = "a997e4d98962c359f3af163bbcfa38a736d2a50bfe35c15065b74cb57f8742bf"
+
+S = "${WORKDIR}/lkrg-${PV}"
+
+inherit module kernel-module-split
+
+MAKE_TARGETS = "modules"
+
+MODULE_NAME = "p_lkrg"
+
+module_do_install() {
+ install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
+ install -m 0644 ${MODULE_NAME}.ko \
+ ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
+}
+
+RPROVIDES_${PN} += "kernel-module-lkrg"
+
+COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
-- cgit v1.2.3
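Review bot: The rewritten `clean` recipe only removes build products from the top-level directory, but every object listed in `p_lkrg-y` lives under `src/`, so stale `.o` and `.*.cmd` files survive a clean and can be picked up by the next build. Delegating to kbuild as the removed recipe did, with the new variable, would cover the subdirectories: `$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) clean`. The last `rm -rf` line also names `Modules.symvers`, which looks like a typo for the `Module.symvers` already removed on the line before. Finally, `modules`, `modules_install` and `clean` are not declared `.PHONY`, so a file of the same name in the source tree would silently disable the target.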
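Review bot: The `module_do_install()` override copies `${MODULE_NAME}.ko` into place with plain `install`, so the kbuild `modules_install` step never runs; that step is where the kernel build signs modules when module signing is configured, so on a target that enforces module signatures this module would presumably be refused at load time. The override also leaves the `modules_install` target added by makefile_cleanup.patch unused. Consider dropping the override so the `module` class default invokes `modules_install`, or document why a manual copy is required. Separately, nothing in the recipe loads the module at boot now that the upstream bootup script is no longer installed; if images shipping this package are meant to be protected by default, `KERNEL_MODULE_AUTOLOAD += "p_lkrg"` would make that explicit.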