From 157744bac930642ebf7952ec8dc3df2faffd0928 Mon Sep 17 00:00:00 2001
From: Andrew Geissler
Date: Fri, 30 Oct 2020 15:42:05 -0500
Subject: meta-security: subtree update:4c2f7ffd49..e8c9e69c80
Armin Kuster (3):
meta-security: Add gatesgarth to LAYERSERIES_COMPAT
gitlab-ci: add meta-hardening build image
gitlab-ci: add building meta-security-compliance pkgs
Sajjad Ahmed (1):
layer.conf: use += instead of := to update BBFILES
Signed-off-by: Andrew Geissler
Change-Id: Id5439f3fdfc88fe3c987ee3c8cb7d3ed6a5a6a22
---
 meta-security/.gitlab-ci.yml | 10 ++++++++++
 meta-security/conf/layer.conf | 2 +-
 meta-security/kas/kas-security-base.yml | 1 +
 meta-security/kas/qemux86-comp.yml | 11 +++++++++++
 meta-security/kas/qemux86-harden.yml | 10 ++++++++++
 meta-security/meta-hardening/conf/layer.conf | 2 +-
 meta-security/meta-integrity/conf/layer.conf | 5 ++---
 meta-security/meta-security-compliance/conf/layer.conf | 2 +-
 meta-security/meta-security-isafw/conf/layer.conf | 2 +-
 meta-security/meta-tpm/conf/layer.conf | 2 +-
 10 files changed, 39 insertions(+), 8 deletions(-)
 create mode 100644 meta-security/kas/qemux86-comp.yml
 create mode 100644 meta-security/kas/qemux86-harden.yml
(limited to 'meta-security')
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 50bfe4fa3..3a1687cca 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -136,6 +136,16 @@ qemuarm64-musl:
 script:
 - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+qemux86-harden:
+ extends: .build
+ script:
+ - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-comp:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
 qemux86-test:
 extends: .build
 allow_failure: true
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 2c3bd9654..8c0254b82 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
 BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "dunfell"
+LAYERSERIES_COMPAT_security = "gatesgarth"
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index 6a77af599..ba0e0f81f 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -10,6 +10,7 @@ repos:
 meta-tpm:
 meta-integrity:
 meta-security-compliance:
+ meta-hardening:
 poky:
 url: https://git.yoctoproject.org/git/poky
diff --git a/meta-security/kas/qemux86-comp.yml b/meta-security/kas/qemux86-comp.yml
new file mode 100644
index 000000000..14c5dcabf
--- /dev/null
+++ b/meta-security/kas/qemux86-comp.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-compliance: |
+ IMAGE_INSTALL_append = " lynis"
+ IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide"
+
+machine: qemux86
diff --git a/meta-security/kas/qemux86-harden.yml b/meta-security/kas/qemux86-harden.yml
new file mode 100644
index 000000000..fb59ddab2
--- /dev/null
+++ b/meta-security/kas/qemux86-harden.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ meta-security: |
+ DISTRO = "harden"
+
+machine: qemux86
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index 589621440..22d88749d 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_harden-layer = "10"
-LAYERSERIES_COMPAT_harden-layer = "dunfell"
+LAYERSERIES_COMPAT_harden-layer = "gatesgarth"
 LAYERDEPENDS_harden-layer = "core openembedded-layer"
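Review bot: The `meta-compliance` fragment in the new kas/qemux86-comp.yml appends lynis, openscap, openscap-daemon and scap-security-guide to `IMAGE_INSTALL`, and nothing in the file says that this is a build-coverage configuration. Going by the commit message ("add building meta-security-compliance pkgs"), the purpose is to get those recipes compiled in CI. A leading comment such as `# CI only: pulls the meta-security-compliance scanners into the image so their recipes get built` would keep the file from being reused as an image baseline. That matters because `openscap-daemon` is presumably a resident service rather than an on-demand tool, which a shipped image would not normally carry by default.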
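Review bot: `DISTRO = "harden"` in the new kas/qemux86-harden.yml is set through a `local_conf_header` fragment, although kas has a top-level `distro:` key for this; `distro: harden` next to `machine: qemux86` would state it where readers expect it. The fragment is also named `meta-security`, and as far as I know kas merges `local_conf_header` entries by key across includes. If kas-security-base.yml defines a fragment with that name (its `local_conf_header` is not visible in this patch), this one would replace it rather than add to it, and any settings it carries would silently drop out of the hardened build. A distinct key such as `meta-hardening:` avoids that; the sibling qemux86-comp.yml already uses its own `meta-compliance` key.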
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index f905b0be4..76374eb9b 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@ BBPATH =. "${LAYERDIR}:"
 # We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
 ${LAYERDIR}/recipes-*/*/*.bbappend"
 BBFILE_COLLECTIONS += "integrity"
@@ -21,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "dunfell"
+LAYERSERIES_COMPAT_integrity = "gatesgarth"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 965c83797..db243f710 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_scanners-layer = "10"
-LAYERSERIES_COMPAT_scanners-layer = "dunfell"
+LAYERSERIES_COMPAT_scanners-layer = "gatesgarth"
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
diff --git a/meta-security/meta-security-isafw/conf/layer.conf b/meta-security/meta-security-isafw/conf/layer.conf
index 63f990a8b..b8ee1c013 100644
--- a/meta-security/meta-security-isafw/conf/layer.conf
+++ b/meta-security/meta-security-isafw/conf/layer.conf
@@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1"
 LAYERDEPENDS_security-isafw = "core"
-LAYERSERIES_COMPAT_security-isafw = "dunfell"
+LAYERSERIES_COMPAT_security-isafw = "gatesgarth"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 46d0279cc..cd62fbac2 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "10"
-LAYERSERIES_COMPAT_tpm-layer = "dunfell"
+LAYERSERIES_COMPAT_tpm-layer = "gatesgarth"
 LAYERDEPENDS_tpm-layer = " \
 core \
-- cgit v1.2.3