From cc58928593c3952679181b6bf8e4113080ffa867 Mon Sep 17 00:00:00 2001 
From: Andrew Geissler Date: Fri, 18 Sep 2020 13:34:40 -0500 Subject: meta-security: subtree update:787ba6faea..d6baccc068 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Armin Kuster (20): trousers: update to tip upload-error-report: add script to upload errors kas/kas-security-base.yml: lets enable error reporting .gitlab: send error reports cryptsetup-tpm-incubator: drop recipe sssd: Avoid nss function conflicts with glibc nss.h cryptsetup-tpm-incubator: remove reference from other files packagegroup-core-security: dont include suricata on riscv or ppc kas-security-base: add testimage kas: add test config kas: add one dm-verify image build gitlab-ci: add dm-verify-image gitlab-ci: add testimage meta-harden: Add a layer to demo harding OE/YP kas-security-base: define sections as base packagegroup-core-security: add more pkgs to base group apparmor: exclude mips64, not supported kas: add alt and mutli build images kas-security-base: set RPM and disable ptest qemu test: set ptest Charlie Davies (1): clamav: update SO_VER to 9.0.4 Jens Rehsack (2): ibmswtpm2: update to 1637 ibmtpm2tss: add recipe Jonatan Pålsson (1): sssd: Make manpages buildable Qi.Chen@windriver.com (1): nss: update patch to fix do_patch error Zheng Ruoqin (1): trousers: Fix the problem that do_package fails when multilib is enabled. niko.mauno@vaisala.com (12): dm-verity-img.bbclass: Fix bashisms dm-verity-img.bbclass: Reorder parse-time check dm-verity-image-initramfs: Ensure verity hash sync dm-verity-image-initramfs: Bind at do_image instead linux-yocto(-dev): Add dm-verity fragment as needed dm-verity-img.bbclass: Stage verity.env file initramfs-framework: Add dmverity module dm-verity-image-initramfs: Use initramfs-framework dm-verity-initramfs-image: Cosmetic improvements dm-verity-image-initramfs: Add base-passwd package dm-verity-image-initramfs: Drop locales from image beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR 
Signed-off-by: Andrew Geissler Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7 --- meta-security/.gitlab-ci.yml | 58 +++++++++- meta-security/classes/dm-verity-img.bbclass | 22 ++-- meta-security/kas/kas-security-base.yml | 12 +- meta-security/kas/kas-security-dm.yml | 13 +++ meta-security/kas/qemuarm64-alt.yml | 10 ++ meta-security/kas/qemuarm64-multi.yml | 12 ++ meta-security/kas/qemumips64-alt.yml | 10 ++ meta-security/kas/qemumips64-multi.yml | 14 +++ meta-security/kas/qemux86-64-alt.yml | 10 ++ meta-security/kas/qemux86-64-dm-verify.yml | 6 + meta-security/kas/qemux86-64-multi.yml | 12 ++ meta-security/kas/qemux86-test.yml | 11 ++ meta-security/meta-hardening/README | 86 ++++++++++++++ .../meta-hardening/conf/distro/harden.conf | 11 ++ meta-security/meta-hardening/conf/layer.conf | 13 +++ .../openssh/openssh_%.bbappend | 13 +++ .../recipes-core/base-files/base-files_%.bbappend | 4 + .../recipes-core/images/harden-image-minimal.bb | 25 +++++ .../recipes-core/initscripts/files/mountall.sh | 41 +++++++ .../initscripts/initscripts_1.0.bbappend | 8 ++ .../packagegroups/packagegroup-hardening.bb | 19 ++++ .../recipes-extended/shadow/shadow_%.bbappend | 10 ++ .../recipes-extended/sudo/sudo_%.bbappend | 7 ++ .../meta-tpm/conf/distro/include/maintainers.inc | 1 - .../packagegroup/packagegroup-security-tpm2.bb | 2 - ...tiple-security-issues-that-are-present-if.patch | 94 ---------------- .../meta-tpm/recipes-tpm/trousers/trousers_git.bb | 5 +- .../cryptsetup-tpm-incubator_0.9.9.bb | 47 -------- .../files/configure_fix.patch | 16 --- .../ibmswtpm2/files/fix-wrong-cast.patch | 27 +++++ .../ibmswtpm2/files/remove_optimization.patch | 26 ----- .../ibmswtpm2/files/tune-makefile.patch | 50 +++++++++ .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb | 26 ----- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb | 39 +++++++ ...2-Makefile.am-expand-wildcards-in-prereqs.patch | 125 +++++++++++++++++++++ .../recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb | 27 +++++ 
.../images/dm-verity-image-initramfs.bb | 28 +++-- .../initrdscripts/initramfs-dm-verity.bb | 13 --- .../initramfs-dm-verity/init-dm-verity.sh | 46 -------- .../initrdscripts/initramfs-framework/dmverity | 53 +++++++++ .../initrdscripts/initramfs-framework_1.0.bbappend | 16 +++ .../packagegroup/packagegroup-core-security.bb | 19 +++- .../recipes-kernel/linux/linux-yocto-dev.bbappend | 1 + .../recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 + .../recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 + .../recipes-scanners/clamav/clamav_0.101.5.bb | 2 +- ...-use-AC_CHECK_FILE-when-building-manpages.patch | 34 ++++++ ...01-nss-Collision-with-external-nss-symbol.patch | 78 +++++++++++++ meta-security/recipes-security/sssd/sssd_1.16.4.bb | 5 +- meta-security/scripts/upload-error-report | 26 +++++ meta-security/wic/beaglebone-yocto-verity.wks.in | 2 +- 51 files changed, 931 insertions(+), 307 deletions(-) create mode 100644 meta-security/kas/kas-security-dm.yml create mode 100644 meta-security/kas/qemuarm64-alt.yml create mode 100644 meta-security/kas/qemuarm64-multi.yml create mode 100644 meta-security/kas/qemumips64-alt.yml create mode 100644 meta-security/kas/qemumips64-multi.yml create mode 100644 meta-security/kas/qemux86-64-alt.yml create mode 100644 meta-security/kas/qemux86-64-dm-verify.yml create mode 100644 meta-security/kas/qemux86-64-multi.yml create mode 100644 meta-security/kas/qemux86-test.yml create mode 100644 meta-security/meta-hardening/README create mode 100644 meta-security/meta-hardening/conf/distro/harden.conf create mode 100644 meta-security/meta-hardening/conf/layer.conf create mode 100644 meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb create mode 100755 meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh create mode 
100644 meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb create mode 100644 meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend delete mode 100644 meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb delete mode 100644 meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb delete mode 100644 meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity create mode 100644 meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend create mode 100644 meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch create mode 100644 meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch create mode 
100755 meta-security/scripts/upload-error-report (limited to 'meta-security')
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 132eb785c..46468fd1c 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -5,17 +5,21 @@ stages:
 stage: build
 image: crops/poky
 before_script:
+ - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
 - export PATH=~/.local/bin:$PATH
 - wget https://bootstrap.pypa.io/get-pip.py
 - python3 get-pip.py
 - python3 -m pip install kas
- - wget -q 'https://downloads.rclone.org/rclone-current-linux-amd64.zip'
- - unzip -q rclone-current-linux-amd64.zip
- - mv rclone-*-linux-amd64/rclone ~/.local/bin/
- - rm -rf rclone-*-linux-amd64*
 after_script:
+ - cd $CI_PROJECT_DIR/poky
+ - . ./oe-init-build-env $CI_PROJECT_DIR/build
+ - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
+ - send-error-report -y tmp/log/error-report/$x
+ - done
+ - cd $CI_PROJECT_DIR
 - rm -rf build
- - ./scripts/ci-cleanup.sh
+ - $CI_PROJECT_DIR/scripts/ci-cleanup.sh
 cache:
 paths:
 - layers
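Review bot: The new after_script loop builds its file list from `ls … | grep error_report_` in a backtick substitution, so a missing error-report directory (the common case for a successful build) prints an ls error into the job log and a filename containing whitespace would be word-split; a glob guarded by an existence test is simpler and safe: `for x in $CI_PROJECT_DIR/build/tmp/log/error-report/error_report_*; do [ -e "$x" ] || continue; send-error-report -y "$x"; done`. The two added before_script lines write `$ERR_REPORT_USERNAME` and `$ERR_REPORT_EMAIL` into `~/.oe-send-error` and nothing removes that file afterwards, so if the runner's home directory outlives the job the credentials persist; treat both as masked/protected CI variables and consider an `rm -f ~/.oe-send-error` at the end of after_script.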
@@ -84,3 +88,47 @@ qemuarm64-ima:
 extends: .build
 script:
 - kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-64-dm-verify:
+ extends: .build
+ script:
+ - kas build --target core-image-minimal kas/qemux86-64.yml
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml
+
+
+qemuarm64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+
+qemux86-test:
+ extends: .build
+ script:
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 1c0e29b6e..16d395b55 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -18,12 +18,18 @@ # The resulting image can then be used to implement the device mapper block # integrity checking on the target device. +# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash +# is stored where it can be installed into associated initramfs rootfs. +STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity" + # Process the output from veritysetup and generate the corresponding .env # file. The output from veritysetup is not very machine-friendly so we need to # convert it to some better format. Let's drop the first line (doesn't contain # any useful info) and feed the rest to a script. process_verity() { - local ENV="$OUTPUT.env" + local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env" + install -d ${STAGING_VERITY_DIR} + rm -f $ENV # Each line contains a key and a value string delimited by ':'. Read the # two parts into separate variables and process them separately. For the @@ -32,15 +38,13 @@ process_verity() { # just trim all white-spaces. IFS=":" while read KEY VAL; do - echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV - echo -ne "=" >> $ENV - echo "$VAL" | tr -d " \t" >> $ENV + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV done # Add partition size echo "DATA_SIZE=$SIZE" >> $ENV - - ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env } verity_setup() { @@ -68,13 +72,13 @@ python __anonymous() { image_fstypes = d.getVar('IMAGE_FSTYPES') pn = d.getVar('PN') - if verity_image != pn: - return # This doesn't concern this image - if not verity_image or not verity_type: bb.warn('dm-verity-img class inherited but not used') return + if verity_image != pn: + return # This doesn't concern this image + if len(verity_type.split()) is not 1: bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type') 
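Review bot: `if len(verity_type.split()) is not 1:` on the last line of the reordered __anonymous check compares an int with `is not`, which tests identity rather than equality and is reported as a SyntaxWarning by Python 3.8+; it should read `if len(verity_type.split()) != 1:`. The __anonymous function continues outside the hunk. Separately, process_verity now writes the root-hash .env into `${TMPDIR}/work-shared/${MACHINE}/dm-verity`, a location outside WORKDIR and the deploy directory that sstate does not track, so an image task restored from sstate would presumably leave a stale .env for the initramfs to embed; the series' "Bind at do_image instead" change appears to be what guards against that, and a comment on STAGING_VERITY_DIR saying so, e.g. `# Not sstate-tracked: consumers must depend on the image's do_image task, not on this file`, would keep a future refactor from reintroducing the mismatch.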
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index 768390e25..cd87d1d40 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -29,7 +29,7 @@ repos: meta-networking: local_conf_header: - meta-security: | + base: | CONF_VERSION = "1" SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" @@ -37,6 +37,14 @@ local_conf_header: DL_DIR = "/home/srv/downloads/master" BB_HASHSERVE = "auto" BB_SIGNATURE_HANDLER = "OEEquivHash" + INHERIT += "buildstats buildstats-summary buildhistory" + INHERIT += "report-error" + INHERIT += "testimage" + TEST_QEMUBOOT_TIMEOUT = "1500" + EXTRA_IMAGE_FEATURES ?= "debug-tweaks" + DISTRO_FEATURES_remove = " ptest" + PACKAGE_CLASSES = "package_rpm" + diskmon: | BB_DISKMON_DIRS = "\ @@ -50,7 +58,7 @@ local_conf_header: ABORT,/tmp,10M,1K" bblayers_conf_header: - meta-security: | + base: | POKY_BBLAYERS_CONF_VERSION = "2" BBPATH = "${TOPDIR}" BBFILES ?= "" diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml new file mode 100644 index 000000000..7ce0e9d72 --- /dev/null +++ b/meta-security/kas/kas-security-dm.yml @@ -0,0 +1,13 @@ +header: + version: 9 + includes: + - kas-security-base.yml + +local_conf_header: + dm-verify: | + DM_VERITY_IMAGE = "core-image-minimal" + DM_VERITY_IMAGE_TYPE = "ext4" + IMAGE_CLASSES += "dm-verity-img" + INITRAMFS_IMAGE_BUNDLE = "1" + INITRAMFS_IMAGE = "dm-verity-image-initramfs" + diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml new file mode 100644 index 000000000..d23e38e0f --- /dev/null +++ b/meta-security/kas/qemuarm64-alt.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " apparmor pam systemd" + +machine: qemuarm64 
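Review bot: `DISTRO_FEATURES_remove = " ptest"` in the new `base:` section is applied by BitBake after every `_append`, so the `DISTRO_FEATURES_append = " ptest apparmor pam"` that kas/qemux86-test.yml adds later in this diff can never re-enable ptest and the qemux86-test job will run testimage without it; drop the `_remove` line from the shared base section and put `DISTRO_FEATURES_remove = " ptest"` only into the per-machine configs that should not run ptests. In the same hunk `EXTRA_IMAGE_FEATURES ?= "debug-tweaks"` now reaches every CI build, including the security-build-image jobs, not only the testimage run; since debug-tweaks yields an empty root password and passwordless ssh login, scoping it to kas/qemux86-test.yml keeps the non-test CI artifacts closer to what the layer itself recommends.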
diff --git a/meta-security/kas/qemuarm64-multi.yml b/meta-security/kas/qemuarm64-multi.yml new file mode 100644 index 000000000..d79142c37 --- /dev/null +++ b/meta-security/kas/qemuarm64-multi.yml @@ -0,0 +1,12 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib32" + DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon" + +machine: qemuarm64 diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml new file mode 100644 index 000000000..923c21370 --- /dev/null +++ b/meta-security/kas/qemumips64-alt.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " pam systmed" + +machine: qemumips64 diff --git a/meta-security/kas/qemumips64-multi.yml b/meta-security/kas/qemumips64-multi.yml new file mode 100644 index 000000000..c8cf94b71 --- /dev/null +++ b/meta-security/kas/qemumips64-multi.yml @@ -0,0 +1,14 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib64 multilib:lib32" + DEFAULTTUNE = "mips64-n32" + DEFAULTTUNE_virtclass-multilib-lib64 = "mips64" + DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2" + +machine: qemumips64 diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml new file mode 100644 index 000000000..4364bf57e --- /dev/null +++ b/meta-security/kas/qemux86-64-alt.yml @@ -0,0 +1,10 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + alt: | + DISTRO_FEATURES_append = " apparmor pam systmed" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-dm-verify.yml b/meta-security/kas/qemux86-64-dm-verify.yml new file mode 100644 index 000000000..1f2600887 --- /dev/null +++ b/meta-security/kas/qemux86-64-dm-verify.yml 
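Review bot: `DISTRO_FEATURES_append = " pam systmed"` in the new kas/qemumips64-alt.yml misspells systemd, so the feature is silently not enabled and the "alt" build exercises sysvinit like the base config; kas/qemux86-64-alt.yml in the same line carries the same typo (`" apparmor pam systmed"`), while kas/qemuarm64-alt.yml above spells it correctly. Change both to `DISTRO_FEATURES_append = " pam systemd"` and `DISTRO_FEATURES_append = " apparmor pam systemd"` respectively; an unknown DISTRO_FEATURES token produces no warning, which is why this went unnoticed.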
@@ -0,0 +1,6 @@ +header: + version: 8 + includes: + - kas-security-dm.yml + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-64-multi.yml b/meta-security/kas/qemux86-64-multi.yml new file mode 100644 index 000000000..711ce2863 --- /dev/null +++ b/meta-security/kas/qemux86-64-multi.yml @@ -0,0 +1,12 @@ +header: + version: 8 + includes: + - kas-security-base.yml + +local_conf_header: + multi: | + require conf/multilib.conf + MULTILIBS = "multilib:lib32" + DEFAULTTUNE_virtclass-multilib-lib32 = "x86" + +machine: qemux86-64 diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml new file mode 100644 index 000000000..823a8b235 --- /dev/null +++ b/meta-security/kas/qemux86-test.yml @@ -0,0 +1,11 @@ +header: + version: 8 + includes: + - kas-security-base.yml + + +local_conf_header: + meta-security: | + DISTRO_FEATURES_append = " ptest apparmor pam" + +machine: qemux86 diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README new file mode 100644 index 000000000..37a0b7ec8 --- /dev/null +++ b/meta-security/meta-hardening/README 
@@ -0,0 +1,86 @@ +# This is an example for Security hardening an OE or Poky image + + +Meta-hardening +============= + +This layer provides examples for hardening OE/Yocto images. +This layer does not provide 100% security protection. This is only +a framework from which a user can build from and can possible contribute to. +The goal here is to capture use cases and examples the community decided shares for +everyones benefit. + +Building the meta-hardening layer +------------------------------- +In order to add hardening support to the poky/OE build this layer should be added +to your projects bblayers.conf file. + +By default the hardening components are disabled. This conforms to the +Yocto Project compatible guideline that indicate that simply including a +layer should not change the system behavior. + +In order to use the components in this layer to take affect the 'harden' keyword must +set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework. + +If one wants the a more complete example of a hardened image, one must also build the image: +harden-image-minimal + +There are default example userid and passwards: +These can be over written in your local.conf via: +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" + +example: +local.conf +DISTRO = "harden" + +The default user and password are: +User: "myadmin" +Password: "1SimplePw!" 
+ +bitbake {qemu machine} harden-image-minimal + +Dependencies +============ + +Branch: master + +This layer depends on: + +URI: git://git.yoctoproject.org/poky + +or this normal combo: + +URI: git://git.openembedded.org/meta-openembedded/meta-oe + +URI: git://git.openembedded.org/bitbake + +plus: + +URI: git://git.openembedded.org/meta-openembedded +layers: meta-oe + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-hardening][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf new file mode 100644 index 000000000..66db9b797 --- /dev/null +++ b/meta-security/meta-hardening/conf/distro/harden.conf @@ -0,0 +1,11 @@ +DISTRO = "harden" +DISTRO_NAME = "Simple Security hardening example" +DISTRO_VERSION = "1.0" + +DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" + +VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" +IMAGE_ROOTFS_EXTRA_SPACE = "524288" +EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" + +DISABLE_ROOT ?= "True" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf new file mode 100644 index 000000000..589621440 --- /dev/null +++ b/meta-security/meta-hardening/conf/layer.conf 
@@ -0,0 +1,13 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH .= ":${LAYERDIR}" + +# We have a recipes directory, add to BBFILES +BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" + +BBFILE_COLLECTIONS += "harden-layer" +BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" +BBFILE_PRIORITY_harden-layer = "10" + +LAYERSERIES_COMPAT_harden-layer = "dunfell" + +LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend new file mode 100644 index 000000000..67be3f313 --- /dev/null +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -0,0 +1,13 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config + fi +} diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..395630460 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,4 @@ + +do_install_append_harden () { + sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile +} 
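Review bot: Every `sed -i` in the new openssh do_install_append_harden silently does nothing when the literal it looks for is absent from the shipped sshd_config (for example `ClientAliveCountMax 4` and `#MaxSessions` are matched verbatim), so a change in the base recipe's config file quietly undoes the hardening without failing the build; verify each edit, e.g. `grep -q '^AllowTcpForwarding no' ${D}${sysconfdir}/ssh/sshd_config || bbfatal "sshd_config hardening not applied"`. The same unchecked-sed pattern is used in shadow_%.bbappend and sudo_%.bbappend later in this diff. Also, `PermitRootLogin prohibit-password` still permits key-based root logins while harden-image-minimal.bb only locks root's password (`usermod -L root`); if DISABLE_ROOT is meant to mean no root access, as the README describes, `PermitRootLogin no` is the matching setting.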
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb new file mode 100644 index 000000000..daed3fbcc --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -0,0 +1,25 @@ +SUMMARY = "A small image for an example hardening OE." + +IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" +IMAGE_INSTALL_append = " os-release" + +IMAGE_FEATURES = "" +IMAGE_LINGUAS = " " + +LICENSE = "MIT" + +IMAGE_ROOTFS_SIZE ?= "8192" + +inherit core-image extrausers + +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" +DEFAULT_ADMIN_GROUP ?= "wheel" +DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" + +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" + +EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh new file mode 100755 index 000000000..e093f9621 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh 
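Review bot: harden-image-minimal.bb bakes the documented example password `1SimplePw!` into both ROOT_DEFAULT_PASSWORD and DEFAULT_ADMIN_ACCOUNT_PASSWORD with `?=`, so a user who sets `DISTRO = "harden"` without reading the README gets an image whose admin (and, with DISABLE_ROOT unset, root) credentials are public; the recipe should at least warn when the example values are still in effect. A small anonymous function (below) does that without changing any default; root's password is only checked when root is actually usable. Note too that `usermod -P '…'` passes the cleartext through EXTRA_USERS_PARAMS, which presumably ends up in the do_rootfs run script and, with the buildhistory class the kas base config now inherits, possibly in build history — worth a comment so nobody publishes those artifacts from a real build.
```bitbake
# … unchanged: image settings and inherit core-image extrausers …
ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"

python __anonymous() {
    # Warn when a build still carries the example passwords from the README so
    # they are not shipped by accident; root's only matters when root is usable.
    to_check = ['DEFAULT_ADMIN_ACCOUNT_PASSWORD']
    if d.getVar('DISABLE_ROOT') != 'True':
        to_check.append('ROOT_DEFAULT_PASSWORD')
    for var in to_check:
        if d.getVar(var) == '1SimplePw!':
            bb.warn('%s is still the example default; override it in local.conf' % var)
}
# … unchanged: EXTRA_USERS_PARAMS …
```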
@@ -0,0 +1,41 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: mountall +# Required-Start: mountvirtfs +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Mount all filesystems. +# Description: +### END INIT INFO + +. /etc/default/rcS + +# +# Mount local filesystems in /etc/fstab. For some reason, people +# might want to mount "proc" several times, and mount -v complains +# about this. So we mount "proc" filesystems without -v. +# +test "$VERBOSE" != no && echo "Mounting local filesystems..." +mkdir -p /home +mkdir -p /var +mount -at nonfs,nosmbfs,noncpfs 2>/dev/null + +# +# We might have mounted something over /dev, see if /dev/initctl is there. +# +if test ! -p /dev/initctl +then + rm -f /dev/initctl + mknod -m 600 /dev/initctl p +fi +kill -USR1 1 + +# +# Execute swapon command again, in case we want to swap to +# a file on a now mounted filesystem. +# +[ -x /sbin/swapon ] && swapon -a + +: exit 0 + diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend new file mode 100644 index 000000000..896b03973 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_harden = " file://mountall.sh" + +do_install_append_harden() { + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d +} diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb new file mode 100644 index 000000000..1dcd5fc3d --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb 
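Review bot: The new mountall.sh is a complete copy of an initscripts-style mountall whose only visible difference is the `mkdir -p /home` and `mkdir -p /var` inserted before `mount -at nonfs,nosmbfs,noncpfs`, but nothing in the file records why the copy exists, so fixes to the original script will be silently lost here and the next maintainer cannot tell which lines are the hardening change. Add a header comment after the INIT INFO block such as `# Local copy of initscripts' mountall.sh: only the two mkdir -p lines below are added (presumably so /home and /var can be separate mount points) — keep the rest in sync.` with the real reason substituted if it differs.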
@@ -0,0 +1,19 @@ +# +# +# + +SUMMARY = "Hardening example group" + +inherit packagegroup + +PROVIDES = "${PACKAGES}" +PACKAGES = "${PN} \ + packagegroup-${PN} \ +" + +RDEPENDS_${PN} = "\ + init-ifupdown \ + ${VIRTUAL-RUNTIME_base-utils-syslog} \ + sudo \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \ +" diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 000000000..3f363f069 --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -0,0 +1,10 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs + sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs +} diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 000000000..a31c081fe --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend @@ -0,0 +1,7 @@ + +PACKAGECONFIG_append_harden = " pam-wheel" +do_install_append_harden () { + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers + fi +} diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc index 74c1a1812..dcf53d0cc 100644 
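Review bot: The sudo bbappend comments out `root ALL=(ALL) ALL` when DISABLE_ROOT is set, and harden-image-minimal.bb locks root's password and puts the admin account into `wheel`, but nothing in this series enables the `%wheel` rule in sudoers (upstream ships it commented out), so unless the shipped sudoers already differs, the admin user is left with no route to root and the image can only be administered via key-based root ssh; add a sed matching the shipped sudoers' exact `%wheel` line, e.g. `sed -i -e 's:^# %wheel ALL=(ALL) ALL:%wheel ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers`, next to the existing one, or document the intended path to root. In shadow_%.bbappend on the same line, `PASS_MIN_LEN 11` presumably has no effect once pam is in DISTRO_FEATURES (harden.conf enables it), because password quality is then enforced by the PAM stack rather than login.defs; a comment saying so, or a pam_pwquality configuration carrying the length, would make that intent effective.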
--- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc @@ -33,7 +33,6 @@ RECIPE_MAINTAINER_pn-tpm2-tcti-uefi = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster " -RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster " RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster " RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster " diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index a553a63d8..8b6f03023 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -7,7 +7,6 @@ inherit packagegroup PACKAGES = "${PN}" -PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator" SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support" RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-tools \ @@ -20,5 +19,4 @@ RDEPENDS_packagegroup-security-tpm2 = " \ tpm2-abrmd \ tpm2-pkcs11 \ ibmswtpm2 \ - ${PREFERRED_PROVIDER_cryptsetup} \ " diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch deleted file mode 100644 index 72c81d11a..000000000 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 -From: Matthias Gerstner -Date: Fri, 14 Aug 2020 22:14:36 -0700 -Subject: [PATCH] Correct multiple security issues that are present if the tcsd - is started by root instead of the tss user. - -Patch fixes the following 3 CVEs: - -CVE-2020-24332 -If the tcsd daemon is started with root privileges, -the creation of the system.data file is prone to symlink attacks - -CVE-2020-24330 -If the tcsd daemon is started with root privileges, -it fails to drop the root gid after it is no longer needed - -CVE-2020-24331 -If the tcsd daemon is started with root privileges, -the tss user has read and write access to the /etc/tcsd.conf file - -Authored-by: Matthias Gerstner -Signed-off-by: Debora Velarde Babb - -Upstream-Status: Backport -CVE: CVE-2020-24332 -CVE: CVE-2020-24330 -CVE: CVE-2020-24331 - -Signed-off-by: Armin Kuster - ---- - src/tcs/ps/tcsps.c | 2 +- - src/tcsd/svrside.c | 1 + - src/tcsd/tcsd_conf.c | 10 +++++----- - 3 files changed, 7 insertions(+), 6 deletions(-) - -Index: git/src/tcs/ps/tcsps.c -=================================================================== ---- git.orig/src/tcs/ps/tcsps.c -+++ git/src/tcs/ps/tcsps.c -@@ -72,7 +72,7 @@ get_file() - } - - /* open and lock the file */ -- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); -+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); - if (system_ps_fd < 0) { - LogError("system PS: open() of %s failed: %s", - tcsd_options.system_ps_file, strerror(errno)); -Index: git/src/tcsd/svrside.c -=================================================================== ---- git.orig/src/tcsd/svrside.c -+++ git/src/tcsd/svrside.c -@@ -473,6 +473,7 @@ main(int argc, char **argv) - } - return TCSERR(TSS_E_INTERNAL_ERROR); - } -+ setgid(pwd->pw_gid); - setuid(pwd->pw_uid); - #endif - #endif -Index: git/src/tcsd/tcsd_conf.c 
-=================================================================== ---- git.orig/src/tcsd/tcsd_conf.c -+++ git/src/tcsd/tcsd_conf.c -@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) - #ifndef SOLARIS - struct group *grp; - struct passwd *pw; -- mode_t mode = (S_IRUSR|S_IWUSR); -+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); - #endif /* SOLARIS */ - TSS_RESULT result; - -@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) - } - - /* make sure user/group TSS owns the conf file */ -- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { -+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { - LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, -- TSS_USER_NAME, TSS_GROUP_NAME); -+ "root", TSS_GROUP_NAME); - return TCSERR(TSS_E_INTERNAL_ERROR); - } - -- /* make sure only the tss user can manipulate the config file */ -+ /* make sure only the tss user can read (but not manipulate) the config file */ - if (((stat_buf.st_mode & 0777) ^ mode) != 0) { -- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); -+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); - return TCSERR(TSS_E_INTERNAL_ERROR); - } - #endif /* SOLARIS */ diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb index 95e821bfa..27b4e2f51 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb @@ -6,7 +6,7 @@ SECTION = "security/tpm" DEPENDS = "openssl" -SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0" +SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b" PV = "0.3.14+git${SRCPV}" SRC_URI = " \ 
@@ -16,7 +16,6 @@ SRC_URI = " \ file://tcsd.service \ file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \ file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \ - file://0001-Correct-multiple-security-issues-that-are-present-if.patch \ " S = "${WORKDIR}/git" @@ -105,6 +104,8 @@ FILES_${PN}-doc = " \ ${mandir}/man8 \ " +FILES_${PN} += "${systemd_unitdir}/*" + INITSCRIPT_NAME = "trousers" INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ." diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb deleted file mode 100644 index 261716235..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb +++ /dev/null 
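Review bot: Removing `file://0001-Correct-multiple-security-issues-that-are-present-if.patch` also removes its `CVE: CVE-2020-24330`/`CVE-2020-24331`/`CVE-2020-24332` tags, which cve-check reads to mark a recipe as patched; the fix now arrives via the `SRCREV` bump in the previous hunk, but `PV` stays `0.3.14+git${SRCPV}`, so a scan may keep reporting the three CVEs as open against 0.3.14. Record them in the recipe, e.g. `CVE_CHECK_WHITELIST += "CVE-2020-24330 CVE-2020-24331 CVE-2020-24332"` (or whichever ignore mechanism the target OE-core release provides), with a comment naming the upstream commit that fixes them. The deleted patch file above shows the three CVE lines that are being lost.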
@@ -1,47 +0,0 @@ -SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss" -DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module." - -SECTION = "security/tpm" -LICENSE = "LGPL-2.1 | GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \ - file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \ - " - -DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c" - -SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \ - file://configure_fix.patch " - -SRCREV = "15c283195f19f1d980e39ba45448683d5e383179" - -S = "${WORKDIR}/git" - -inherit autotools pkgconfig gettext - -PACKAGECONFIG ??= "openssl" -PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl" -PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt" - -EXTRA_OECONF = "--enable-static" - -RRECOMMENDS_${PN} = "kernel-module-aes-generic \ - kernel-module-dm-crypt \ - kernel-module-md5 \ - kernel-module-cbc \ - kernel-module-sha256-generic \ - kernel-module-xts \ - " - -FILES_${PN} += "${libdir}/tmpfiles.d" -RDEPENDS_${PN} += "lvm2 libdevmapper" -RRECOMMENDS_${PN} += "lvm2-udevrules" - -RPROVIDES_${PN} = "cryptsetup" -RREPLACES_${PN} = "cryptsetup" -RCONFLICTS_${PN} ="cryptsetup" - -RPROVIDES_${PN}-dev = "cryptsetup-dev" -RREPLACES_${PN}-dev = "cryptsetup-dev" -RCONFLICTS_${PN}-dev ="cryptsetup-dev" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch deleted file mode 100644 index 8c7b6da41..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster - -Index: git/configure.ac -=================================================================== ---- git.orig/configure.ac -+++ git/configure.ac -@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in] - - # For old automake use this - #AM_INIT_AUTOMAKE(dist-xz subdir-objects) --AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects]) -+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign]) - - if test "x$prefix" = "xNONE"; then - sysconfdir=/etc diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch new file mode 100644 index 000000000..f2938e0e0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch @@ -0,0 +1,27 @@ +Fix strict aliasing issue of gcc10 + +fixes: + +TpmFail.c: In function 'TpmLogFailure': +TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ + | ^~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack + +Index: src/TpmFail.c +=================================================================== +--- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 ++++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 +@@ -214,7 +214,7 @@ + // On a 64-bit machine, this may truncate the address of the string + // of the function name where the error occurred. + #if FAIL_TRACE +- s_failFunction = *(UINT32 *)&function; /* kgold */ ++ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ + s_failLine = line; + #else + s_failFunction = 0; 
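Review bot: The replacement line `memcpy(&s_failFunction, function, sizeof(uint32_t));` copies the first four bytes of the string that `function` points to, whereas the removed `*(UINT32 *)&function` stored a truncated copy of the pointer value itself, which is what the surrounding comment "truncate the address of the string" describes; this is a semantic change, not only an aliasing fix. It also reads four bytes from the name regardless of its length, so a function name shorter than three characters plus NUL is an over-read. If the original meaning is wanted, `memcpy(&s_failFunction, &function, sizeof(s_failFunction));` keeps it without the type-punned dereference; if storing the leading characters is intended, the comment on the line above should say so. The enclosing TpmLogFailure body continues outside the hunk.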
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch deleted file mode 100644 index 2919e2e54..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch +++ /dev/null @@ -1,26 +0,0 @@ -Allow recipe to overide optimization. - -fixes: - -397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) -| | ^~~~~~~ -| cc1: all warnings being treated as errors - - -Upstream-Status: OE specific - -Signed-off-by: Armin Kuster - -Index: src/makefile -=================================================================== ---- src.orig/makefile -+++ src/makefile -@@ -43,7 +43,7 @@ CC = /usr/bin/gcc - CCFLAGS = -Wall \ - -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ - -Werror -Wsign-compare \ -- -c -ggdb -O0 \ -+ -c -ggdb -O \ - -DTPM_POSIX \ - -D_POSIX_ \ - -DTPM_NUVOTON diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch new file mode 100644 index 000000000..eebddb9e7 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch 
@@ -0,0 +1,50 @@ +1) Allow recipe to overide optimization. + +fixes: + +397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) +| | ^~~~~~~ +| cc1: all warnings being treated as errors + +2) Allow recipe to override OE related compile-/link-flags + +fixes: + +ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags] + +Upstream-Status: OE specific + +Signed-off-by: Jens Rehsack + +Index: src/makefile +=================================================================== +--- src.orig/makefile ++++ src/makefile +@@ -38,12 +38,10 @@ + ################################################################################# + + +-CC = /usr/bin/gcc +- + CCFLAGS = -Wall \ + -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ + -Werror -Wsign-compare \ +- -c -ggdb -O0 \ ++ -c -ggdb -O \ + -DTPM_POSIX \ + -D_POSIX_ \ + -DTPM_NUVOTON +@@ -79,11 +77,11 @@ + .PRECIOUS: %.o + + tpm_server: $(OBJFILES) +- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server ++ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server + + clean: + rm -f *.o tpm_server *~ + + %.o: %.c +- $(CC) $(CCFLAGS) $< -o $@ ++ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@ + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb deleted file mode 100644 index 3373a307f..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb +++ /dev/null 
@@ -1,26 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259" -SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3" -SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f" -SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91" -SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb new file mode 100644 index 000000000..32afd377d --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb 
@@ -0,0 +1,39 @@ +SUMMARY = "IBM's Software TPM 2.0" +DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \ +education, and virtualization. \ +\ +The intent is that an application can be developed using the software TPM. \ +The application should then run using a hardware TPM without changes. \ +Advantages of this approach: \ +* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \ +* Application software errors are easily reversed by simply removing the TPM state and starting over. \ +* Difficult crypto errors are quickly debugged by looking inside the TPM." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://tune-makefile.patch \ + file://fix-wrong-cast.patch \ + " +SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" +SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" +SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" +SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" +SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" + +S = "${WORKDIR}/src" + +CFLAGS += "-Wno-error=maybe-uninitialized" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch new file mode 100644 index 000000000..8b13fb66c --- /dev/null 
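Review bot: `SECTION = "securty/tpm"` is misspelt; it was carried over from the deleted 1628 recipe and is repeated in the new ibmtpm2tss_1.5.0.bb, and should read `SECTION = "security/tpm"` as the trousers recipe in this commit does. Separately, `do_compile` calls `make CC='${CC}'` directly; `oe_runmake CC='${CC}'` is the conventional form so that `EXTRA_OEMAKE` and the layer's parallel-make settings apply.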
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch 
@@ -0,0 +1,125 @@ +From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001 +From: Jens Rehsack +Date: Fri, 11 Sep 2020 07:46:41 +0200 +Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs + +Expand wildcards of required sources to avoid errors like: +make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'. Stop. +make[2]: *** Waiting for unfinished jobs.... + +Upstream-Status: Submitted + +Signed-off-by: Jens Rehsack +--- + utils/Makefile.am | 75 +++++++++++++++++++++++++++++++++++++++++++-- + utils12/Makefile.am | 8 ++++- + 2 files changed, 79 insertions(+), 4 deletions(-) + +diff --git a/utils/Makefile.am b/utils/Makefile.am +index 1e51fe3..170a26e 100644 +--- a/utils/Makefile.am ++++ b/utils/Makefile.am +@@ -81,9 +81,78 @@ libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS) + + noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h + # install every header in ibmtss +-nobase_include_HEADERS = ibmtss/*.h +- +-notrans_man_MANS = man/man1/*.1 ++nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \ ++ ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \ ++ ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \ ++ ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \ ++ ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \ ++ ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \ ++ ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \ ++ ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \ ++ ibmtss/EncryptDecrypt_fp.h 
ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \ ++ ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \ ++ ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \ ++ ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \ ++ ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \ ++ ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \ ++ ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \ ++ ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \ ++ ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \ ++ ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \ ++ ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \ ++ ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \ ++ ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \ ++ ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \ ++ ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \ ++ ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \ ++ ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \ ++ ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \ ++ ibmtss/PolicyNvWritten_fp.h 
ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \ ++ ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \ ++ ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \ ++ ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \ ++ ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \ ++ ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \ ++ ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \ ++ ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \ ++ ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \ ++ ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \ ++ ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \ ++ ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \ ++ ibmtss/ZGen_2Phase_fp.h ++ ++notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \ ++ man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \ ++ man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \ ++ man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \ ++ man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \ ++ man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \ ++ 
man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \ ++ man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \ ++ man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \ ++ man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \ ++ man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \ ++ man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \ ++ man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \ ++ man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \ ++ man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \ ++ man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \ ++ man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \ ++ man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \ ++ man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \ ++ man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \ ++ man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \ ++ man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \ ++ man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \ ++ man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \ ++ 
man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \ ++ man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \ ++ man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \ ++ man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \ ++ man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \ ++ man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \ ++ man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \ ++ man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1 + + if CONFIG_TPM20 + noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h +diff --git a/utils12/Makefile.am b/utils12/Makefile.am +index a01f47c..e9fe61e 100644 +--- a/utils12/Makefile.am ++++ b/utils12/Makefile.am +@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_srcdir)/utils + # result: [current-age].age.revision + libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la + +-notrans_man_MANS = man/man1/*.1 ++notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \ ++ man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \ ++ man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \ ++ man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \ ++ man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \ ++ man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \ ++ man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 
man/man1/tss1tpminit.1 + noinst_HEADERS = ekutils12.h + + bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend +-- +2.17.1 + diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb new file mode 100644 index 000000000..18ad7eb43 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb @@ -0,0 +1,27 @@ +SUMMARY = "IBM's Software TPM 2.0 TSS" +DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \ +functionality equivalent to (but not API compatible with) the TCG TSS \ +working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \ +hopefully simpler interface. \ +It comes with over 110 'TPM tools' samples that can be used for scripted \ +apps, rapid prototyping, education, and debugging. \ +It also comes with a web based TPM interface, suitable for a demo to an \ +audience that is unfamiliar with TCG technology. It is also useful for \ +basic TPM management." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl ibmswtpm2" + +inherit autotools pkgconfig + +SRCREV = "aa6c6ec83793ba21782033c03439977c26d3cc87" +SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \ + file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \ + " + +EXTRA_OECONF = "--disable-tpm-1.2" + +S = "${WORKDIR}/git" diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762d..187aeaee2 100644 
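Review bot: `SRC_URI` fetches over the unauthenticated `git://` transport (`git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1`). The full-length `SRCREV` pin still fixes exactly which tree is built, so content integrity is not at stake, but the fetch can be observed or broken on path; OE recipes generally add `;protocol=https` where the host serves it, which is worth confirming for git.code.sf.net. `EXTRA_OECONF = "--disable-tpm-1.2"` together with a `DEPENDS` on `ibmswtpm2` would benefit from a one-line comment saying why the software TPM is a build-time dependency of the TSS.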
--- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -1,26 +1,34 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-dm-verity \ base-files \ + base-passwd \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" + # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_image[nostamp] = "1" -inherit core-image +IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b61495655..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null 
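Review bot: `deploy_verity_hash` copies the generated `dm-verity.env` (the root hash and data size the initramfs will enforce) into the image without saying what that implies for the boot chain; add a comment above the function such as `# dm-verity.env carries the ROOT_HASH the initramfs enforces; the initramfs must itself be integrity-protected (e.g. bundled into a signed kernel), otherwise rootfs verification is only as trustworthy as this file.` Mode 0644 is appropriate since the hash is not secret. `do_image[nostamp] = "1"` is explained by its comment, but it also means do_image reruns on every build of this image; presumably that cost is accepted.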
@@ -1,13 +0,0 @@ -SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -SRC_URI = "file://init-dm-verity.sh" - -do_install() { - install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init - install -d ${D}/dev - mknod -m 622 ${D}/dev/console c 5 1 -} - -FILES_${PN} = "/init /dev/console" diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh deleted file mode 100644 index 307d2c74b..000000000 --- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -PATH=/sbin:/bin:/usr/sbin:/usr/bin -RDEV="" -ROOT_DIR="/new_root" - -mkdir -p /proc -mkdir -p /sys -mkdir -p /run -mkdir -p /tmp -mount -t proc proc /proc -mount -t sysfs sysfs /sys -mount -t devtmpfs none /dev - -udevd --daemon -udevadm trigger --type=subsystems --action=add -udevadm trigger --type=devices --action=add -udevadm settle --timeout=10 - -for PARAM in $(cat /proc/cmdline); do - case $PARAM in - root=*) - RDEV=${PARAM#root=} - ;; - esac -done - -if ! [ -b $RDEV ]; then - echo "Missing root command line argument!" - exit 1 -fi - -case $RDEV in - UUID=*) - RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) - ;; -esac - -. /usr/share/dm-verity.env - -echo "Mounting $RDEV over dm-verity as the root filesystem" - -veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH -mkdir -p $ROOT_DIR -mount -o ro /dev/mapper/rootfs $ROOT_DIR -exec switch_root $ROOT_DIR /sbin/init diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 000000000..bb07aab58 --- /dev/null 
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity @@ -0,0 +1,53 @@ +#!/bin/sh + +dmverity_enabled() { + return 0 +} + +dmverity_run() { + DATA_SIZE="__not_set__" + ROOT_HASH="__not_set__" + + . /usr/share/misc/dm-verity.env + + case "${bootparam_root}" in + ID=*) + RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" + ;; + LABEL=*) + RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" + ;; + PARTLABEL=*) + RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" + ;; + PARTUUID=*) + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + ;; + PATH=*) + RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" + ;; + UUID=*) + RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" + ;; + *) + RDEV="${bootparam_root}" + esac + + if ! [ -b "${RDEV}" ]; then + echo "Root device resolution failed" + exit 1 + fi + + veritysetup \ + --data-block-size=1024 \ + --hash-offset=${DATA_SIZE} \ + create rootfs \ + ${RDEV} \ + ${RDEV} \ + ${ROOT_HASH} + + mount \ + -o ro \ + /dev/mapper/rootfs \ + ${ROOTFS_DIR} || exit 2 +} diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend new file mode 100644 index 000000000..dad9c967c --- /dev/null +++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" 
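Review bot: `ROOT_HASH` and `DATA_SIZE` are seeded with `__not_set__` but never checked after `. /usr/share/misc/dm-verity.env`, so a missing or partial env file reaches `veritysetup` as `--hash-offset=__not_set__` with an invalid root hash, and the only failure signal is the later `mount … || exit 2`. The `veritysetup create` exit status is likewise unchecked, and `${RDEV}` and `${ROOT_HASH}` are expanded unquoted even though the `*)` fallback takes `bootparam_root` verbatim. Validate the sentinels and the veritysetup result as below; note also that `exit` in a module sourced by the framework's init ends init itself, so the framework's `fatal` helper (if it is available to modules, as the stock `rootfs` module's usage suggests) is presumably the intended way to abort. The root hash in dm-verity.env is the trust anchor for the whole rootfs, so the initramfs that carries it must itself be integrity-protected.
```sh
    . /usr/share/misc/dm-verity.env

    if [ "${ROOT_HASH}" = "__not_set__" ] || [ "${DATA_SIZE}" = "__not_set__" ]; then
        echo "dm-verity.env did not provide ROOT_HASH and DATA_SIZE"
        exit 1
    fi

    # ... unchanged: root device resolution and block-device check ...

    veritysetup \
        --data-block-size=1024 \
        --hash-offset="${DATA_SIZE}" \
        create rootfs \
        "${RDEV}" \
        "${RDEV}" \
        "${ROOT_HASH}" || exit 1
```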
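Review bot: `RDEPENDS_initramfs-module-dmverity = "${PN}-base"` does not declare what the module actually runs: `dmverity_run` calls `veritysetup`, `realpath` and `mount`, and the image recipe in this commit has to install `cryptsetup` and `initramfs-module-udev` by hand. Adding `cryptsetup` (assuming veritysetup ships in that package) and `initramfs-module-udev` to this RDEPENDS makes the module self-contained. The `install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity` line relies on install's default mode; `install -m 0755` states the intent explicitly.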
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index c6342fdb2..1d0180052 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -9,6 +9,8 @@ PACKAGES = "\ packagegroup-core-security \ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -16,6 +18,8 @@ PACKAGES = "\ RDEPENDS_packagegroup-core-security = "\ packagegroup-security-utils \ packagegroup-security-scanners \ + packagegroup-security-audit \ + packagegroup-security-hardening \ packagegroup-security-ids \ packagegroup-security-mac \ " @@ -23,18 +27,23 @@ RDEPENDS_packagegroup-core-security = "\ SUMMARY_packagegroup-security-utils = "Security utilities" RDEPENDS_packagegroup-security-utils = "\ checksec \ + ding-libs \ + ecryptfs-utils \ + fscryptctl \ + keyutils \ nmap \ pinentry \ + python3-privacyidea \ + python3-fail2ban \ python3-scapy \ - ding-libs \ - keyutils \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \ + ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " SUMMARY_packagegroup-security-scanners = "Security scanners" RDEPENDS_packagegroup-security-scanners = "\ + isic \ nikto \ checksecurity \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \ 
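Review bot: `packagegroup-security-audit` and `packagegroup-security-hardening` are added to `PACKAGES` and to the top-level `RDEPENDS` in the first two hunks, but no `SUMMARY_`/`RDEPENDS_` definition for either appears anywhere in this file's diff (the hunk offsets show no other changes between the hunks), so unless those definitions already exist in the untouched lines the two groups are built as empty packages. Either add `RDEPENDS_packagegroup-security-audit = "…"` and `RDEPENDS_packagegroup-security-hardening = "…"` with their intended members, or leave the groups out until they have content.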
@@ -55,7 +64,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ tripwire \ samhain-standalone \ - suricata \ + ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend index 39d4e6f50..fa536d095 100644 --- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb index 552cac70a..dcdc1f7e6 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb 
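Review bot: The new suricata condition keys on `ppc7400`, a single PowerPC tune feature, while the commit message describes excluding suricata on "riscv or ppc"; machines using any other ppc tune still pull it in. If the whole architecture is meant, an override such as `RDEPENDS_packagegroup-security-ids_remove_powerpc = "suricata"` (or a check on `TARGET_ARCH`) expresses that directly; if only ppc7400 is known to fail, a comment saying so would stop the next reader from "fixing" it.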
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb @@ -30,6 +30,8 @@ S = "${WORKDIR}/git" PARALLEL_MAKE = "" +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check REQUIRED_DISTRO_FEATURES = "apparmor" diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb index 770186ad4..47fbae49f 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb @@ -23,7 +23,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \ S = "${WORKDIR}/git" LEAD_SONAME = "libclamav.so" -SO_VER = "9.0.2" +SO_VER = "9.0.4" inherit autotools pkgconfig useradd systemd multilib_header multilib_script diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch new file mode 100644 index 000000000..b64670c17 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch 
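Review bot: `COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"` reads like a negated match, but `!` has no special meaning in Python's `re`, which is what BitBake applies to `COMPATIBLE_MACHINE`; the pattern only works because no machine override begins with a literal `!`, so it never matches and the recipe is skipped. The self-explanatory OE idiom is `COMPATIBLE_HOST_mips64 = "null"`; if the present form is kept, a comment such as `# never matches any MACHINE: apparmor is not supported on mips64` should accompany it.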
@@ -0,0 +1,34 @@
+From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?=
+Date: Fri, 21 Aug 2020 14:45:10 +0200
+Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AC_CHECK_FILE does not support cross-compilation, and will only check
+the host rootfs. Replace AC_CHECK_FILE with a 'test -f ' instead,
+to allow building manpages when cross-compiling.
+
+Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
+Signed-off-by: Jonatan Pålsson
+---
+ src/external/docbook.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
+index deb8632fa..acdc89a68 100644
+--- a/src/external/docbook.m4
++++ b/src/external/docbook.m4
+@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
+ dnl if a particular URI appears in the XML catalog
+ AC_DEFUN([CHECK_STYLESHEET],
+ [
+- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
+
+ AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
+ if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
+--
+2.26.1
+
diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
new file mode 100644
index 000000000..c319269e9
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
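Review bot: The header of this new patch file spells the status tag `Upstream-status:`, while the OE patch conventions (and the patch-status QA check available in newer releases) look for `Upstream-Status:` with a capital S, so tooling will treat this patch as carrying no status line. Change it to `Upstream-Status: Submitted [https://github.com/SSSD/sssd/pull/5289]`. The sibling file 0001-nss-Collision-with-external-nss-symbol.patch added in the next hunk already uses the correct spelling, so the two would otherwise be inconsistent within the same recipe.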
@@ -0,0 +1,78 @@
+From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?=
+Date: Thu, 27 Feb 2020 06:50:40 +0100
+Subject: [PATCH] nss: Collision with external nss symbol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+One of our internal static function names started
+to collide with external nss symbol. Additional
+sss_ suffix was added to avoid the collision.
+
+This is needed to unblock Fedora Rawhide's
+SSSD build.
+
+Reviewed-by: Pavel Březina
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd.git]
+Signed-off-by: Hongxu.jia@windriver.com
+Signed-off-by: Qi.Chen@windriver.com
+---
+ src/responder/nss/nss_cmd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 25e663ed5..a4d4cfc0b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -728,11 +728,13 @@ done:
+ talloc_free(cmd_ctx);
+ }
+
+-static void nss_setnetgrent_done(struct tevent_req *subreq);
++static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
+
+-static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+- enum cache_req_type type,
+- nss_protocol_fill_packet_fn fill_fn)
++/* This function's name started to collide with external nss symbol,
++ * so it has additional sss_* prefix unlike other functions here. */
++static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
++ enum cache_req_type type,
++ nss_protocol_fill_packet_fn fill_fn)
+ {
+ struct nss_ctx *nss_ctx;
+ struct nss_state_ctx *state_ctx;
+@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+ goto done;
+ }
+
+- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx);
++ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx);
+
+ ret = EOK;
+
+@@ -787,7 +789,7 @@ done:
+ return EOK;
+ }
+
+-static void nss_setnetgrent_done(struct tevent_req *subreq)
++static void sss_nss_setnetgrent_done(struct tevent_req *subreq)
+ {
+ struct nss_cmd_ctx *cmd_ctx;
+ errno_t ret;
+@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx)
+
+ static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx)
+ {
+- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
+- nss_protocol_fill_setnetgrent);
++ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
++ nss_protocol_fill_setnetgrent);
+ }
+
+ static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx)
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 2c3c8032e..e54fa98e9 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -17,6 +17,8 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
 file://sssd.conf \
 file://volatiles.99_sssd \
 file://fix-ldblibdir.patch \
+ file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
+ file://0001-nss-Collision-with-external-nss-symbol.patch \
 "
 SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
@@ -41,7 +43,7 @@ PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
 PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
 PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
 PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
 PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
 PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
@@ -60,6 +62,7 @@ EXTRA_OECONF += " \
 --enable-pammoddir=${base_libdir}/security \
 --without-python2-bindings \
 --without-secrets \
+ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
 "
 do_configure_prepend() {
diff --git a/meta-security/scripts/upload-error-report b/meta-security/scripts/upload-error-report
new file mode 100755
index 000000000..56bd24e47
--- /dev/null
+++ b/meta-security/scripts/upload-error-report
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+ERR_REPORT_USERNAME=$1
+ERR_REPORT_EMAIL=$2
+BUILDDIR=$3
+
+shift
+shift
+shift
+
+if [ ! -e $BUILDDIR ]; then
+ exit 0
+fi
+
+cd $BUILDDIR/../poky
+
+if [ -d $BUILDDIR/tmp/log/error-report/ ]; then
+ echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+
+ . ./oe-init-build-env $BUILDDIR
+
+ for x in `ls $BUILDDIR/tmp/log/error-report/ | grep error_report_`; do
+ send-error-report -y tmp/log/error-report/$x
+ done
+fi
diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index cd1702e1b..658018bac 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
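Review bot: In the new upload-error-report script `$BUILDDIR` is expanded unquoted in the `-e` test, the `cd`, the `-d` test and the `ls`, and the `cd` result is never checked, so a path containing whitespace breaks the tests and a missing `../poky` checkout lets the script carry on to source `./oe-init-build-env` from whatever directory it started in. Quoting the expansions, making the `cd` fatal and iterating a glob instead of parsing the output of `ls | grep` keeps the behaviour while removing the word-splitting; the three `shift` lines can also collapse to `shift 3`. The script additionally overwrites `~/.oe-send-error` with the caller-supplied name and e-mail on every run, which is acceptable on a disposable CI runner but deserves a comment such as `# clobbers any existing ~/.oe-send-error; intended for CI runners only` so it is not run on a developer machine by accident.
```shell
if [ ! -e "$BUILDDIR" ]; then
    exit 0
fi

cd "$BUILDDIR/../poky" || exit 1

if [ -d "$BUILDDIR/tmp/log/error-report/" ]; then
    # … unchanged: write username and e-mail to ~/.oe-send-error …

    . ./oe-init-build-env "$BUILDDIR"

    for report in "$BUILDDIR"/tmp/log/error-report/error_report_*; do
        [ -e "$report" ] || continue
        send-error-report -y "tmp/log/error-report/$(basename "$report")"
    done
fi
```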
@@ -11,5 +11,5 @@ # This .wks only works with the dm-verity-img class.
 part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
 bootloader --append="console=ttyS0,115200"
--
cgit v1.2.3