diff options
| author | Andrew Geissler <geissonator@yahoo.com> | 2023-05-19 17:38:37 +0300 |
|---|---|---|
| committer | Andrew Geissler <geissonator@yahoo.com> | 2023-05-19 21:39:02 +0300 |
| commit | dc9d614711d1f205166fa42a0af05054fe06b26d (patch) | |
| tree | b96ac45842c6be65a4967ef904dfd95ab307e10c /meta-security | |
| parent | b8485a60bce61ef2c5e6337a2f7b677871565a01 (diff) | |
| download | openbmc-dc9d614711d1f205166fa42a0af05054fe06b26d.tar.xz | |
subtree updates
meta-security: 53c5cc794f..ddf301c45c:
Adrian Zaharia (1):
libmhash: fix multilib header conflict - mutils/mhash_config.h
Alexander Kanavin (1):
maintainers.inc: rename to avoid clashes with oe-core
Armin Kuster (15):
meta-tpm: rename recipes-tpm to recipes-tpm1
recipes-tpm: use this for common tpm recipes
swtpm: update to 0.8.0
libtpm: update to 0.9.6
ossec-hids: update to tip of 3.7.0
libhtp: update to 0.5.43
suricata: update to 6.0.11
fscryptctl: update to 1.0.1
oeqa: fix hash test to match new changes
integrity-image-minimal: adapt QEMU cmdline to new changes
lynis: Add decoding OE and Poky
os-release.bbappend: drop now CPE_NAME is in core
openembedded-release: drop as os-release does this now
tpm2-tss: drop vendor from PACKAGECONFIG
packagegroup-security-tpm2: restore pkgs removed earlier
Paul Gortmaker (4):
dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
dm-verity: don't make read-only-rootfs sound like a requirement
dm-verity: document the meta-intel dependency in the systemd example
dm-verity: add x86-64 systemd based example instructions
Peter Hoyes (1):
meta-parsec/layer.conf: Insert addpylib declaration
Peter Kjellerstedt (1):
tpm2-tools: Remove unnecessary and optional dependencies
Stefan Berger (12):
ima: Document and replace keys and adapt scripts for EC keys
ima: Fix the ima_policy_appraise_all to appraise executables & libraries
ima: Fix the IMA kernel feature
ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
ima: Sign all executables and the ima-policy in the root filesystem
integrity: Update the README for IMA support
linux: overlayfs: Add kernel patch resolving a file change notification issue
ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
linux: overlayfs: Drop kernel patch resolving a file change notification issue
ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
integrity: Fix the do_configure function
integrity: Rename linux-%.bbappend to linux-yocto%.bbappend
meta-raspberrypi: bf948e0aa8..928bb234bb:
Martin Jansa (3):
rpi-libcamera-apps: fix flags used in aarch64 builds
rpi-libcamera-apps: fix version generation on hosts with older python
rpi-libcamera-apps: bump to latest SRCREV and set PV
meta-arm: 0b5724266a..f9d80e1a14:
Emekcan Aras (2):
arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
Diffstat (limited to 'meta-security')
62 files changed, 372 insertions, 389 deletions
diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers-meta-security.inc index f623d7058c..f623d7058c 100644 --- a/meta-security/conf/distro/include/maintainers.inc +++ b/meta-security/conf/distro/include/maintainers-meta-security.inc diff --git a/meta-security/docs/dm-verity-systemd-x86-64.txt b/meta-security/docs/dm-verity-systemd-x86-64.txt new file mode 100644 index 0000000000..a47b02c853 --- /dev/null +++ b/meta-security/docs/dm-verity-systemd-x86-64.txt @@ -0,0 +1,77 @@ +dm-verity and x86-64 and systemd +-------------------------------- +In this example, we'll target combining qemux86-64 with dm-verity and +also systemd - systemd has dm-verity bindings and is more likely to be +used on x86. + +While dm-verity in a qemu environment doesn't make practial sense as a +deployment - it can be a useful stepping stone for testing and getting to +a final physical deployment. + +Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It +should be the default if unspecified, but check to be sure. As of this +writing (kernel v6.1) the resulting qemux86-64 build can also be booted +successfully on physical hardware, but if you don't intend to use qemu, +you might instead want to choose "genericx86-64" + +This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it +contains a dependency on the meta-intel layer for microcode, so you'll need +to fetch and add that layer in addition to the meta-security related layers. + +In addition to the basic dm-verity settings, choose systemd in local.conf: + +DISTRO_FEATURES:append = " security systemd" +VIRTUAL-RUNTIME_init_manager = "systemd" +EFI_PROVIDER = "systemd-boot" +PACKAGECONFIG:append:pn-systemd = " cryptsetup" + +Note the last line - you won't typically see that in on-line instructions +for enabling systemd. It is important for dm-verity, since it triggers +the build and installation of components like this onto the rootfs: + + /lib/systemd/system-generators/systemd-veritysetup-generator + /lib/systemd/systemd-veritysetup + +Now build the components for the wic image: + + bitbake intel-microcode + bitbake core-image-minimal + +Assemble the image: + + ------------------------------ +build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal +INFO: Building wic-tools... + +[...] + +INFO: Creating image(s)... + +INFO: The new image(s) can be found here: + ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct + +The following build artifacts were used to create the image(s): + BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share + KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64 + NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native + +INFO: The image(s) were created using OE kickstart file: + /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in +build-qemu-x86_64$ + ------------------------------ + +The "runqemu" script defaults were acceptable for testing with only the +verity image needing to be specified, i.e. + + runqemu \ + nographic \ + qemux86-64 \ + tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity + +You will see the above "direct" image file and also similarly named +individual partition images. To boot on UEFI enabled physical hardware, +you need to simply write the "direct" image file to a USB stick with dd +and the partition images can largely be ignored. + +Further information on interacting with the systemd UEFI loader is here: +https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ diff --git a/meta-security/docs/dm-verity.txt b/meta-security/docs/dm-verity.txt index 602a826939..c2dce73979 100644 --- a/meta-security/docs/dm-verity.txt +++ b/meta-security/docs/dm-verity.txt @@ -31,6 +31,8 @@ Kernel Configuration Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES which will source features/device-mapper/dm-verity.scc when dm-verity-img is used. [See commit d9feafe991c] +IMPORTANT: As per the top level README, you *must* put security in the +DISTRO_FEATURES, or else you won't get the dm-verity kernel settings. Supported Platforms ------------------- @@ -51,11 +53,18 @@ conf/local.conf and conf/bblayers.conf from the oe-init-build-env Firstly, you need the meta-security layer to conf/bblayers.conf along with the dependencies it has -- see the top level meta-security README for that. -Next, assuming you'll be using dm-verity for validation of your rootfs, -you'll need to enable read-only rootfs support in your local.conf with: +Note that if you are using dm-verity for your rootfs, then it enforces a +read-only mount right at the kernel level, so be prepared for issues such +as failed creation of temporary files and similar. + +Yocto does support additional checks and changes via setting: EXTRA_IMAGE_FEATURES = "read-only-rootfs" +...but since read-only is enforced at the kernel level already, using +this feature isn't a hard requirement. It may be best to delay/defer +making use of this until after you've established basic booting. + For more details, see the associated documentation: https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index eae1c57ea2..1a37280a9e 100644 --- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -76,7 +76,7 @@ other layers needed. e.g.: It has some dependencies on a suitable BSP; in particular the kernel must have a recent enough IMA/EVM subsystem. The layer was tested with -Linux 3.19 and uses some features (like loading X509 certificates +Linux 6.1 and uses some features (like loading X509 certificates directly from the kernel) which were added in that release. Your mileage may vary with older kernels. @@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: + DISTRO_FEATURES:append = " integrity ima" + IMAGE_CLASSES += "ima-evm-rootfs" + IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" + IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" + + # The following policy enforces IMA & EVM signatures + IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -113,10 +120,7 @@ for that are included in the layer. This is also how the cd $IMA_EVM_KEY_DIR # In that shell, create the keys. Several options exist: - # 1. Self-signed keys. - $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh - - # 2. Keys signed by a new CA. + # 1. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. # Signing images then will not require entering that passphrase, # only creating new certificates does. Most likely the default @@ -125,13 +129,11 @@ for that are included in the layer. This is also how the # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh - # 3. Keys signed by an existing CA. + # 2. Keys signed by an existing CA. # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv> exit -When using ``ima-self-signed.sh`` as described above, self-signed keys -are created. Alternatively, one can also use keys signed by a CA. The -``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then supports adding tha CA's public key to the kernel's system keyring by compiling it directly into the kernel. Because it is unknown whether @@ -187,7 +189,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements` diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index 57de2f60a6..98c4bc1f26 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" # with a .x509 suffix. See linux-%.bbappend for details. # # ima-local-ca.x509 is what ima-gen-local-ca.sh creates. -IMA_EVM_ROOT_CA ?= "" +IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" # Sign all regular files by default. IMA_EVM_ROOTFS_SIGNED ?= ". -type f" @@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= "" # Avoid re-generating fstab when ima is enabled. WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" +# Add necessary tools (e.g., keyctl) to image +IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}" + ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} @@ -59,17 +62,32 @@ ima_evm_sign_rootfs () { perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab fi - # Sign file with private IMA key. EVM not supported at the moment. - bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" - find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} - bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" - find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash + # Detect 32bit target to pass --m32 to evmctl by looking at libc + tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')" + if [ "${tmp}" = "ELF 32-bit" ]; then + evmctl_param="--m32" + elif [ "${tmp}" = "ELF 64-bit" ]; then + evmctl_param="" + else + bberror "Unknown target architecture bitness: '${tmp}'" >&2 + exit 1 + fi + + bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}" + + # check signing key and signature verification key + evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 + evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 # Optionally install custom policy for loading by systemd. - if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then + if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy - install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy + + bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" fi } diff --git a/meta-security/meta-integrity/data/debug-keys/README.md b/meta-security/meta-integrity/data/debug-keys/README.md new file mode 100644 index 0000000000..e61396892f --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/README.md @@ -0,0 +1,17 @@ +# EVM & IMA keys + +The following IMA & EVM debug/test keys are in this directory + +- ima-local-ca.priv: The CA's private key (password: 1234) +- ima-local-ca.pem: The CA's self-signed certificate +- privkey_ima.pem: IMA & EVM private key used for signing files +- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures + +The CA's (self-signed) certificate can be used to verify the validity of +the x509_ima.der certificate. Since the CA certificate will be built into +the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must +pass this test: + +``` + openssl verify -CAfile ima-local-ca.pem x509_ima.der +```` diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem new file mode 100644 index 0000000000..4b48be4f02 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9 +MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt +c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG +SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP +MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD +DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp +Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU +rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG +A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud +IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO +PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu +clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw== +-----END CERTIFICATE----- diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv new file mode 100644 index 0000000000..e13de233d1 --- /dev/null +++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv @@ -0,0 +1,7 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw +DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK +x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems +lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY +LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem index 502a0b68d7..8362cfeb4d 100644 --- a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem +++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem @@ -1,16 +1,5 @@ -----BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU -Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 -IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p -OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 -lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW -HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV -aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA -TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue -WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb -SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 -xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ -CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q -1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ -3vVaxg2EfqB1 +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm +SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj +cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv -----END PRIVATE KEY----- diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der Binary files differindex 087ca6bea5..3f6f24e613 100644 --- a/meta-security/meta-integrity/data/debug-keys/x509_ima.der +++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py index 0c8617a567..6b361cabc5 100644 --- a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py +++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py @@ -58,21 +58,19 @@ class IMACheck(OERuntimeTestCase): @OETestDepends(['ima.IMACheck.test_ima_enabled']) def test_ima_hash(self): ''' Test if IMA stores correct file hash ''' - filename = "/etc/filetest" + filename = "/etc/ld.so.cache" ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" - status, output = self.target.run("echo test > %s" % filename) - self.assertEqual(status, 0, "Cannot create file %s on target" % filename) # wait for the IMA system to update the entry - maximum_tries = 30 + maximum_tries = 3 tries = 0 - status, output = self.target.run("sha1sum %s" %filename) + status, output = self.target.run("sha256sum %s" %filename) sleep(2) current_hash = output.split()[0] ima_hash = "" while tries < maximum_tries: - status, output = self.target.run("cat %s | grep %s" \ + status, output = self.target.run("cat %s | grep -e '%s'" \ % (ima_measure_file, filename)) # get last entry, 4th field if status == 0: diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb index f40e8670f4..502217063b 100644 --- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb +++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb @@ -18,4 +18,4 @@ export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" +QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend index be60bfeac4..be60bfeac4 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch deleted file mode 100644 index 64016dd3e0..0000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 -From: Mimi Zohar <zohar@linux.vnet.ibm.com> -Date: Tue, 8 Mar 2016 16:43:55 -0500 -Subject: [PATCH] ima: fix ima_inode_post_setattr - -Changing file metadata (eg. uid, guid) could result in having to -re-appraise a file's integrity, but does not change the "new file" -status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and -IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch -only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. - -With this patch, changing the file timestamp will not remove the -file signature on new files. - -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] - -Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> -Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> ---- - security/integrity/ima/ima_appraise.c | 2 +- - security/integrity/integrity.h | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..a384ba1 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) - if (iint) { - iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | - IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | -- IMA_ACTION_FLAGS); -+ IMA_ACTION_RULE_FLAGS); - if (must_appraise) - iint->flags |= IMA_APPRAISE; - } -diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h -index 0fc9519..f9decae 100644 ---- a/security/integrity/integrity.h -+++ b/security/integrity/integrity.h -@@ -28,6 +28,7 @@ - - /* iint cache flags */ - #define IMA_ACTION_FLAGS 0xff000000 -+#define IMA_ACTION_RULE_FLAGS 0x06000000 - #define IMA_DIGSIG 0x01000000 - #define IMA_DIGSIG_REQUIRED 0x02000000 - #define IMA_PERMIT_DIRECTIO 0x04000000 --- -2.5.0 - diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch deleted file mode 100644 index 6ab7ce277c..0000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch +++ /dev/null @@ -1,138 +0,0 @@ -From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 -From: Mimi Zohar <zohar@linux.vnet.ibm.com> -Date: Thu, 10 Mar 2016 18:19:20 +0200 -Subject: [PATCH] ima: add support for creating files using the mknodat - syscall - -Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" -stopped identifying empty files as new files. However new empty files -can be created using the mknodat syscall. On systems with IMA-appraisal -enabled, these empty files are not labeled with security.ima extended -attributes properly, preventing them from subsequently being opened in -order to write the file data contents. This patch marks these empty -files, created using mknodat, as new in order to allow the file data -contents to be written. - -Files with security.ima xattrs containing a file signature are considered -"immutable" and can not be modified. The file contents need to be -written, before signing the file. This patch relaxes this requirement -for new files, allowing the file signature to be written before the file -contents. - -Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] - -Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> ---- - fs/namei.c | 2 ++ - include/linux/ima.h | 7 ++++++- - security/integrity/ima/ima_appraise.c | 3 +++ - security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- - 4 files changed, 42 insertions(+), 2 deletions(-) - -diff --git a/fs/namei.c b/fs/namei.c -index ccd7f98..19502da 100644 ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -3526,6 +3526,8 @@ retry: - switch (mode & S_IFMT) { - case 0: case S_IFREG: - error = vfs_create(path.dentry->d_inode,dentry,mode,true); -+ if (!error) -+ ima_post_path_mknod(dentry); - break; - case S_IFCHR: case S_IFBLK: - error = vfs_mknod(path.dentry->d_inode,dentry,mode, -diff --git a/include/linux/ima.h b/include/linux/ima.h -index 120ccc5..7f51971 100644 ---- a/include/linux/ima.h -+++ b/include/linux/ima.h -@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); - extern int ima_file_mmap(struct file *file, unsigned long prot); - extern int ima_module_check(struct file *file); - extern int ima_fw_from_file(struct file *file, char *buf, size_t size); -- -+extern void ima_post_path_mknod(struct dentry *dentry); - #else - static inline int ima_bprm_check(struct linux_binprm *bprm) - { -@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) - return 0; - } - -+static inline void ima_post_path_mknod(struct dentry *dentry) -+{ -+ return; -+} -+ - #endif /* CONFIG_IMA */ - - #ifdef CONFIG_IMA_APPRAISE -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4df493e..20806ea 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -274,6 +274,11 @@ out: - xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { - if (!ima_fix_xattr(dentry, iint)) - status = INTEGRITY_PASS; -+ } else if ((inode->i_size == 0) && -+ (iint->flags & IMA_NEW_FILE) && -+ (xattr_value && -+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { -+ status = INTEGRITY_PASS; - } - integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, - op, cause, rc, 0); -diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c -index eeee00dc..705bf78 100644 ---- a/security/integrity/ima/ima_main.c -+++ b/security/integrity/ima/ima_main.c -@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, - ima_audit_measurement(iint, pathname); - - out_digsig: -- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) -+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && -+ !(iint->flags & IMA_NEW_FILE)) - rc = -EACCES; - kfree(xattr_value); - out_free: -@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) - EXPORT_SYMBOL_GPL(ima_file_check); - - /** -+ * ima_post_path_mknod - mark as a new inode -+ * @dentry: newly created dentry -+ * -+ * Mark files created via the mknodat syscall as new, so that the -+ * file data can be written later. -+ */ -+void ima_post_path_mknod(struct dentry *dentry) -+{ -+ struct integrity_iint_cache *iint; -+ struct inode *inode; -+ int must_appraise; -+ -+ if (!dentry || !dentry->d_inode) -+ return; -+ -+ inode = dentry->d_inode; -+ if (inode->i_size != 0) -+ return; -+ -+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); -+ if (!must_appraise) -+ return; -+ -+ iint = integrity_inode_get(inode); -+ if (iint) -+ iint->flags |= IMA_NEW_FILE; -+} -+ -+/** - * ima_module_check - based on policy, collect/store/appraise measurement. - * @file: pointer to the file to be measured/appraised - * --- -2.5.0 - diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch deleted file mode 100644 index 157c007ba0..0000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch +++ /dev/null @@ -1,60 +0,0 @@ -From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@intel.com> -Date: Tue, 15 Nov 2016 10:10:23 +0100 -Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log - modes" - -This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. - -The original motivation was security hardening ("File hashes are -automatically set and updated and should not be manually set.") - -However, that hardening ignores and breaks some valid use cases: -- File hashes might not be set because the file is currently - outside of the policy and therefore have to be set by the - creator. Examples: - - Booting into an initramfs with an IMA-enabled kernel but - without setting an IMA policy, then installing - the OS onto the target partition by unpacking a rootfs archive - which has the file hashes pre-computed. - - Unpacking a file into a staging area with meta data (like owner) - that leaves the file outside of the current policy, then changing - the meta data such that it becomes part of the current policy. -- "should not be set manually" implies that the creator is aware - of IMA semantic, the current system's configuration, and then - skips setting file hashes in security.ima if (and only if) the - kernel would prevent it. That's not the case for standard, unmodified - tools. Example: unpacking an archive with security.ima xattrs with - bsdtar or GNU tar. - -Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> ---- - security/integrity/ima/ima_appraise.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c -index 4b9b4a4..b8b2dd9 100644 ---- a/security/integrity/ima/ima_appraise.c -+++ b/security/integrity/ima/ima_appraise.c -@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, - result = ima_protect_xattr(dentry, xattr_name, xattr_value, - xattr_value_len); - if (result == 1) { -- bool digsig; -- - if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) - return -EINVAL; -- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); -- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) -- return -EPERM; -- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); -+ ima_reset_appraise_flags(d_backing_inode(dentry), -+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); - result = 0; - } - return result; --- -2.1.4 - diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg new file mode 100644 index 0000000000..d7d80a62aa --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg @@ -0,0 +1,45 @@ +CONFIG_KEYS=y +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" +CONFIG_SECONDARY_TRUSTED_KEYRING=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS8_PRIVATE_KEY_PARSER=y +CONFIG_CRYPTO_ECDSA=y +CONFIG_SECURITY=y +CONFIG_SECURITYFS=y +CONFIG_INTEGRITY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y +CONFIG_IMA=y +CONFIG_IMA_MEASURE_PCR_IDX=10 +CONFIG_IMA_LSM_RULES=y +# CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_NG_TEMPLATE is not set +CONFIG_IMA_SIG_TEMPLATE=y +CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set +CONFIG_IMA_DEFAULT_HASH="sha256" +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_READ_POLICY=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_APPRAISE_BUILD_POLICY=y +CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y +# CONFIG_IMA_APPRAISE_BOOTPARAM is not set +# CONFIG_IMA_APPRAISE_MODSIG is not set +CONFIG_IMA_TRUSTED_KEYRING=y +CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_BLACKLIST_KEYRING is not set +# CONFIG_IMA_LOAD_X509 is not set +CONFIG_IMA_APPRAISE_SIGNED_INIT=y +CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y +CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y +# CONFIG_IMA_DISABLE_HTABLE is not set +CONFIG_EVM=y +# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc new file mode 100644 index 0000000000..6eb84b06dd --- /dev/null +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc @@ -0,0 +1,4 @@ +define KFEATURE_DESCRIPTION "Enable IMA" + +kconf non-hardware ima.cfg + diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc index 3ab53e5de7..701680014f 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -1,4 +1,14 @@ -KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" +FILESEXTRAPATHS:append := "${THISDIR}/linux:" + +SRC_URI += " \ + ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ +" + +do_configure:append() { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then + sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config + fi +} KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch new file mode 100644 index 0000000000..3624576ff9 --- /dev/null +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch @@ -0,0 +1,35 @@ +From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 +From: Stefan Berger <stefanb@linux.ibm.com> +Date: Tue, 18 Apr 2023 11:43:55 -0400 +Subject: [PATCH] Do not get generation using ioctl when evm_portable is true + +If a signatures is detected as being portable do not attempt to read the +generation with the ioctl since in some cases this may not be supported +by the filesystem and is also not needed for computing a portable +signature. + +This avoids the current work-around of passing --generation 0 when the +ioctl is not supported by the filesystem. + +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> +--- + src/evmctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 6d2bb67..c35a28c 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + if (mode_str) + st.st_mode = strtoul(mode_str, NULL, 10); + +- if (!evm_immutable) { ++ if (!evm_immutable && !evm_portable) { + if (S_ISREG(st.st_mode) && !generation_str) { + int fd = open(file, 0); + +--- +2.39.2 + + diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb index 873aeeb855..8ac080c236 100644 --- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb +++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb @@ -6,8 +6,13 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" -SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" +FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" + +SRC_URI = " \ + https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ +" +SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" inherit pkgconfig autotools features_check diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all index 36e71a7d65..3498025dd3 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all @@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x6e736673 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 +# Cgroup +dont_appraise fsmagic=0x27e0eb +# Cgroup2 +dont_appraise fsmagic=0x63677270 -appraise +# Appraise libraries +appraise func=MMAP_CHECK mask=MAY_EXEC +# Appraise executables +appraise func=BPRM_CHECK diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh index 5f3a728fa0..b10b1ba27d 100755 --- a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh +++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh @@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv} cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem -openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ +openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \ -CA $CA -CAkey $CAKEY -CAcreateserial \ -outform DER -out x509_ima.der diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh index b6007614ab..339d3e3c5b 100755 --- a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh +++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh @@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -33,10 +32,11 @@ emailAddress = john.doe@example.com basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh deleted file mode 100755 index 5ee876c052..0000000000 --- a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/sh -# -# Copied from ima-evm-utils. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# version 2 as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -GENKEY=ima.genkey - -cat << __EOF__ >$GENKEY -[ req ] -default_bits = 1024 -distinguished_name = req_distinguished_name -prompt = no -string_mask = utf8only -x509_extensions = myexts - -[ req_distinguished_name ] -O = example.com -CN = meta-intel-iot-security example signing key -emailAddress = john.doe@example.com - -[ myexts ] -basicConstraints=critical,CA:FALSE -keyUsage=digitalSignature -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid -__EOF__ - -openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ - -x509 -config $GENKEY \ - -outform DER -out x509_ima.der -keyout privkey_ima.pem diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 0a71694cd6..7d272a2858 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -12,3 +12,5 @@ LAYERSERIES_COMPAT_parsec-layer = "mickledore" LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" + +addpylib ${LAYERDIR}/lib oeqa diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch b/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch new file mode 100644 index 0000000000..d365ec11b8 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch @@ -0,0 +1,51 @@ +From 4b1de197ee0dd259cc05d5faf7fd38b580d841d2 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Tue, 2 May 2023 16:22:13 -0400 +Subject: [PATCH] osdetection: add OpenEmbedded and Poky + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Upstream-Status: Pending +https://github.com/CISOfy/lynis/pull/1390 + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + include/osdetection | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/include/osdetection b/include/osdetection +index 989b1b3..e5974e5 100644 +--- a/include/osdetection ++++ b/include/osdetection +@@ -308,6 +308,12 @@ + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; ++ "nodistro") ++ LINUX_VERSION="openembedded" ++ OS_NAME="OpenEmbedded" ++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ ;; + "opensuse-tumbleweed") + LINUX_VERSION="openSUSE Tumbleweed" + # It's rolling release but has a snapshot version (the date of the snapshot) +@@ -330,6 +336,14 @@ + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; ++ "poky") ++ LINUX_VERSION="Poky" ++ OS_NAME="openembedded" ++ LINUX_VERSION_LIKE="openembedded" ++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ ++ ;; + "pop") + LINUX_VERSION="Pop!_OS" + LINUX_VERSION_LIKE="Ubuntu" +-- +2.25.1 + diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb index d38c17a3f8..0a4981245c 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb @@ -6,7 +6,9 @@ HOMEDIR = "https://cisofy.com/" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" -SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz" +SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz \ + file://0001-osdetection-add-OpenEmbedded-and-Poky.patch \ + " SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63" diff --git a/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb b/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb deleted file mode 100644 index 0ad427dff8..0000000000 --- a/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb +++ /dev/null @@ -1,32 +0,0 @@ -inherit allarch - -SUMMARY = "Operating release identification" -DESCRIPTION = "The /etc/openembedded-release file contains operating system identification data." -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -INHIBIT_DEFAULT_DEPS = "1" - -do_fetch[noexec] = "1" -do_unpack[noexec] = "1" -do_patch[noexec] = "1" -do_configure[noexec] = "1" - -VERSION = "0" -RELEASE_NAME = "${DISTRO_NAME} ${DISTRO} ${VERSION}" - -def sanitise_version(ver): - ret = ver.replace('+', '-').replace(' ','_') - return ret.lower() - -python do_compile () { - import shutil - release_name = d.getVar('RELEASE_NAME') - with open(d.expand('${B}/openemebedded-release'), 'w') as f: - f.write('%s\n' % release_name) -} -do_compile[vardeps] += "${RELEASE_NAME}" - -do_install () { - install -d ${D}${sysconfdir} - install -m 0644 openemebedded-release ${D}${sysconfdir}/ -} diff --git a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend deleted file mode 100644 index 604bacb1a0..0000000000 --- a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend +++ /dev/null @@ -1 +0,0 @@ -CPE_NAME="cpe:/o:openembedded:nodistro:0" diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc index e7b216d8f0..e7b216d8f0 100644 --- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc +++ b/meta-security/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index fb36fab3a1..fb0105e29d 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -3,6 +3,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +PACKAGE_ARCH = "${TUNE_PKGARCH}" + inherit packagegroup PACKAGES = "${PN}" @@ -12,6 +14,9 @@ RDEPENDS:packagegroup-security-tpm2 = " \ tpm2-tools \ trousers \ tpm2-tss \ + libtss2-mu \ + libtss2-tcti-device \ + libtss2-tcti-mssim \ libtss2 \ tpm2-abrmd \ tpm2-pkcs11 \ diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb index cf800649a1..a86031922e 100644 --- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb +++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb @@ -2,7 +2,7 @@ SUMMARY = "LIBPM - Software TPM Library" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9" -SRCREV = "df1c3e98d697f3c1f09262d2ba161a7db784d6cc" +SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630" SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https" PE = "1" diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb index 55d83f9597..614b07fa01 100644 --- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb +++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb @@ -6,8 +6,8 @@ SECTION = "apps" # expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib" -SRCREV = "f2268eebb0d1adf89bad83fa4cf91e37b4e3fa53" -SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.7-next;protocol=https \ +SRCREV = "2ae7b019370760e17f4f2675195a91ca53950eda" +SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=master;protocol=https \ " PE = "1" diff --git a/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb b/meta-security/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb index a3ebce7e8c..a3ebce7e8c 100644 --- a/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb +++ b/meta-security/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch index bed8b92a2a..bed8b92a2a 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch index 2caaaf0543..2caaaf0543 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch index cc8772d20c..cc8772d20c 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch index 535472a20e..535472a20e 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch index 2f8eb81272..2f8eb81272 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb index e3e643e005..e3e643e005 100644 --- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb +++ b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch index cf2d437801..cf2d437801 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch +++ b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb index 45da416a78..45da416a78 100644 --- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb +++ b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb index 4672bba518..4672bba518 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch index 5018d45b21..5018d45b21 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch index 9ae3f72a3e..9ae3f72a3e 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch index 40150af87d..40150af87d 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb index b47d53a689..b47d53a689 100644 --- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-security/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch index 7b3cc77c50..7b3cc77c50 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-security/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch index 3f5a144d9a..3f5a144d9a 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-security/meta-tpm/recipes-tpm1/trousers/files/tcsd.service index 787d4e97b8..787d4e97b8 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/files/tcsd.service diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules index 256babd73a..256babd73a 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh index d0d6cb3c41..d0d6cb3c41 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm1/trousers/trousers_git.bb index 192c66c9f4..192c66c9f4 100644 --- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb +++ b/meta-security/meta-tpm/recipes-tpm1/trousers/trousers_git.bb diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb index ef73238927..8119bb11d8 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3" SECTION = "tpm" -DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive" +DEPENDS = "tpm2-tss openssl curl" SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" @@ -13,6 +13,3 @@ SRC_URI[sha256sum] = "1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec02612 UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases" inherit autotools pkgconfig bash-completion - -# need tss-esys -RDEPENDS:${PN} = "libtss2 tpm2-abrmd" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb index cc7e6ae277..6386105cd3 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb @@ -18,7 +18,7 @@ CVE_PRODUCT = "tpm2_software_stack" inherit autotools pkgconfig systemd useradd -PACKAGECONFIG ??= "vendor" +PACKAGECONFIG ??= "" PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, " PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c util-linux-libuuid " PACKAGECONFIG[policy] = "--enable-policy,--disable-policy,json-c util-linux-libuuid " diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb index c211f03212..55c10fa1a9 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb @@ -9,7 +9,7 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \ file://0002-Makefile-don-t-set-uid-gid.patch \ " -SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083" +SRCREV = "bf797c759994015274f3bc31fe2bed278cce67ee" UPSTREAM_CHECK_COMMITS = "1" diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.43.bb index e2866c8307..582541958b 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.43.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" -SRCREV = "b14f81bfddbc7206ea713177fcf1e1090257dcd2" +SRCREV = "be0063a6138f795fc1af76cc5340bcb11d3b0b87" DEPENDS = "zlib" diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.10.bb b/meta-security/recipes-ids/suricata/suricata_6.0.11.bb index 9d533568c7..914278ea2a 100644 --- a/meta-security/recipes-ids/suricata/suricata_6.0.10.bb +++ b/meta-security/recipes-ids/suricata/suricata_6.0.11.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" -SRC_URI[sha256sum] = "59bfd1bf5d9c1596226fa4815bf76643ce59698866c107a26269c481f125c4d7" +SRC_URI[sha256sum] = "4da5e4e91e49992633a6024ce10afe6441255b2775a8f20f1ef188bd1129ac66" DEPENDS = "lz4 libhtp" diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb index d319e48dbe..3de2bfac86 100644 --- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb +++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb @@ -9,11 +9,16 @@ SECTION = "base" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRCREV = "56b898c896240328adef7407090215abbe9ee03d" +SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23" SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https" S = "${WORKDIR}/git" +do_compile:prepend() { + sed -i 's/fscryptctl\.1//g' ${S}/Makefile + sed -i 's/install-man//g' ${S}/Makefile +} + do_install() { oe_runmake DESTDIR=${D} PREFIX=/usr install } diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb index 4d1f5843a6..49139d27e5 100644 --- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb +++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb @@ -23,7 +23,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2 \ SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280" SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0" -inherit autotools-brokensep ptest +inherit autotools-brokensep ptest multilib_header + +do_install:append() { + oe_multilib_header mutils/mhash_config.h +} do_compile_ptest() { if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in index ef114cab03..a275a48891 100644 --- a/meta-security/wic/systemd-bootdisk-dmverity.wks.in +++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in @@ -5,6 +5,7 @@ # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file # # This .wks only works with the dm-verity-img class. +# Also note that the use of microcode.cpio introduces a meta-intel layer dependency. part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid |