path: root/meta-integrity
Commit log: commit message, author, age, files changed, lines removed/added
...
* init.ima: Fix up the syntax error
  Author: Jia Zhang | Age: 2018-03-19 | Files: 1 | Lines: -1/+1
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* ima/linux-yocto: Enable CONFIG_IMA_READ_POLICY and CONFIG_IMA_APPRAISE_BOOTPARAM
  Author: Jia Zhang | Age: 2018-03-19 | Files: 1 | Lines: -1/+2
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* integrity/linux-yocto: Enable CONFIG_SYSTEM_BLACKLIST_KEYRING
  Author: Jia Zhang | Age: 2018-03-19 | Files: 1 | Lines: -0/+1
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>

* init.ima: Fix the failure when importing the external policy from real rootfs
  Author: Jia Zhang | Age: 2018-03-19 | Files: 1 | Lines: -1/+3
  Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
* meta-integrity: Ensure that we have CONFIG_SECURITY enabled in the kernel
  Author: Tom Rini | Age: 2018-02-22 | Files: 1 | Lines: -0/+1

  To make it easier to use this layer with various BSP layers we need to ensure
  that we set CONFIG_SECURITY=y, as that is in turn required by the rest of our
  features, except for CONFIG_SECURITYFS.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* meta-integrity: Fix build problem on ima-inspect
  Author: Tom Rini | Age: 2018-02-17 | Files: 1 | Lines: -1/+1

  The sources require that we have pkgconfig support as well; add the missing
  inherit.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* meta-integrity: Add ima-inspect utility
  Author: Tom Rini | Age: 2018-02-16 | Files: 2 | Lines: -0/+12

  ima_inspect is a small program that allows giving a human-readable
  representation of the contents of the extended attributes (xattrs) that the
  Linux IMA security subsystem creates and manages for files.

  Signed-off-by: Tom Rini <trini@konsulko.com>

* meta-integrity: Drop RPM patches that are upstream now
  Author: Tom Rini | Age: 2018-02-14 | Files: 12 | Lines: -796/+0

  As of OE-Core rev b4613b6ce07c295c5d6de6861acf19315acaccb2 we are using
  rpm-4.14.0 as the base version. This includes all of the patches we had been
  applying.

  Signed-off-by: Tom Rini <trini@konsulko.com>
* util-linux: Fix package name extension
  Author: Holger Dengler | Age: 2017-12-09 | Files: 2 | Lines: -3/+3

  Yocto (pyro) uses the character "_" to separate the package name from the
  version number. If this character is used in the package name or in a package
  name extension, the build will fail. Replacing the "_" with one of the allowed
  characters fixes the problem.

  Signed-off-by: Holger Dengler <dengler@linutronix.de>

* linux-yocto: fix loading kernel module due to being stripped
  Author: Jia Zhang | Age: 2017-11-26 | Files: 1 | Lines: -0/+2

  The kernel module will be stripped during do_package, including the modsign
  signature. Use INHIBIT_PACKAGE_STRIP=1 if modsign is configured.

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* meta-integrity: enable modsign support in kernel
  Author: Jia Zhang | Age: 2017-11-21 | Files: 3 | Lines: -5/+30
  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* initrdscripts: rename expected ima certificate (#28)
  Author: Yunguo Wei | Age: 2017-11-12 | Files: 1 | Lines: -1/+1

  evmctl is able to import DER format certificates only. Although *.crt doesn't
  mean it's a PEM certificate, *.der makes more sense.

  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>

* rpm: always include rpm-integrity.inc for RPM signing
  Author: Jia Zhang | Age: 2017-10-27 | Files: 1 | Lines: -1/+1

  rpm-integrity is required for RPM signing, which is enabled by default.

  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* meta-integrity: fix build failure caused by 6aa83f98b
  Author: Jia Zhang | Age: 2017-10-27 | Files: 1 | Lines: -1/+1
  Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>

* rpm: only apply bbappend file when ima in DISTRO_FEATURES (#27)
  Author: Kai | Age: 2017-10-27 | Files: 2 | Lines: -22/+23

  Rename the bbappend file of rpm and only include it when ima is in
  DISTRO_FEATURES. Plugin 'systemd' of rpm-native causes a warning during
  do_rootfs:

  | WARNING: wrlinux-image-glibc-std-1.0-r5 do_rootfs: [log_check] wrlinux-image-glibc-std: found 1 warning message in the logfile:
  | [log_check] warning: Unable to get systemd shutdown inhibition lock: Socket name too long

  Signed-off-by: Kai Kang <kai.kang@windriver.com>

* keyutils: update to 1.5.10 (#22)
  Author: Wenzong Fan | Age: 2017-09-27 | Files: 3 | Lines: -49/+57

  - rebase patches:
      - keyutils_fix_library_install.patch
      - keyutils-remove-m32-m64.patch
  - append '-Wall' to CFLAGS for fixing:
      .../recipe-sysroot/usr/include/features.h:376:4: error: \
      #warning _FORTIFY_SOURCE requires compiling with \
      optimization (-O) [-Werror=cpp]
  - clean up alternative targets; the *keyring*.7 files have been removed from
    keyutils 1.5.10.

  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
* meta-secure-core: clean up ${COREBASE}/LICENSE and ${COREBASE}/meta/COPYING.MIT
  Author: Jia Zhang | Age: 2017-09-02 | Files: 3 | Lines: -4/+3

  ${COREBASE}/LICENSE is not a valid license file. So it is recommended to use
  '${COMMON_LICENSE_DIR}/MIT' for an MIT License file in LIC_FILES_CHKSUM. This
  will become an error in the future.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* Update BB_HASHBASE_WHITELIST
  Author: Jia Zhang | Age: 2017-09-01 | Files: 1 | Lines: -0/+4
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: add tpm2, tpm as LAYERRECOMMENDS (#9)
  Author: Wenzong Fan | Age: 2017-08-24 | Files: 1 | Lines: -0/+3
  Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

* sign_rpm_ext: make sure all target recipes are signed
  Author: Jia Zhang | Age: 2017-08-24 | Files: 2 | Lines: -24/+26

  Placing the key import logic under signing-keys cannot ensure all target
  recipes are always signed. Instead, place it before do_package_write_rpm.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* meta-integrity: remove INHERIT += "sign_rpm_ext"
  Author: Jia Zhang | Age: 2017-08-23 | Files: 1 | Lines: -2/+0

  This definition should be placed in local.conf.

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix the race condition when concurrent import operations occur
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -0/+1
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* encrypted-storage: use luks as the feature name for current implementation
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -3/+3

  The encrypted-storage layer will include more security features about
  encrypted storage, so the term "encrypted-storage" won't be used to specify a
  dedicated technology term such as "LUKS".

  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix gpg key import failure due to wrong option position
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -2/+2
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: clean up
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -3/+1
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: define the location of default gpg keyring to TMPDIR
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -1/+1
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: fix permission warning
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -1/+1
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* signing-keys: fix gpg key import failure
  Author: Jia Zhang | Age: 2017-08-20 | Files: 1 | Lines: -2/+2
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext.bbclass: clean up
  Author: Jia Zhang | Age: 2017-08-19 | Files: 1 | Lines: -9/+1
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
* sign_rpm_ext: Fix the GPG_PATH directory not exist issue (#4)
  Author: Guojian | Age: 2017-08-19 | Files: 1 | Lines: -8/+7

  If "GPG_PATH" is set in the init script, then the "signing-keys"
  get_public_keys task will fail to execute. So the "GPG_PATH" directory would
  be created when "GPG_PATH" is set. The do_get_public_keys "failed to import
  gpg key" error information is as follows:

  ----------------------------------------------------------------------------------------
  ERROR: signing-keys-1.0-r0 do_get_public_keys: Function failed: Failed to import gpg key (layers/meta-secure-core/meta-signing-key/files/rpm_keys/RPM-GPG-PRIVKEY-SecureCore):
  gpg: fatal: can't create directory `tmp/deploy/images/intel-corei7-64/.gnupg': No such file or directory

  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* keyutils: Fix keyutils man7 files conflict with man-pages same name files (#3)
  Author: Guojian | Age: 2017-08-19 | Files: 1 | Lines: -0/+15

  The keyutils-doc package supplies some man7 files with the same names as
  man-pages, which will cause the rpm package installation or upgrade to fail.
  The keyutils-doc and man-pages rpm packages' transaction check error
  information is as follows:

  --------------------------------------------------------------------
  Running transaction test
  Error: Transaction check error:
    file /usr/share/man/man7/keyrings.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/persistent-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/process-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/thread-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/user-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64
    file /usr/share/man/man7/user-session-keyring.7 from install of keyutils-doc-1.5.9+git0+9209a0c8fd-r0.0.core2_64 conflicts with file from package man-pages-4.11-r0.0.core2_64

  Signed-off-by: Guojian Zhou <guojian.zhou@windriver.com>

* sign_rpm_ext.bbclass: use the default setting from meta-signing-key
  Author: Jia Zhang | Age: 2017-08-19 | Files: 2 | Lines: -14/+3
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: set default GPG_PATH if it is not specified (#2)
  Author: yunguowei | Age: 2017-08-19 | Files: 1 | Lines: -0/+15

  commit 52bf3b6636f95a (meta-integrity: move gpg keyring initialization to
  signing-keys) tried to initialize the keyring in the task check_public_keys of
  the recipe signing-keys. However, it does work with the recipe signing-keys
  only, and GPG_PATH can't be passed to other recipes. We bring the python
  anonymous function back, and it makes sure GPG_PATH is set before signing the
  packages for every recipe.

  Signed-off-by: Yunguo Wei <yunguo.wei@windriver.com>
* meta-integrity: move gpg keyring initialization to signing-keys
  Author: Jia Zhang | Age: 2017-08-17 | Files: 2 | Lines: -38/+37
  Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>

* sign_rpm_ext: support RPM signing
  Author: Lans Zhang | Age: 2017-08-17 | Files: 1 | Lines: -6/+45
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* ima-evm-utils: support to build with openssl-1.1.x
  Author: Lans Zhang | Age: 2017-08-16 | Files: 2 | Lines: -0/+300
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* README.md: update reference links
  Author: Lans Zhang | Age: 2017-08-16 | Files: 1 | Lines: -2/+2
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-integrity/README.md: update
  Author: Lans Zhang | Age: 2017-08-16 | Files: 1 | Lines: -12/+25
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* init.ima: clean up and allow to load extra IMA policies from the real rootfs
  Author: Lans Zhang | Age: 2017-08-15 | Files: 1 | Lines: -10/+18
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* ima_policy: update the comment
  Author: Lans Zhang | Age: 2017-08-15 | Files: 1 | Lines: -1/+2
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-integrity/README.md: update
  Author: Lans Zhang | Age: 2017-08-15 | Files: 1 | Lines: -15/+14
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-integrity/README.md: update
  Author: Lans Zhang | Age: 2017-08-15 | Files: 1 | Lines: -30/+38
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* systemd: fix the conditions of PACKAGECONFIG for ima and cryptsetup
  Author: Lans Zhang | Age: 2017-08-04 | Files: 1 | Lines: -1/+1
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* systemd: enable ima and cryptsetup
  Author: Lans Zhang | Age: 2017-08-04 | Files: 1 | Lines: -0/+4
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* rpm: remove PACKAGECONFIG[imaevm]
  Author: Lans Zhang | Age: 2017-07-28 | Files: 1 | Lines: -1/+0

  This setting is already merged to oe-core.

  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-secure-core: code style fixup
  Author: Lans Zhang | Age: 2017-07-28 | Files: 2 | Lines: -16/+19
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* IMA: move the default policy file to /etc/ima directory
  Author: Lans Zhang | Age: 2017-07-25 | Files: 2 | Lines: -8/+10
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* IMA: allow to write policy but deny to read policy
  Author: Lans Zhang | Age: 2017-07-20 | Files: 1 | Lines: -1/+1
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* meta-secure-core: define the oe index name
  Author: Lans Zhang | Age: 2017-07-20 | Files: 1 | Lines: -0/+2
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

* sign_rpm_ext: remove the test lines
  Author: Lans Zhang | Age: 2017-07-19 | Files: 1 | Lines: -4/+0
  Signed-off-by: Lans Zhang <jia.zhang@windriver.com>