author | Armin Kuster <akuster808@gmail.com> | 2019-05-19 09:52:37 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-05-28 07:38:52 -0700 |
commit | e7771ce287028a21d8eec23ae2145be8f234b671 (patch) | |
tree | 7f304f9abaa0ccc818e6090d2d5e4962ea6f6d78 /meta-integrity | |
parent | f26869aef36bd278d14cfe48101cdf5f7189a7c4 (diff) | |
linux: update bbappend
remove untested code
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-integrity')
-rw-r--r-- | meta-integrity/recipes-kernel/linux/linux-%.bbappend | 117 |
1 files changed, 2 insertions, 115 deletions
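diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 48560b1..931854e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,116 +1,3 @@
-IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
 
-IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:"
-IMA_FILESEXTRAPATHS_no := ""
-FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}"
-
-# These two patches are necessary to unpack archives with security.ima xattr
-# such that security.ima is taken from the archive. If the policy
-# allows hashing, unpatched kernels (at least up to 4.3) will replace
-# a signed hash in security.ima with a locally computed hash.
-#
-# Note that only bsdtar/libarchive are known to work; GNU tar sets
-# the security.ima on an empty file and the tries re-opening it for
-# writing its content, which then fails due to the IMA hash mismatch.
-#
-# Kernels >= 4.7 have the patches, while older kernels are likely to
-# need the patches. So apply them by default. To avoid that,
-# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version)
-# to an empty string (to avoid patching) or some other patch files
-# suitable for that kernel.
-def ima_evm_setattr_patch(d):
-    result = []
-    linux_version = d.getVar('LINUX_VERSION', True) or ''
-    # These two patches are known to be included upstream.
-    if bb.utils.vercmp_string_op(linux_version, '4.7', '<'):
-        patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True)
-        if patches != None:
-            # Patches explicitly chosen, may be empty.
-            result.append(patches)
-        else:
-            # Enabled by default.
-            result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch')
-    # This one addresses a problem added in 4.2. The upstream revert will land
-    # in some future kernel. We need to extend version check once we know
-    # which kernels have the patch.
-    if bb.utils.vercmp_string_op(linux_version, '4.2', '>='):
-        patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True)
-        if patches != None:
-            # Patches explicitly chosen, may be empty.
-            result.append(patches)
-        else:
-            # Enabled by default.
-            result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch')
-    return ' '.join(result)
-
-# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison.
-IMA_EVM_SETATTR_PATCH_3.10.98 = ""
-
-# Kernel config fragment enabling IMA/EVM and (where necessary and possible)
-# also patching the kernel.
-IMA_EVM_CFG_yes = " file://ima.cfg \
-${@ ima_evm_setattr_patch(d)} \
-"
-IMA_EVM_CFG_no = ""
-SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}"
-
-# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded
-# x509 CA certificate which will get compiled into the kernel.
-# The kernel will then use it to validate additional certificates,
-# like the one loaded dynamically for IMA.
-#
-# Depending on the kernel version, there are two ways to add the
-# CA certificate:
-# - For Linux < 4.3, we put the x509 file into the source directory
-# where the kernel compilation will find it automatically
-# (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115).
-# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS
-# (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29).
-# The ima_evm_root_ca.cfg only contains a blank file name.
-# The actual file name gets patched in after the file was used
-# to configure the kernel (see do_kernel_configme_append).
-# This has to point to a single file, i.e. using it for IMA has to
-# be coordinated with other usages.
-#
-# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass.
-# Need weaker default here in case that ima-evm-rootfs.bbclass is not
-# inherited.
-IMA_EVM_ROOT_CA ??= ""
-
-# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and
-# copy the root certificate into the build directory. By using
-# the normal fetcher mechanism for the certificate we ensure that
-# a rebuild is triggered when the file name or content change.
-#
-# Recompiling on name change is a bit too aggressive and causes
-# unnecessary rebuilds when only the location of the file, but not its
-# content change. This may need further work, should it become a problem
-# in practice. For example, IMA_EVM_ROOT_CA could be redefined as
-# an URL that then gets found via the normal file lookup.
-#
-# The fetcher does not expand SRC_URI. We have to enforce that here.
-IMA_EVM_ROOT_CA_CFG_yes = "${@ \
-((' file://ima_evm_root_ca.cfg' if bb.utils.vercmp_string_op('${LINUX_VERSION}', '4.3', '>=') else '') + \
-' file://${IMA_EVM_ROOT_CA}') \
-if '${IMA_EVM_ROOT_CA}' else ''}"
-IMA_EVM_ROOT_CA_CFG_no = ""
-
-SRC_URI_append = "${IMA_EVM_ROOT_CA_CFG_${IMA_ENABLED_HERE}}"
-
-do_kernel_configme_append () {
-    if [ '${IMA_EVM_ROOT_CA}' ] && grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' ${B}/.config; then
-        # We can replace a blank value from ima_evm_root_ca.cfg,
-        # but when we find some other value, then we have to abort
-        # because we can't set more than one value.
-        eval `grep '^CONFIG_SYSTEM_TRUSTED_KEYS='`
-        if [ "$CONFIG_SYSTEM_TRUSTED_KEYS" ] && [ "$CONFIG_SYSTEM_TRUSTED_KEYS" != "${IMA_EVM_ROOT_CA}" ]; then
-            bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS already set to $CONFIG_SYSTEM_TRUSTED_KEYS, cannot replace with IMA_EVM_ROOT_CA = ${IMA_EVM_ROOT_CA}"
-            exit 1
-        fi
-        pemcert=${B}/`basename ${IMA_EVM_ROOT_CA}`.pem
-        openssl x509 -inform der -in ${IMA_EVM_ROOT_CA} -out $pemcert
-        sed -i -e "s;^CONFIG_SYSTEM_TRUSTED_KEYS=.*;CONFIG_SYSTEM_TRUSTED_KEYS=\"$pemcert\";" ${B}/.config
-    fi
-}
-
-do_kernel_configme[depends] += "${@ 'openssl-native:do_populate_sysroot' if '${IMA_ENABLED_HERE}' == 'yes' and '${IMA_EVM_ROOT_CA}' else '' }"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"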
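Review bot: The new `SRC_URI +=` line at the end of the hunk drops the `bb.data.inherits_class('kernel', d)` guard that the removed `IMA_ENABLED_HERE` carried, so with a `linux-%.bbappend` the `file://ima.cfg` fragment is now appended to every recipe whose name starts with `linux-` (for example linux-libc-headers or linux-firmware, if the distro builds them), not only the kernel; `SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d) if bb.data.inherits_class('kernel', d) else ''}"` keeps the old scope. The commit also removes the whole `IMA_EVM_ROOT_CA` / `CONFIG_SYSTEM_TRUSTED_KEYS` plumbing as "untested" without saying where the root CA that anchors the kernel's .ima keyring now comes from; if ima.cfg restricts the integrity keyring to builtin-trusted keys (not visible here), a kernel built from this append cannot load the IMA signing certificate unless the distro sets `CONFIG_SYSTEM_TRUSTED_KEYS` itself, which silently turns a signature-verifying setup into one that cannot be populated. A comment above the new `SRC_URI` line such as `# The IMA root CA is no longer compiled in here; point CONFIG_SYSTEM_TRUSTED_KEYS at it in your kernel config if the .ima keyring is restricted to builtin keys` would make that requirement visible to users of this layer.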