linux: update bbappend

remove untested code Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2019-05-19 09:52:37 -0700
committer: Armin Kuster <akuster808@gmail.com> 2019-05-28 07:38:52 -0700
commit: e7771ce287028a21d8eec23ae2145be8f234b671 (patch)
tree: 7f304f9abaa0ccc818e6090d2d5e4962ea6f6d78 /meta-integrity
parent: f26869aef36bd278d14cfe48101cdf5f7189a7c4 (diff)
download: meta-security-e7771ce287028a21d8eec23ae2145be8f234b671.tar.gz
1 files changed, 2 insertions, 115 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 48560b1..931854e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,116 +1,3 @@
-IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
-IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
-IMA_FILESEXTRAPATHS_no := ""
-FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}"
-# These two patches are necessary to unpack archives with security.ima xattr
-# such that security.ima is taken from the archive. If the policy
-# allows hashing, unpatched kernels (at least up to 4.3) will replace
-# a signed hash in security.ima with a locally computed hash.
-#
-# Note that only bsdtar/libarchive are known to work; GNU tar sets
-# the security.ima on an empty file and the tries re-opening it for
-# writing its content, which then fails due to the IMA hash mismatch.
-#
-# Kernels >= 4.7 have the patches, while older kernels are likely to
-# need the patches. So apply them by default. To avoid that,
-# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version)
-# to an empty string (to avoid patching) or some other patch files
-# suitable for that kernel.
-def ima_evm_setattr_patch(d):
-    result = []
-    linux_version = d.getVar('LINUX_VERSION', True) or ''
-    # These two patches are known to be included upstream.
-    if bb.utils.vercmp_string_op(linux_version, '4.7', '<'):
-        patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True)
-        if patches != None:
-            # Patches explicitly chosen, may be empty.
-            result.append(patches)
-        else:
-            # Enabled by default.
-            result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch')
-    # This one addresses a problem added in 4.2. The upstream revert will land
-    # in some future kernel. We need to extend version check once we know
-    # which kernels have the patch.
-    if bb.utils.vercmp_string_op(linux_version, '4.2', '>='):
-        patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True)
-        if patches != None:
-            # Patches explicitly chosen, may be empty.
-            result.append(patches)
-        else:
-            # Enabled by default.
-            result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch')
-    return ' '.join(result)
-# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison.
-IMA_EVM_SETATTR_PATCH_3.10.98 = ""
-# Kernel config fragment enabling IMA/EVM and (where necessary and possible)
-# also patching the kernel.
-IMA_EVM_CFG_yes = " file://ima.cfg \
-                    ${@ ima_evm_setattr_patch(d)} \
-                  "
-IMA_EVM_CFG_no = ""
-SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}"
-# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded
-# x509 CA certificate which will get compiled into the kernel.
-# The kernel will then use it to validate additional certificates,
-# like the one loaded dynamically for IMA.
-#
-# Depending on the kernel version, there are two ways to add the
-# CA certificate:
-# - For Linux < 4.3, we put the x509 file into the source directory
-#   where the kernel compilation will find it automatically
-#   (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115).
-# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS
-#   (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29).
-#   The ima_evm_root_ca.cfg only contains a blank file name.
-#   The actual file name gets patched in after the file was used
-#   to configure the kernel (see do_kernel_configme_append).
-#   This has to point to a single file, i.e. using it for IMA has to
-#   be coordinated with other usages.
-#
-# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass.
-# Need weaker default here in case that ima-evm-rootfs.bbclass is not
-# inherited.
-IMA_EVM_ROOT_CA ??= ""
-# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and
-# copy the root certificate into the build directory. By using
-# the normal fetcher mechanism for the certificate we ensure that
-# a rebuild is triggered when the file name or content change.
-#
-# Recompiling on name change is a bit too aggressive and causes
-# unnecessary rebuilds when only the location of the file, but not its
-# content change. This may need further work, should it become a problem
-# in practice. For example, IMA_EVM_ROOT_CA could be redefined as
-# an URL that then gets found via the normal file lookup.
-#
-# The fetcher does not expand SRC_URI. We have to enforce that here.
-IMA_EVM_ROOT_CA_CFG_yes = "${@ \
- ((' file://ima_evm_root_ca.cfg' if bb.utils.vercmp_string_op('${LINUX_VERSION}', '4.3', '>=') else '') + \
-   ' file://${IMA_EVM_ROOT_CA}') \
- if '${IMA_EVM_ROOT_CA}' else ''}"
-IMA_EVM_ROOT_CA_CFG_no = ""
-SRC_URI_append = "${IMA_EVM_ROOT_CA_CFG_${IMA_ENABLED_HERE}}"
-do_kernel_configme_append () {
-    if [ '${IMA_EVM_ROOT_CA}' ] && grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' ${B}/.config; then
-        # We can replace a blank value from ima_evm_root_ca.cfg,
-        # but when we find some other value, then we have to abort
-        # because we can't set more than one value.
-        eval `grep '^CONFIG_SYSTEM_TRUSTED_KEYS='`
-        if [ "$CONFIG_SYSTEM_TRUSTED_KEYS" ] && [ "$CONFIG_SYSTEM_TRUSTED_KEYS" != "${IMA_EVM_ROOT_CA}" ]; then
-            bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS already set to $CONFIG_SYSTEM_TRUSTED_KEYS, cannot replace with IMA_EVM_ROOT_CA = ${IMA_EVM_ROOT_CA}"
-            exit 1
-        fi
-        pemcert=${B}/`basename ${IMA_EVM_ROOT_CA}`.pem
-        openssl x509 -inform der -in ${IMA_EVM_ROOT_CA} -out $pemcert
-        sed -i -e "s;^CONFIG_SYSTEM_TRUSTED_KEYS=.*;CONFIG_SYSTEM_TRUSTED_KEYS=\"$pemcert\";" ${B}/.config
-    fi
-}
-do_kernel_configme[depends] += "${@ 'openssl-native:do_populate_sysroot' if '${IMA_ENABLED_HERE}' == 'yes' and '${IMA_EVM_ROOT_CA}' else '' }"
author	Armin Kuster <akuster808@gmail.com>	2019-05-19 09:52:37 -0700
committer	Armin Kuster <akuster808@gmail.com>	2019-05-28 07:38:52 -0700
commit	e7771ce287028a21d8eec23ae2145be8f234b671 (patch)
tree	7f304f9abaa0ccc818e6090d2d5e4962ea6f6d78 /meta-integrity
parent	f26869aef36bd278d14cfe48101cdf5f7189a7c4 (diff)
download	meta-security-e7771ce287028a21d8eec23ae2145be8f234b671.tar.gz

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend index 48560b1..931854e 100644 --- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend +++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,116 +1,3 @@
1	IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' in d.getVar('DISTRO_FEATURES', True).split() else 'no'}"	1	FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
2		2
3	IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:"	3	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
4	IMA_FILESEXTRAPATHS_no := ""
5	FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}"
6
7	# These two patches are necessary to unpack archives with security.ima xattr
8	# such that security.ima is taken from the archive. If the policy
9	# allows hashing, unpatched kernels (at least up to 4.3) will replace
10	# a signed hash in security.ima with a locally computed hash.
11	#
12	# Note that only bsdtar/libarchive are known to work; GNU tar sets
13	# the security.ima on an empty file and the tries re-opening it for
14	# writing its content, which then fails due to the IMA hash mismatch.
15	#
16	# Kernels >= 4.7 have the patches, while older kernels are likely to
17	# need the patches. So apply them by default. To avoid that,
18	# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version)
19	# to an empty string (to avoid patching) or some other patch files
20	# suitable for that kernel.
21	def ima_evm_setattr_patch(d):
22	result = []
23	linux_version = d.getVar('LINUX_VERSION', True) or ''
24	# These two patches are known to be included upstream.
25	if bb.utils.vercmp_string_op(linux_version, '4.7', '<'):
26	patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True)
27	if patches != None:
28	# Patches explicitly chosen, may be empty.
29	result.append(patches)
30	else:
31	# Enabled by default.
32	result.append('file://0001-ima-fix-ima_inode_post_setattr.patch file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch')
33	# This one addresses a problem added in 4.2. The upstream revert will land
34	# in some future kernel. We need to extend version check once we know
35	# which kernels have the patch.
36	if bb.utils.vercmp_string_op(linux_version, '4.2', '>='):
37	patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, True)
38	if patches != None:
39	# Patches explicitly chosen, may be empty.
40	result.append(patches)
41	else:
42	# Enabled by default.
43	result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch')
44	return ' '.join(result)
45
46	# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS for Edison.
47	IMA_EVM_SETATTR_PATCH_3.10.98 = ""
48
49	# Kernel config fragment enabling IMA/EVM and (where necessary and possible)
50	# also patching the kernel.
51	IMA_EVM_CFG_yes = " file://ima.cfg \
52	${@ ima_evm_setattr_patch(d)} \
53	"
54	IMA_EVM_CFG_no = ""
55	SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}"
56
57	# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded
58	# x509 CA certificate which will get compiled into the kernel.
59	# The kernel will then use it to validate additional certificates,
60	# like the one loaded dynamically for IMA.
61	#
62	# Depending on the kernel version, there are two ways to add the
63	# CA certificate:
64	# - For Linux < 4.3, we put the x509 file into the source directory
65	# where the kernel compilation will find it automatically
66	# (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115).
67	# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS
68	# (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29).
69	# The ima_evm_root_ca.cfg only contains a blank file name.
70	# The actual file name gets patched in after the file was used
71	# to configure the kernel (see do_kernel_configme_append).
72	# This has to point to a single file, i.e. using it for IMA has to
73	# be coordinated with other usages.
74	#
75	# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass.
76	# Need weaker default here in case that ima-evm-rootfs.bbclass is not
77	# inherited.
78	IMA_EVM_ROOT_CA ??= ""
79
80	# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and
81	# copy the root certificate into the build directory. By using
82	# the normal fetcher mechanism for the certificate we ensure that
83	# a rebuild is triggered when the file name or content change.
84	#
85	# Recompiling on name change is a bit too aggressive and causes
86	# unnecessary rebuilds when only the location of the file, but not its
87	# content change. This may need further work, should it become a problem
88	# in practice. For example, IMA_EVM_ROOT_CA could be redefined as
89	# an URL that then gets found via the normal file lookup.
90	#
91	# The fetcher does not expand SRC_URI. We have to enforce that here.
92	IMA_EVM_ROOT_CA_CFG_yes = "${@ \
93	((' file://ima_evm_root_ca.cfg' if bb.utils.vercmp_string_op('${LINUX_VERSION}', '4.3', '>=') else '') + \
94	' file://${IMA_EVM_ROOT_CA}') \
95	if '${IMA_EVM_ROOT_CA}' else ''}"
96	IMA_EVM_ROOT_CA_CFG_no = ""
97
98	SRC_URI_append = "${IMA_EVM_ROOT_CA_CFG_${IMA_ENABLED_HERE}}"
99
100	do_kernel_configme_append () {
101	if [ '${IMA_EVM_ROOT_CA}' ] && grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS=' ${B}/.config; then
102	# We can replace a blank value from ima_evm_root_ca.cfg,
103	# but when we find some other value, then we have to abort
104	# because we can't set more than one value.
105	eval `grep '^CONFIG_SYSTEM_TRUSTED_KEYS='`
106	if [ "$CONFIG_SYSTEM_TRUSTED_KEYS" ] && [ "$CONFIG_SYSTEM_TRUSTED_KEYS" != "${IMA_EVM_ROOT_CA}" ]; then
107	bbfatal "CONFIG_SYSTEM_TRUSTED_KEYS already set to $CONFIG_SYSTEM_TRUSTED_KEYS, cannot replace with IMA_EVM_ROOT_CA = ${IMA_EVM_ROOT_CA}"
108	exit 1
109	fi
110	pemcert=${B}/`basename ${IMA_EVM_ROOT_CA}`.pem
111	openssl x509 -inform der -in ${IMA_EVM_ROOT_CA} -out $pemcert
112	sed -i -e "s;^CONFIG_SYSTEM_TRUSTED_KEYS=.*;CONFIG_SYSTEM_TRUSTED_KEYS=\"$pemcert\";" ${B}/.config
113	fi
114	}
115
116	do_kernel_configme[depends] += "${@ 'openssl-native:do_populate_sysroot' if '${IMA_ENABLED_HERE}' == 'yes' and '${IMA_EVM_ROOT_CA}' else '' }"