path: root/meta-integrity
Commit message | Author | Age | Files | Lines
* Update maintainers (HEAD, master) | Scott Murray | 8 days | 1 | -1/+3
  Add Marta and myself as maintainers for meta-security and the other embedded layers that Armin had been maintaining. To avoid Armin getting bugged about individual recipes, set the RECIPE_MAINTAINER variables to myself for now as a starting point that can be adjusted as things get more settled.
  Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove self as Maintainer | Armin Kuster | 12 days | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Enable choice of creating IMA signatures or hashes | Stefan Berger | 2025-03-12 | 2 | -2/+9
  When IMA and EVM are used for file appraisal then EVM verifies the signature stored in security.evm. This signature covers file metadata (uid, gid, mode bits, etc.) as well as the security.ima xattr. Therefore, it is sufficient that only files' hashes are stored in security.ima. This also leads to slight performance improvements since IMA appraisal will then only verify that a file's hash matches the expected hash stored in security.ima. EVM will ensure that the signature over all the file metadata and security.ima xattr is correct.
  Therefore, give the user control over whether to store file signatures (--imasig) in ima.security or hashes (--imahash) by setting the option in IMA_EVM_IMA_XATTR_OPT. Only test-verify an IMA signature if --imasig is used as the option.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Remove True option to getVar calls | akash hadke | 2025-02-02 | 1 | -1/+1
  getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace.
  Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* oeqa runtime ima.py: skip without "integrity" in DISTRO_FEATURES | Mikko Rapeli | 2024-12-27 | 1 | -0/+1
  ima and meta-integrity are not enabled without it, and the test fails.
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to walnascar (5.2) layer/release series | Armin Kuster | 2024-11-24 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to styhead release name series | Armin Kuster | 2024-09-15 | 1 | -1/+1
  few more layers to fixup
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy: Fix S=UNPACKDIR | Armin Kuster | 2024-07-31 | 3 | -3/+3
  Drop BP, these are files, not a src bundle
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-simple: set S | Mikko Rapeli | 2024-07-31 | 1 | -0/+2
  Build with latest poky fails without it
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-appraise-all: set S | Mikko Rapeli | 2024-07-31 | 1 | -0/+2
  Build with latest poky requires it
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-hashed: set S | Mikko Rapeli | 2024-07-31 | 1 | -0/+2
  Build with latest poky fails without it
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-simple: UNPACKDIR fix | Mikko Rapeli | 2024-07-31 | 1 | -1/+1
  New poky uses UNPACKDIR instead of WORKDIR
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-appraise-all: UNPACKDIR fix | Mikko Rapeli | 2024-07-31 | 1 | -1/+1
  New poky uses UNPACKDIR instead of WORKDIR
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* initramfs-framework-ima: UNPACKDIR fix | Mikko Rapeli | 2024-07-31 | 1 | -1/+1
  New poky uses UNPACKDIR instead of WORKDIR
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Enable passing private key password | Stefan Berger | 2024-07-01 | 2 | -0/+6
  Allow users to pass the private key password using IMA_EVM_EVMCTL_KEY_PASSWORD.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl | Stefan Berger | 2024-07-01 | 2 | -2/+9
  Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl when signing files. An example is --keyid <id> that makes evmctl use a specific key id when signing files.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: Remove stale variables and documentation | Stefan Berger | 2024-07-01 | 2 | -11/+1
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-policy-hashed: Start WORKDIR -> UNPACKDIR transition | Wang Mingyu | 2024-06-17 | 1 | -1/+1
  Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR.
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: WORKDIR -> UNPACKDIR transition | Changqing Li | 2024-06-17 | 1 | -1/+1
  * WORKDIR -> UNPACKDIR transition
  * Switch away from S = WORKDIR
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  [Fixed up the smack changes due to prior patch]
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README.md: update to new patches mailing list | Armin Kuster | 2024-04-09 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update for the scarthgap release series | Max Krummenacher | 2024-03-27 | 1 | -1/+1
  Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image-minimal: Fix IMAGE_INSTALL | Leon Anavi | 2024-02-20 | 1 | -6/+4
  Append to IMAGE_INSTALL rather than directly setting the variable, and do it after inheriting core-image.bbclass because in it IMAGE_INSTALL is set with a default value CORE_IMAGE_BASE_INSTALL. Variable CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL so the change allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as per the instructions in meta-integrity/README.md.
  Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto%.bbappend: Add audit.cfg | Leon Anavi | 2024-02-20 | 3 | -2/+10
  Add audit.cfg configuration fragment. By default it is not appended to SRC_URI. It allows enabling the audit kernel subsystem which may help to debug appraisal issues. Boot with "integrity_audit=1" to capture a more complete set of events in /var/log/audit/.
  Previously the same configuration fragment was provided by layer meta-security-framework but it is no longer maintained therefore it makes sense to have audit.cfg in layer meta-integrity.
  Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima,evm: Add two variables to write filenames and signatures into | Stefan Berger | 2023-11-08 | 1 | -0/+12
  Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE for filenames where the ima_evm_sign_rootfs script can write the names of files and their IMA or EVM signatures into. Both variables are optional.
  The content of the file with IMA signatures may look like this:
      /usr/bin/gpiodetect ima:0x0302046730eefd...
      /usr/bin/pwscore ima:0x0302046730eefd004...
  Having the filenames along with their signatures is useful for signing files in the initrd when the initrd is running out of a tmpfs filesystem that has support for xattrs. This allows to enable an IMA appraisal policy already in the initrd where files must be signed as soon as the policy becomes active.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: update LAYERSERIES_COMPAT for nanbield | Martin Jansa | 2023-09-11 | 1 | -1/+1
  * oe-core switched to nanbield in: https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6
  Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer: add QA_WARNINGS to all layers | Armin Kuster | 2023-08-06 | 1 | -0/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: drop ima.cfg in favor of new k-cache | Armin Kuster | 2023-07-31 | 3 | -54/+1
  The upstream ima.cfg kernel-cache has been updated. Use it instead.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* *.patch: add Upstream-Status to all patches | Martin Jansa | 2023-06-25 | 1 | -0/+4
  There is new patch-status QA check in oe-core: https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
  This is temporary work around just to hide _many_ warnings from optional patch-status (if you add it to WARN_QA).
  This just added Upstream-Status: Pending everywhere without actually investigating what's the proper status.
  This is just to hide current QA warnings and to catch new .patch files being added without Upstream-Status, but the number of Pending patches is now terrible:
      0 (0%)     meta-parsec
      N/A (0%)   meta-hardening
      1 (100%)   meta-integrity
      15 (68%)   meta-tpm
      27 (61%)   meta-security
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Insert addpylib declaration | Armin Kuster | 2023-05-22 | 1 | -0/+2
  Yocto mickledore introduced the addpylib directive for explicitly adding layer paths to the PYTHONPATH. Standalone OEQA test suite discovery does not require this directive but it is required to import test cases from other layers, e.g. to extend and modify the test cases.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity: Rename linux-%.bbappend to linux-yocto%.bbappend | Stefan Berger | 2023-05-13 | 1 | -0/+0
  To avoid having linux-%.bbappend included in targets unrelated to the linux kernel, rename linux-%.bbappend to linux-yocto%.bbappend.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity: Fix the do_configure function | Stefan Berger | 2023-05-13 | 1 | -2/+4
  Append ':append' to do_configure so it does not replace all existing do_configure's. Only run 'sed' when DISTRO_FEATURES contains 'ima' and the .config file exists.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg | Stefan Berger | 2023-05-13 | 1 | -1/+0
  Drop the kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg. Instead, require projects that use squashfs to set this option.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux: overlayfs: Drop kernel patch resolving a file change notification issue | Stefan Berger | 2023-05-13 | 2 | -43/+0
  Revert the patch resolving a file change notification issue (for IMA appraisal) since this patch fails in 'many downstream kernels'.
  - https://lists.yoctoproject.org/g/yocto/message/59928
  - https://lists.yoctoproject.org/g/yocto/message/59929
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image-minimal: adapt QEMU cmdline to new changes | Armin Kuster | 2023-05-06 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* oeqa: fix hash test to match new changes | Armin Kuster | 2023-05-06 | 1 | -6/+4
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch | Stefan Berger | 2023-05-06 | 2 | -2/+42
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux: overlayfs: Add kernel patch resolving a file change notification issue | Stefan Berger | 2023-05-06 | 2 | -0/+43
  Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed.
  The issue will be resolved in later kernels with the following patch that builds on a newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1: https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity: Update the README for IMA support | Stefan Berger | 2023-05-06 | 1 | -9/+11
  Update the README describing how IMA support can be used.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Sign all executables and the ima-policy in the root filesystem | Stefan Berger | 2023-05-06 | 1 | -5/+20
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY | Stefan Berger | 2023-05-06 | 2 | -3/+3
  The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Fix the IMA kernel feature | Stefan Berger | 2023-05-06 | 7 | -251/+63
  Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Fix the ima_policy_appraise_all to appraise executables & libraries | Stefan Berger | 2023-05-06 | 1 | -1/+8
  Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima: Document and replace keys and adapt scripts for EC keys | Stefan Berger | 2023-05-06 | 8 | -62/+50
  For shorter file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys.
  Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: disable documentation from build | Mikko Rapeli | 2023-03-26 | 1 | -0/+1
  Building documentation fails due to missing asciidoc, xsltproc etc so it's better to just disable building them by default.
  Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: update LAYERSERIES_COMPAT for mickledore | Martin Jansa | 2023-01-04 | 1 | -1/+1
  * oe-core switched to mickledore in: https://git.openembedded.org/openembedded-core/commit/?id=57239d66b933c4313cf331d35d13ec2d0661c38f
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-integrity: kernel-modsign: prevents splitting out debug symbols | Jose Quaresma | 2022-07-05 | 1 | -0/+2
  Starting with [1], kernel module symbols are being split out in OE-core and this breaks the kernel module signing, so disable it.
  [1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Post release codename changes | Armin Kuster | 2022-06-07 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-utils: Update to 1.4 | Armin Kuster | 2022-05-23 | 4 | -181/+2
  Switch from git to https in SRC_URI
  Drop patches not upstreamed.
  Passes OEQA:
      RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.05s)
      RESULTS - ima.IMACheck.test_ima_hash: PASSED (6.13s)
      RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (131.31s)
      RESULTS - ima.IMACheck.test_ima_signature: PASSED (69.03s)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima-evm-keys: don't use lnr | Armin Kuster | 2022-03-11 | 1 | -1/+1
  lnr is a script in oe-core that creates relative symlinks, with the same behaviour as `ln --relative --symlink`. It was added back in 2014[1] as not all of the supported host distributions at the time shipped coreutils 8.16, the first release with --relative.
  However the oldest coreutils release in the supported distributions is now 8.22 in CentOS 7, so lnr can be deprecated and users switched to ln.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: Update to use kirkstone | Armin Kuster | 2022-02-20 | 1 | -1/+1
  Update the layers to use the kirkstone namespace. No compatibility is made for honister due to the variable renaming.
  Signed-off-by: Armin Kuster <akuster808@gmail.com>