From b8554aae23cb66378866bff7d5ef6c6324fa486a Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Thu, 29 Jul 2021 16:32:05 -0700
Subject: meta-integrity: Convert to new override syntax
Signed-off-by: Armin Kuster
---
 meta-integrity/README.md | 4 ++--
 meta-integrity/classes/ima-evm-rootfs.bbclass | 2 +-
 meta-integrity/classes/kernel-modsign.bbclass | 4 ++--
 .../meta-networking/recipes-support/strongswan/strongswan-ima.inc | 4 ++--
 meta-integrity/recipes-core/base-files/base-files-ima.inc | 2 +-
 meta-integrity/recipes-core/images/integrity-image-minimal.bb | 2 +-
 .../recipes-core/initrdscripts/initramfs-framework-ima.bb | 6 +++---
 .../recipes-core/packagegroups/packagegroup-ima-evm-utils.bb | 2 +-
 meta-integrity/recipes-core/systemd/systemd_%.bbappend | 4 ++--
 meta-integrity/recipes-kernel/linux/linux_ima.inc | 4 ++--
 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 2 +-
 .../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 8 ++++----
 .../ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb | 4 ++--
 .../recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb | 4 ++--
 .../recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb | 4 ++--
 15 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 8254b0d..eae1c57 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -6,7 +6,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'integrity' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line.
- DISTRO_FEATURES_append = " integrity"
+ DISTRO_FEATURES:append = " integrity"
 If meta-integrity is included, but integrity is not enabled as a distro feature a warning is printed at parse time:
@@ -219,7 +219,7 @@ executing the file is no longer allowed: Enabling the audit kernel subsystem may help to debug appraisal issues. Enable it by adding the meta-security-framework layer and changing your local.conf:
- SRC_URI_append_pn-linux-yocto = " file://audit.cfg"
+ SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
 CORE_IMAGE_EXTRA_INSTALL += "auditd"
 Then boot with "ima_appraise=log ima_appraise_tcb".
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 0acd6e7..57de2f6 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -29,7 +29,7 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
 IMA_EVM_ROOTFS_IVERSION ?= ""
 # Avoid re-generating fstab when ima is enabled.
-WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
 ima_evm_sign_rootfs () {
 cd ${IMAGE_ROOTFS}
diff --git a/meta-integrity/classes/kernel-modsign.bbclass b/meta-integrity/classes/kernel-modsign.bbclass
index 09025ba..cf5d3eb 100644
--- a/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-integrity/classes/kernel-modsign.bbclass
@@ -15,7 +15,7 @@ MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
 # If this class is enabled, disable stripping signatures from modules
 INHIBIT_PACKAGE_STRIP = "1"
-kernel_do_configure_prepend() {
+kernel_do_configure:prepend() {
 if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
 cat "${MODSIGN_PRIVKEY}" "${MODSIGN_X509}" \
 > "${B}/modsign_key.pem"
@@ -24,6 +24,6 @@ kernel_do_configure_prepend() {
 fi
 }
-do_shared_workdir_append() {
+do_shared_workdir:append() {
 cp modsign_key.pem $kerneldir/
 }
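Review bot: `do_shared_workdir:append()` in kernel-modsign.bbclass copies `modsign_key.pem` into `$kerneldir` with no comment on what the file holds, and the first hunk of the same file shows it is built by concatenating `${MODSIGN_PRIVKEY}` with `${MODSIGN_X509}`, so it carries the private module-signing key. I would add a comment above the `cp`, for example `# modsign_key.pem holds the private signing key; keep $kerneldir out of anything packaged or shared`, and consider `install -m 0600 modsign_key.pem $kerneldir/` in place of the plain `cp`. The copy is also unconditional while the file is only created when both key files exist; the `else` branch of `kernel_do_configure:prepend()` lies between the two hunks and is not visible, so whether a missing key already stops the build there should be confirmed.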
diff --git a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
index a45182e..807075c 100644
--- a/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
+++ b/meta-integrity/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-ima.inc
@@ -1,8 +1,8 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 DEPENDS = "libtspi"
-SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
+SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
 PACKAGECONFIG += " \
 aikgen \
diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-integrity/recipes-core/base-files/base-files-ima.inc
index 7e9e210..cfa65a2 100644
--- a/meta-integrity/recipes-core/base-files/base-files-ima.inc
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -1,5 +1,5 @@
 # Append iversion option for auto types
-do_install_append() {
+do_install:append() {
 sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
 echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
 }
diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index 1a3a30a..f40e867 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -18,4 +18,4 @@ export IMAGE_BASENAME = "integrity-image-minimal"
 INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 6471c53..58cbe6e 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -30,7 +30,7 @@ do_install () {
 sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
 }
-FILES_${PN} = "/init.d ${sysconfdir}"
+FILES:${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
-RDEPENDS_${PN} += "initramfs-framework-base"
+RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
+RDEPENDS:${PN} += "initramfs-framework-base"
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
index 8196edb..484859f 100644
--- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -6,6 +6,6 @@ inherit packagegroup features_check
 REQUIRED_DISTRO_FEATURES = "ima"
 # Only one at the moment, but perhaps more will come in the future.
-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
 ima-evm-utils \
 "
diff --git a/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
index 3b45541..57b3684 100644
--- a/meta-integrity/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-integrity/recipes-core/systemd/systemd_%.bbappend
@@ -1,11 +1,11 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 SRC_URI += " \
 file://machine-id-commit-sync.conf \
 file://random-seed-sync.conf \
 "
-do_install_append () {
+do_install:append () {
 for i in machine-id-commit random-seed; do
 install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
 install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index f9a48cd..3ab53e5 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,5 +1,5 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
 inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
index 7708aef..dd32397 100644
--- a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "ima"
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
 do_install () {
 if [ -e "${IMA_EVM_X509}" ]; then
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index bd85583..fc7a2d6 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 DEPENDS += "openssl attr keyutils"
-DEPENDS_class-native += "openssl-native keyutils-native"
+DEPENDS:class-native += "openssl-native keyutils-native"
 PV = "1.2.1+git${SRCPV}"
 SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
@@ -26,13 +26,13 @@ S = "${WORKDIR}/git"
 inherit pkgconfig autotools features_check
 REQUIRED_DISTRO_FEATURES = "ima"
-REQUIRED_DISTRO_FEATURES_class-native = ""
+REQUIRED_DISTRO_FEATURES:class-native = ""
-EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
 # blkid is called by evmctl when creating evm checksums.
 # This is less useful when signing files on the build host,
 # so disable it when compiling on the host.
-RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index 84ea161..5f2244e 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -12,5 +12,5 @@ do_install () {
 install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
 }
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index ff7169e..57c0640 100644
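Review bot: In ima-evm-utils_git.bb the converted line `DEPENDS:class-native += "openssl-native keyutils-native"` keeps a `+=` on an override-qualified variable, which does not append to `DEPENDS` for native builds. BitBake applies `+=` to the `DEPENDS:class-native` variable itself, and that value then replaces the base `DEPENDS += "openssl attr keyutils"` once the `class-native` override is active, so `attr` appears to drop out of the native dependency set. If the intent was to add to the base list, `DEPENDS:append:class-native = " openssl-native keyutils-native"` expresses that. The behaviour predates this commit, but the syntax conversion is a natural place to settle it.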
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -14,5 +14,5 @@ do_install () {
 install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
 }
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index 0e56aec..8fed410 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -12,5 +12,5 @@ do_install () {
 install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
 }
-FILES_${PN} = "${sysconfdir}/ima"
-RDEPENDS_${PN} = "ima-evm-utils"
+FILES:${PN} = "${sysconfdir}/ima"
+RDEPENDS:${PN} = "ima-evm-utils"
--
cgit v1.2.3-54-g00ecf