<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/meta-integrity/classes, branch mickledore</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=mickledore</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=mickledore'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2022-07-05T23:26:50+00:00</updated>
<entry>
<title>meta-integrity: kernel-modsign: prevents splitting out debug symbols</title>
<updated>2022-07-05T23:26:50+00:00</updated>
<author>
<name>Jose Quaresma</name>
<email>quaresma.jose@gmail.com</email>
</author>
<published>2022-06-27T12:02:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=c1c80cf0c0f26215fb252242f0d70f8870916734'/>
<id>urn:sha1:c1c80cf0c0f26215fb252242f0d70f8870916734</id>
<content type='text'>
Starting with [1] kernel modules symbols is being slipped in OE-core
and this breaks the kernel modules sign, so disable it.

[1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8

Signed-off-by: Jose Quaresma &lt;jose.quaresma@foundries.io&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: kernel-modsign: Change weak default value</title>
<updated>2021-08-27T04:43:35+00:00</updated>
<author>
<name>Daiane Angolini</name>
<email>daiane.angolini@foundries.io</email>
</author>
<published>2021-08-26T17:14:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=ab90741aa2de75bf8afc4ce99a4f8f412781024a'/>
<id>urn:sha1:ab90741aa2de75bf8afc4ce99a4f8f412781024a</id>
<content type='text'>
Assign a weak default value for MODSIGN_KEY_DIR so the other layers can
set a default value for them as well.

Signed-off-by: Daiane Angolini &lt;daiane.angolini@foundries.io&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: Convert to new override syntax</title>
<updated>2021-08-01T15:47:08+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-07-29T23:32:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=b8554aae23cb66378866bff7d5ef6c6324fa486a'/>
<id>urn:sha1:b8554aae23cb66378866bff7d5ef6c6324fa486a</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: add sanity check</title>
<updated>2021-06-06T20:03:37+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-06-02T01:59:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6e75e751ff1a0e1c45545a032a598a9098fa75f2'/>
<id>urn:sha1:6e75e751ff1a0e1c45545a032a598a9098fa75f2</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6612bf719f0ecf6b040e493481ffacc553a3ff26'/>
<id>urn:sha1:6612bf719f0ecf6b040e493481ffacc553a3ff26</id>
<content type='text'>
Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta: refactor IMA/EVM sign rootfs</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=76d1e3ecad77ecd38c1c99171d5f2497d1258644'/>
<id>urn:sha1:76d1e3ecad77ecd38c1c99171d5f2497d1258644</id>
<content type='text'>
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes but not only image recipes.

To fix the above issues, we introduce a ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>kernel-modsign.bbclass: add support for kernel modules signing</title>
<updated>2019-08-07T14:09:43+00:00</updated>
<author>
<name>Dmitry Eremin-Solenikov</name>
<email>dmitry_eremin-solenikov@mentor.com</email>
</author>
<published>2019-07-28T15:31:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=79bc2559fef750dda6301e4c3ed891850d3244a1'/>
<id>urn:sha1:79bc2559fef750dda6301e4c3ed891850d3244a1</id>
<content type='text'>
Add bbclass responsible for handling signing of kernel modules.

Signed-off-by: Dmitry Eremin-Solenikov &lt;dmitry_eremin-solenikov@mentor.com&gt;

fixup class to avoid including in every configure task

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: rename IMA_EVM_BASE to INTEGRITY_BASE</title>
<updated>2019-08-04T20:12:41+00:00</updated>
<author>
<name>Dmitry Eremin-Solenikov</name>
<email>dmitry_eremin-solenikov@mentor.com</email>
</author>
<published>2019-07-28T15:31:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=c9c4e6c228556cc2054a4b49f85b282fd69fc25c'/>
<id>urn:sha1:c9c4e6c228556cc2054a4b49f85b282fd69fc25c</id>
<content type='text'>
data/debug-keys will be reused for demo modsign keys, so rename
IMA_EVM_BASE to more generic INTEGRITY_BASE.

Signed-off-by: Dmitry Eremin-Solenikov &lt;dmitry_eremin-solenikov@mentor.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: port over from meta-intel-iot-security</title>
<updated>2019-05-28T14:38:41+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2019-05-16T22:41:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6680225c05bb0834280307c223c3a545b088cbd3'/>
<id>urn:sha1:6680225c05bb0834280307c223c3a545b088cbd3</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
