<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/meta-integrity/classes, branch styhead</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=styhead</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=styhead'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2024-07-01T11:07:58+00:00</updated>
<entry>
<title>meta-integrity: Enable passing private key password</title>
<updated>2024-07-01T11:07:58+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2024-06-19T14:15:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=37e5a930d70ccd6f4468606276012c9711103dc4'/>
<id>urn:sha1:37e5a930d70ccd6f4468606276012c9711103dc4</id>
<content type='text'>
Allow users to pass the private key password using
IMA_EVM_EVMCTL_KEY_PASSWORD.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl</title>
<updated>2024-07-01T11:07:58+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2024-06-19T14:15:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=06bd46276fbba42019f1327ecd8c4caf6a963a6f'/>
<id>urn:sha1:06bd46276fbba42019f1327ecd8c4caf6a963a6f</id>
<content type='text'>
Introduce IMA_EVM_PRIVKEY_KEY_OPT to pass additional options to evmctl
when signing files. An example is --keyid &lt;id&gt; that makes evmctl use
a specific key id when signing files.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: Remove stale variables and documentation</title>
<updated>2024-07-01T11:07:58+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2024-06-19T14:15:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=d2d125de9231a9919f3b7f4be4b994336a2eced1'/>
<id>urn:sha1:d2d125de9231a9919f3b7f4be4b994336a2eced1</id>
<content type='text'>
Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima,evm: Add two variables to write filenames and signatures into</title>
<updated>2023-11-08T12:09:28+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2023-11-01T17:13:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=070a1e82cc59424d230a23c0b2a104b01fbaa2ad'/>
<id>urn:sha1:070a1e82cc59424d230a23c0b2a104b01fbaa2ad</id>
<content type='text'>
Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE
for filenames where the ima_evm_sign_rootfs script can write the names
of files and their IMA or EVM signatures into. Both variables are
optional. The content of the file with IMA signatures may look like
this:

/usr/bin/gpiodetect ima:0x0302046730eefd...
/usr/bin/pwscore ima:0x0302046730eefd004...

Having the filenames along with their signatures is useful for signing
files in the initrd when the initrd is running out of a tmpfs filesystem
that has support for xattrs. This allows to enable an IMA appraisal
policy already in the initrd where files must be signed as soon as the
policy becomes active.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima: Sign all executables and the ima-policy in the root filesystem</title>
<updated>2023-05-06T11:54:09+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2023-04-28T12:23:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=76f1f539a678725211283294c8b6735186055694'/>
<id>urn:sha1:76f1f539a678725211283294c8b6735186055694</id>
<content type='text'>
Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY</title>
<updated>2023-05-06T11:54:09+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2023-04-28T12:23:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=292b49342cb47da59525a44227598cf136311e1b'/>
<id>urn:sha1:292b49342cb47da59525a44227598cf136311e1b</id>
<content type='text'>
The IMA policy will be specified using the IMA_EVM_POLICY variable since
systemd will not be involved in loading the policy but the init script will
load it.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima: Fix the IMA kernel feature</title>
<updated>2023-05-06T11:54:09+00:00</updated>
<author>
<name>Stefan Berger</name>
<email>stefanb@linux.ibm.com</email>
</author>
<published>2023-04-28T12:23:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=f4f7624d2e50e19249e7a2a3798c1120e5183424'/>
<id>urn:sha1:f4f7624d2e50e19249e7a2a3798c1120e5183424</id>
<content type='text'>
Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding
kernel configuration options for IMA and EVM.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: kernel-modsign: prevents splitting out debug symbols</title>
<updated>2022-07-05T23:26:50+00:00</updated>
<author>
<name>Jose Quaresma</name>
<email>quaresma.jose@gmail.com</email>
</author>
<published>2022-06-27T12:02:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=c1c80cf0c0f26215fb252242f0d70f8870916734'/>
<id>urn:sha1:c1c80cf0c0f26215fb252242f0d70f8870916734</id>
<content type='text'>
Starting with [1] kernel modules symbols is being slipped in OE-core
and this breaks the kernel modules sign, so disable it.

[1] https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8

Signed-off-by: Jose Quaresma &lt;jose.quaresma@foundries.io&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: kernel-modsign: Change weak default value</title>
<updated>2021-08-27T04:43:35+00:00</updated>
<author>
<name>Daiane Angolini</name>
<email>daiane.angolini@foundries.io</email>
</author>
<published>2021-08-26T17:14:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=ab90741aa2de75bf8afc4ce99a4f8f412781024a'/>
<id>urn:sha1:ab90741aa2de75bf8afc4ce99a4f8f412781024a</id>
<content type='text'>
Assign a weak default value for MODSIGN_KEY_DIR so the other layers can
set a default value for them as well.

Signed-off-by: Daiane Angolini &lt;daiane.angolini@foundries.io&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta-integrity: Convert to new override syntax</title>
<updated>2021-08-01T15:47:08+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-07-29T23:32:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=b8554aae23cb66378866bff7d5ef6c6324fa486a'/>
<id>urn:sha1:b8554aae23cb66378866bff7d5ef6c6324fa486a</id>
<content type='text'>
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
