<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/meta-integrity, branch test</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=test</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=test'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2021-04-12T14:07:11+00:00</updated>
<entry>
<title>initramfs-framework-ima: introduce IMA_FORCE</title>
<updated>2021-04-12T14:07:11+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-04-08T18:38:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=076e75d5cc1fe7b43af8dcd10d8b2b18af422c84'/>
<id>urn:sha1:076e75d5cc1fe7b43af8dcd10d8b2b18af422c84</id>
<content type='text'>
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.

This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel arguments, it will easily bypass rootfs
authenticity checks.

Signed-off-by: Sergio Prado &lt;sergio.prado@toradex.com&gt;
Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta: drop IMA_POLICY from policy recipes</title>
<updated>2021-04-02T15:21:34+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-03-22T13:02:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=995f25bcb91357d988d89e940ac1d2f792c18b1a'/>
<id>urn:sha1:995f25bcb91357d988d89e940ac1d2f792c18b1a</id>
<content type='text'>
IMA_POLICY is being referred as policy recipe name in some places and it
is also being referred as policy file in other places, they are
conflicting with each other which make it impossible to set a IMA_POLICY
global variable in config file.

Fix it by dropping IMA_POLICY definitions from policy recipes

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>layer.conf: Add hardknott to LAYERSERIES_COMPAT</title>
<updated>2021-03-18T15:01:19+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-03-17T04:21:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=f9fdf977300d4a3e970be9ee43e324dcf500db3a'/>
<id>urn:sha1:f9fdf977300d4a3e970be9ee43e324dcf500db3a</id>
<content type='text'>
Thats codename for 3.3

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima-evm-keys: add file-checksums to IMA_EVM_X509</title>
<updated>2021-03-18T15:01:19+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-03-12T09:53:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6ada80aa3e8f426c2a4284fc48a2eaf2688d6411'/>
<id>urn:sha1:6ada80aa3e8f426c2a4284fc48a2eaf2688d6411</id>
<content type='text'>
This ensures when a end user change the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic</title>
<updated>2021-03-02T19:56:27+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-03-01T12:35:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=9504d02694d89302a867f296b73e884c03413fd3'/>
<id>urn:sha1:9504d02694d89302a867f296b73e884c03413fd3</id>
<content type='text'>
This fixes following systemd boot issues:
[    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[    7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=6612bf719f0ecf6b040e493481ffacc553a3ff26'/>
<id>urn:sha1:6612bf719f0ecf6b040e493481ffacc553a3ff26</id>
<content type='text'>
Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>initramfs-framework-ima: let ima_enabled return 0</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=ffab25f929d8e78a909e1a2b362c05be83dee4bf'/>
<id>urn:sha1:ffab25f929d8e78a909e1a2b362c05be83dee4bf</id>
<content type='text'>
Otherwise, ima script would not run as intended.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>README.md: update according to the refactoring in ima-evm-rootfs.bbclass</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=4dc646c8cee3774e32011db534cc9f4fb8915fa3'/>
<id>urn:sha1:4dc646c8cee3774e32011db534cc9f4fb8915fa3</id>
<content type='text'>
Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>meta: refactor IMA/EVM sign rootfs</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=76d1e3ecad77ecd38c1c99171d5f2497d1258644'/>
<id>urn:sha1:76d1e3ecad77ecd38c1c99171d5f2497d1258644</id>
<content type='text'>
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes but not only image recipes.

To fix the above issues, we introduce a ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>initramfs-framework-ima: RDEPENDS on ima-evm-keys</title>
<updated>2021-02-24T04:34:51+00:00</updated>
<author>
<name>Ming Liu</name>
<email>liu.ming50@gmail.com</email>
</author>
<published>2021-02-20T12:18:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=52bfc654e8a48a1fcfd89ba8750021c21718f6f5'/>
<id>urn:sha1:52bfc654e8a48a1fcfd89ba8750021c21718f6f5</id>
<content type='text'>
Signed-off-by: Ming Liu &lt;liu.ming50@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
