[yocto] [meta-security][PATCH 00/14] Port over meta-integrity

2019-05-26 Thread Armin Kuster
Copied meta-integrity from meta-intel-iot-security that Intel created,
to carry on maintenance. 

This updates that code base to work on master.

Runtime tests pass on Arm hardware and qemux86-64.

Armin Kuster (14):
  meta-integrity: port over from meta-intel-iot-security
  layer.conf: add LAYERSERIES_COMPAT
  README: update
  ima-evm-utils: cleanup and update to tip
  ima.cfg: update to 5.0 kernel
  linux: update bbappend
  base-files: add appending to automount securityfs
  ima-policy-hashed: add new recipe
  ima_policy_simple: add another sample policy
  policy: add ima appraise all policy
  data: remove policies
  initramfs: clean up to pull in packages.
  runtime qa: modernize ima test
  image: add image for testing

 meta-integrity/README.md  | 250 ++
 meta-integrity/classes/ima-evm-rootfs.bbclass |  92 +++
 meta-integrity/conf/layer.conf|  24 ++
 .../data/debug-keys/privkey_ima.pem   |  16 ++
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 0 -> 707 bytes
 meta-integrity/lib/oeqa/runtime/cases/ima.py  | 129 +
 .../base-files/base-files-ima.inc |   5 +
 .../base-files/base-files_%.bbappend  |   1 +
 .../images/integrity-image-minimal.bb |  22 ++
 .../initrdscripts/initramfs-framework-ima.bb  |  28 ++
 .../initrdscripts/initramfs-framework-ima/ima |  52 
 .../packagegroup-ima-evm-utils.bb |   9 +
 .../systemd/files/machine-id-commit-sync.conf |   2 +
 .../systemd/files/random-seed-sync.conf   |   3 +
 .../recipes-core/systemd/systemd_%.bbappend   |  13 +
 .../recipes-kernel/linux/linux-%.bbappend |   3 +
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 
 ...for-creating-files-using-the-mknodat.patch | 138 ++
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 +
 .../recipes-kernel/linux/linux/ima.cfg|  18 ++
 .../linux/linux/ima_evm_root_ca.cfg   |   3 +
 ...link-to-libcrypto-instead-of-OpenSSL.patch |  65 +
 ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch |  43 +++
 ...clude-hash-info.gen-into-distributio.patch |  31 +++
 ...ma-evm-utils-update-.gitignore-files.patch |  34 +++
 ...nd-line-apply-operation-to-all-paths.patch |  68 +
 .../ima-evm-utils/disable-doc-creation.patch  |  50 
 ...t-depend-on-xattr.h-with-IMA-defines.patch |  47 
 .../ima-evm-utils/ima-evm-utils_git.bb|  41 +++
 .../files/ima_policy_appraise_all |  29 ++
 .../ima-policy-appraise-all_1.0.bb|  18 ++
 .../ima_policy_hashed/files/ima_policy_hashed |  77 ++
 .../ima-policy-hashed_1.0.bb  |  20 ++
 .../ima_policy_simple/files/ima_policy_simple |   4 +
 .../ima-policy-simple_1.0.bb  |  18 ++
 meta-integrity/scripts/ima-gen-CA-signed.sh   |  48 
 meta-integrity/scripts/ima-gen-local-ca.sh|  42 +++
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 +++
 38 files changed, 1595 insertions(+)
 create mode 100644 meta-integrity/README.md
 create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass
 create mode 100644 meta-integrity/conf/layer.conf
 create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem
 create mode 100644 meta-integrity/data/debug-keys/x509_ima.der
 create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py
 create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc
 create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend
 create mode 100644 
meta-integrity/recipes-core/images/integrity-image-minimal.bb
 create mode 100644 
meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
 create mode 100644 
meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
 create mode 100644 
meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
 create mode 100644 
meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
 create mode 100644 
meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
 create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
 create mode 100644 
meta-integrity/recipes-securit

[yocto] [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/conf/layer.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index e8bb268..2f696cf 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -20,3 +20,5 @@ IMA_EVM_BASE := '${LAYERDIR}'
 # dependent on location of the layer). Exporting it to just the
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+
+LAYERSERIES_COMPAT_integrity = "warrior"
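Review bot: LAYERSERIES_COMPAT_integrity = "warrior" pins the layer to the warrior series only, while the cover letter says this port is meant to work on master, so the next series name needs adding alongside "warrior" once it is known. Also check that the "integrity" suffix matches the BBFILE_COLLECTIONS entry earlier in this layer.conf (not in the hunk); if the two differ, bitbake rejects the layer with a compatibility error.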
-- 
2.17.1

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-security][PATCH 03/14] README: update

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/README.md | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index ba96d8e..5bef76e 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -24,12 +24,9 @@ This layer depends on:
 Patches
 ===
 
-Please submit any patches against the integrity layer via Github
-pull requests.
-
 For discussion or patch submission via email, use the
 yocto@yoctoproject.org mailing list. When submitting patches that way,
-make sure to copy the maintainer and add a "[meta-]"
+make sure to copy the maintainer and add a "[meta-integrity]"
 prefix to the subject of the mails.
 
 Maintainer: Armin Kuster 
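Review bot: the mailing-list instructions are fine, but the Dependencies section just above this hunk (visible in patch 01 of this series) still lists git://github.com/01org/meta-security/meta-integrate with layer security-framework, the old Intel location, which no longer applies now that the layer lives inside meta-security; this README update is the natural place to correct that URI as well.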
-- 
2.17.1



[yocto] [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../recipes-kernel/linux/linux/ima.cfg| 28 ++-
 .../linux/linux/ima_evm_root_ca.cfg   |  6 ++--
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg 
b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
index 02381aa..b3e47ba 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -1,16 +1,18 @@
-# Enable bare minimum IMA measurement and appraisal as needed by this layer.
-
-CONFIG_SECURITY=y
-CONFIG_INTEGRITY=y
-
-# measurement
 CONFIG_IMA=y
-
-# appraisal
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-
-# Kernel will get built with embedded X.509 root CA key and all keys
-# need to be signed with that.
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
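Review bot: dropping CONFIG_SECURITY=y and CONFIG_INTEGRITY=y from the fragment is risky: CONFIG_IMA depends on both, and when the kernel config merge finds a dependency unmet it silently drops the IMA options instead of failing the build, so keep those two lines. The three commented-out lines at the end have the same problem: CONFIG_IMA_TRUSTED_KEYRING=y and CONFIG_IMA_LOAD_X509=y, which this hunk keeps, depend on CONFIG_INTEGRITY_ASYMMETRIC_KEYS and therefore CONFIG_INTEGRITY_SIGNATURE, so with those commented out the .ima keyring options are unsatisfiable unless another fragment enables them; if they were commented out because they are now provided elsewhere, say so in the commit message. Separately, CONFIG_IMA_DEFAULT_HASH_SHA1=y selects SHA-1 as the measurement hash for a fresh 5.0 configuration; CONFIG_IMA_DEFAULT_HASH_SHA256=y is the better default, although the runtime test in patch 13 compares against sha1sum and would need updating in step.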
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg 
b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
index 7338232..9a45425 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -1,3 +1,3 @@
-CONFIG_KEYS=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
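Review bot: this hunk removes CONFIG_SYSTEM_TRUSTED_KEYRING=y, which the CONFIG_IMA_TRUSTED_KEYRING=y kept in ima.cfg depends on, and replaces the file's contents with EVM keyring options, so the name ima_evm_root_ca.cfg no longer describes what it holds. CONFIG_EVM_LOAD_X509=y also depends on CONFIG_EVM, which neither fragment sets, and the certificate path /etc/keys/x509_evm.der has no counterpart in the layer: data/debug-keys ships only x509_ima.der (see the diffstat in the cover letter). Either add CONFIG_EVM=y together with an EVM certificate, or leave the EVM lines out until EVM is actually wired up, and note in the commit message where CONFIG_KEYS and CONFIG_SYSTEM_TRUSTED_KEYRING are now provided.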
-- 
2.17.1



[yocto] [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip

2019-05-26 Thread Armin Kuster
Update to tip.
Backported patches to fix build issues.
Fix native support.

Signed-off-by: Armin Kuster 
---
 .../ima-evm-utils/ima-evm-utils.inc   | 19 --
 ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++
 ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 
 ...clude-hash-info.gen-into-distributio.patch | 31 +
 ...ma-evm-utils-update-.gitignore-files.patch | 34 ++
 .../ima-evm-utils/ima-evm-utils_git.bb| 30 -
 6 files changed, 200 insertions(+), 22 deletions(-)
 delete mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
deleted file mode 100644
index 72a13f7..000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS = " \
-openssl \
-attr \
-keyutils \
-pkgconfig \
-"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS_${PN}_append_class-target = " util-linux-blkid"
-
-inherit autotools
-
-BBCLASSEXTEND = "native"
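Review bot: deleting ima-evm-utils.inc drops BBCLASSEXTEND = "native" and the class-target-only RDEPENDS on util-linux-blkid together with the comment explaining why blkid is only a target dependency. The commit message says native support was fixed, but the matching ima-evm-utils_git.bb diff is not shown here, so confirm that both settings (and that comment) were moved into the .bb rather than lost.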
diff --git 
a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
new file mode 100644
index 000..5ccb73d
--- /dev/null
+++ 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
@@ -0,0 +1,65 @@
+From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov 
+Date: Wed, 6 Mar 2019 01:08:43 +0300
+Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL
+
+There is no need to link to full libssl. evmctl uses functions from
+libcrypto, so let's link only against that library.
+
+Signed-off-by: Dmitry Eremin-Solenikov 
+---
+ configure.ac| 4 +---
+ src/Makefile.am | 9 -
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 60f3684..32e8d85 100644
+--- a/configure.ac
 b/configure.ac
+@@ -24,9 +24,7 @@ LT_INIT
+ # Checks for header files.
+ AC_HEADER_STDC
+ 
+-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
+-AC_SUBST(OPENSSL_CFLAGS)
+-AC_SUBST(OPENSSL_LIBS)
++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+ AC_SUBST(KERNEL_HEADERS)
+ AC_CHECK_HEADER(unistd.h)
+ AC_CHECK_HEADERS(openssl/conf.h)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index d74fc6f..b81281a 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -1,11 +1,11 @@
+ lib_LTLIBRARIES = libimaevm.la
+ 
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+-libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
++libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
+ 
+ include_HEADERS = imaevm.h
+ 
+@@ -17,12 +17,11 @@ hash_info.h: Makefile
+ bin_PROGRAMS = evmctl
+ 
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+-evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
++evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+ 
+ INCLUDES = -I$(top_srcdir) -include config.h
+ 
+ CLEANFILES = hash_info.h
+ DISTCLEANFILES = @DISTCLEANFILES@
+-
+-- 
+2.17.1
+
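Review bot: the added patch file lacks the Upstream-Status: tag that OpenEmbedded requires in every patch header. Since this is an upstream commit (4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 by Dmitry Eremin-Solenikov, 2019-03-06), it should read "Upstream-Status: Backport" with that hash, plus a Signed-off-by from whoever carries it in the layer. The same applies to the 0002, 0003 and 0004 patches added in this commit.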
diff --git 
a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
new file mode 100644
index 000..8237274
--- /dev/null
+++ 
b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
@@ -0,0 +1,43 @@
+From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov 
+Date: Wed, 6 Mar 2019 01:17:12 +0300
+Subject: [PATCH

[yocto] [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/README.md  | 253 ++
 meta-integrity/classes/ima-evm-rootfs.bbclass |  92 +++
 meta-integrity/conf/layer.conf|  22 ++
 .../data/debug-keys/privkey_ima.pem   |  16 ++
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 0 -> 707 bytes
 meta-integrity/data/ima_policy_appraise_all   |  29 ++
 meta-integrity/data/ima_policy_hashed |  77 ++
 meta-integrity/data/ima_policy_simple |   4 +
 meta-integrity/lib/oeqa/runtime/__init__.py   |   0
 meta-integrity/lib/oeqa/runtime/ima.py|  82 ++
 .../initrdscripts/initramfs-framework-ima.bb  |  32 +++
 .../initrdscripts/initramfs-framework-ima/ima |  52 
 .../packagegroup-ima-evm-utils.bb |   9 +
 .../systemd/files/machine-id-commit-sync.conf |   2 +
 .../systemd/files/random-seed-sync.conf   |   3 +
 .../recipes-core/systemd/systemd_%.bbappend   |  13 +
 .../recipes-kernel/linux/linux-%.bbappend | 116 
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 
 ...for-creating-files-using-the-mknodat.patch | 138 ++
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 +
 .../recipes-kernel/linux/linux/ima.cfg|  16 ++
 .../linux/linux/ima_evm_root_ca.cfg   |   3 +
 .../ima-evm-utils/ima-evm-utils.inc   |  19 ++
 ...nd-line-apply-operation-to-all-paths.patch |  68 +
 .../ima-evm-utils/disable-doc-creation.patch  |  50 
 ...t-depend-on-xattr.h-with-IMA-defines.patch |  47 
 .../ima-evm-utils/ima-evm-utils_git.bb|  17 ++
 meta-integrity/scripts/ima-gen-CA-signed.sh   |  48 
 meta-integrity/scripts/ima-gen-local-ca.sh|  42 +++
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 +++
 30 files changed, 1402 insertions(+)
 create mode 100644 meta-integrity/README.md
 create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass
 create mode 100644 meta-integrity/conf/layer.conf
 create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem
 create mode 100644 meta-integrity/data/debug-keys/x509_ima.der
 create mode 100644 meta-integrity/data/ima_policy_appraise_all
 create mode 100644 meta-integrity/data/ima_policy_hashed
 create mode 100644 meta-integrity/data/ima_policy_simple
 create mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py
 create mode 100644 meta-integrity/lib/oeqa/runtime/ima.py
 create mode 100644 
meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
 create mode 100644 
meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
 create mode 100644 
meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
 create mode 100644 
meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
 create mode 100644 
meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
 create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 
meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
 create mode 100644 
meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
 create mode 100755 meta-integrity/scripts/ima-gen-CA-signed.sh
 create mode 100755 meta-integrity/scripts/ima-gen-local-ca.sh
 create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
new file mode 100644
index 000..ba96d8e
--- /dev/null
+++ b/meta-integrity/README.md
@@ -0,0 +1,253 @@
+This README file contains information on the contents of the
+integrity layer.
+
+Please see the corresponding sections below for details.
+
+
+Dependencies
+
+
+This layer depends on:
+
+URI: git://git.openembedded.org/bitbake
+branch: master
+
+URI: git://git.openembedded.org/openembedded-core
+layers: meta
+branch: master
+
+URI: git://github.com/01org/meta-security/meta-integrate
+layers: security-framework
+branch: master
+
+
+Patches
+===
+
+Please submit any patches against the integrity layer via Github
+p
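Review bot: the Dependencies section is stale for a layer now hosted in meta-security: the third entry points at git://github.com/01org/meta-security/meta-integrate with layer security-framework, the old Intel location, and all three entries say branch master while patch 02 of this series sets LAYERSERIES_COMPAT to warrior. Update the URI and branch names so they agree with where the layer is hosted and what it is compatible with. The "Please submit any patches ... via Github" sentence at the end of this hunk is removed again in patch 03, so it could simply be left out here instead of being added and deleted within the same series.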

[yocto] [meta-security][PATCH 07/14] base-files: add appending to automount securityfs

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/recipes-core/base-files/base-files-ima.inc| 5 +
 meta-integrity/recipes-core/base-files/base-files_%.bbappend | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc
 create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend

diff --git a/meta-integrity/recipes-core/base-files/base-files-ima.inc 
b/meta-integrity/recipes-core/base-files/base-files-ima.inc
new file mode 100644
index 000..7e9e210
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -0,0 +1,5 @@
+# Append iversion option for auto types
+do_install_append() {
+sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
+echo 'securityfs  /sys/kernel/security  securityfs  defaults  0  0' >> 
"${D}${sysconfdir}/fstab"
+}
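Review bot: the sed only rewrites fstab lines whose type is literally "auto" followed by "defaults", so any entry with an explicit filesystem type or non-default options keeps mounting without iversion, and IMA then cannot tell that a file on that filesystem changed after it was measured; match on the options field rather than on `auto defaults`, and document that a root filesystem mounted by the kernel or initramfs before fstab is read needs iversion passed via rootflags= on the kernel command line instead. The echo also appends the securityfs line unconditionally, so a base-files that already lists securityfs ends up with a duplicate entry; guard it with a grep first.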
diff --git a/meta-integrity/recipes-core/base-files/base-files_%.bbappend 
b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000..c006f0e
--- /dev/null
+++ b/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', 
'', d)}
-- 
2.17.1



[yocto] [meta-security][PATCH 10/14] policy: add ima appraise all policy

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../files/ima_policy_appraise_all | 29 +++
 .../ima-policy-appraise-all_1.0.bb| 18 
 2 files changed, 47 insertions(+)
 create mode 100644 
meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
 create mode 100644 
meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb

diff --git 
a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
 
b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 000..36e71a7
--- /dev/null
+++ 
b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy 
(http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+# 
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream 
Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
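Review bot: the bare `appraise` rule at the end carries no appraise_type=imasig, so despite the "appraise everything" title this policy accepts any file whose security.ima xattr holds a matching plain hash; as the header of ima_policy_hashed in patch 08 notes, hash-only appraisal without EVM does not stop a modified file from being re-hashed. Say so in the comment here, or add appraise_type=imasig for the BPRM_CHECK and FILE_MMAP hooks. The exclusion list is also shorter than the one in ima_policy_hashed, which additionally skips SMACK_MAGIC (0x43415d53) and CGROUP_SUPER_MAGIC (0x27e0eb); under this policy those pseudo-filesystems would be appraised, which is almost certainly unintended. The wiki URL in the header comment is split across two lines.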
diff --git 
a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
 
b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 000..b58d3fe
--- /dev/null
+++ 
b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
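Review bot: this recipe installs ${sysconfdir}/ima/ima-policy, the same path used by ima-policy-hashed (patch 08) and ima-policy-simple (patch 09), so putting any two of them into one image fails on a file conflict with no hint why; add RCONFLICTS_${PN} for the other two, or have all three RPROVIDE a common virtual name, so the conflict is explicit. Also drop the trailing space inside SUMMARY.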
-- 
2.17.1



[yocto] [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../ima_policy_hashed/files/ima_policy_hashed | 77 +++
 .../ima-policy-hashed_1.0.bb  | 20 +
 2 files changed, 97 insertions(+)
 create mode 100644 
meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
 create mode 100644 
meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb

diff --git 
a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed 
b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
new file mode 100644
index 000..7f89c8d
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -0,0 +1,77 @@
+# With this policy, all files on regular partitions are
+# appraised. Files with signed IMA hash and normal hash are
+# accepted. Signed files cannot be modified while hashed files can be
+# (which will also update the hash). However, signed files can
+# be deleted, so in practice it is still possible to replace them
+# with a modified version.
+#
+# Without EVM, this is obviously not very secure, so this policy is
+# just an example and/or basis for further improvements. For that
+# purpose, some comments show what could be added to make the policy
+# more secure.
+#
+# With EVM the situation might be different because access
+# to the EVM key can be restricted.
+#
+# Files which are appraised are also measured. This allows
+# debugging whether a file is in policy by looking at
+# /sys/kernel/security/ima/ascii_runtime_measurements
+
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+dont_measure fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+dont_measure fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+dont_measure fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream 
Linux kernel)
+dont_appraise fsmagic=0x6e736673
+dont_measure fsmagic=0x6e736673
+# SMACK_MAGIC
+dont_appraise fsmagic=0x43415d53
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+dont_measure fsmagic=0x27e0eb
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+dont_measure fsmagic=0xde5e81e4
+
+# Special partition, no checking done.
+# dont_measure  fsuuid=a11234...
+# dont_appraise fsuuid=a11243...
+
+# Special immutable group.
+# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
+
+# All executables must be signed - too strict, we need to
+# allow installing executables on the device.
+# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
+# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
+
+# Default rule. Would be needed also when other rules were added that
+# determine what to do in case of reading (mask=MAY_READ or
+# mask=MAY_EXEC) because otherwise writing does not update the file
+# hash.
+appraise
+measure
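Review bot: the two commented fsuuid examples use different values (a11234... and a11243...), which reads as a typo rather than as two partitions; make them identical so the block is a copy-and-paste template. The default `measure` rule at the end, with no func or mask, records every file access on the regular partitions into ascii_runtime_measurements; test_ima_hash in patch 13 relies on that, but it is expensive on a busy system, so a comment saying measure is kept for debugging would help. The rule ordering is correct: IMA takes the first matching rule, so the dont_* lines must stay ahead of the catch-all appraise and measure.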
diff --git 
a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb 
b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
new file mode 100644
index 000..3352daa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "IMA sample hash policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " \
+file://${IMA_POLICY} \
+"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
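Review bot: `install ${WORKDIR}/${IMA_POLICY} ...` without a mode installs the policy with install's default 0755, i.e. as an executable file; use install -m 0644. The ${D}/${sysconfdir} path also doubles the slash because ${sysconfdir} already starts with one; harmless, but ${D}${sysconfdir} is the convention.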
-- 
2.17.1



[yocto] [meta-security][PATCH 13/14] runtime qa: modernize ima test

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/lib/oeqa/runtime/__init__.py  |   0
 meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++
 meta-integrity/lib/oeqa/runtime/ima.py   |  82 
 3 files changed, 129 insertions(+), 82 deletions(-)
 delete mode 100644 meta-integrity/lib/oeqa/runtime/__init__.py
 create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py
 delete mode 100644 meta-integrity/lib/oeqa/runtime/ima.py

diff --git a/meta-integrity/lib/oeqa/runtime/__init__.py 
b/meta-integrity/lib/oeqa/runtime/__init__.py
deleted file mode 100644
index e69de29..000
diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py 
b/meta-integrity/lib/oeqa/runtime/cases/ima.py
new file mode 100644
index 000..0c8617a
--- /dev/null
+++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -0,0 +1,129 @@
+#!/usr/bin/env python
+#
+# Authors:  Cristina Moraru 
+#   Alexandru Cornea 
+
+import string
+from time import sleep
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar
+import bb
+blacklist = ["/usr/bin/uz", "/bin/su.shadow"]
+
+class IMACheck(OERuntimeTestCase):
+
+@classmethod
+def setUpClass(cls):
+locations = ["/bin", "/usr/bin"]
+cls.binaries = []
+for l in locations:
+status, output = cls.tc.target.run("find %s -type f" % l)
+cls.binaries.extend(output.split("\n"))
+
+cls.total = len(cls.binaries)
+
+
+@OETestDepends(['ssh.SSHTest.test_ssh'])
+def test_ima_enabled(self):
+''' Test if IMA policy is loaded before systemd starts'''
+
+ima_search = "ima: "
+systemd_search = "systemd .* running"
+status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+
+
+@skipIfNotFeature('systemd',
+  'Test requires systemd to be in DISTRO_FEATURES')
+@skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd',
+  'systemd is not the init manager for this image')
+@OETestDepends(['ima.IMACheck.test_ima_enabled'])
+def test_ima_before_systemd(self):
+''' Test if IMA policy is loaded before systemd starts'''
+ima_search = "ima: "
+systemd_search = "systemd .* running"
+status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+ima_id = int(output.split(":")[0])
+status, output = self.target.run("dmesg | grep -n '%s'" % 
systemd_search)
+self.assertEqual(status, 0, "Did not find '%s' in dmesg" % 
systemd_search)
+init_id = int(output.split(":")[0])
+if ima_id > init_id:
+self.fail("IMA does not start before systemd")
+
+
+@OETestDepends(['ima.IMACheck.test_ima_enabled'])
+def test_ima_hash(self):
+''' Test if IMA stores correct file hash '''
+filename = "/etc/filetest"
+ima_measure_file = 
"/sys/kernel/security/ima/ascii_runtime_measurements"
+status, output = self.target.run("echo test > %s" % filename)
+self.assertEqual(status, 0, "Cannot create file %s on target" % 
filename)
+
+# wait for the IMA system to update the entry
+maximum_tries = 30
+tries = 0
+status, output = self.target.run("sha1sum %s" %filename)
+sleep(2)
+current_hash = output.split()[0]
+ima_hash = ""
+
+while tries < maximum_tries:
+status, output = self.target.run("cat %s | grep %s" \
+% (ima_measure_file, filename))
+# get last entry, 4th field
+if status == 0:
+tokens = output.split("\n")[-1].split()[3]
+ima_hash = tokens.split(":")[1]
+if ima_hash == current_hash:
+break
+
+tries += 1
+sleep(1)
+
+# clean target
+self.target.run("rm %s" % filename)
+if ima_hash != current_hash:
+self.fail("Hash stored by IMA does not match actual hash")
+
+
+@OETestDepends(['ima.IMACheck.test_ima_enabled'])
+def test_ima_signature(self):
+''' Test if IMA stores correct signature for system binaries'''
+passed = 0
+failed = 0
+for b in self.binaries:
+if b in blacklist:
+continue
+status, output = self.target.run("evmctl ima_verify %s" % b)
+if status != 0:
+failed += 1
+else:
+passed += 1
+
+if failed == self.total:
+ self.fail("Signature verifications failed (%s)" % self.total)
+
+#bb.warn("pass: %s, fail: %s, Total: 
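Review bot: test_ima_enabled carries the docstring of test_ima_before_systemd and an unused systemd_search variable, and a grep for "ima: " passes on any IMA kernel message (for example a line about no TPM being found), so it does not show that a policy was loaded; grep for the policy-load message instead and fix the docstring. The `import string` and `import bb` lines are unused, and the trailing commented bb.warn suggests bb was only needed while debugging. test_ima_hash only works under a policy with a `measure` rule (ima_policy_hashed has one, ima_policy_appraise_all from patch 10 does not) and hard-codes sha1sum to match CONFIG_IMA_DEFAULT_HASH_SHA1 in ima.cfg; derive the algorithm from the "sha1:" prefix of the measurement entry so the test survives a hash change. In test_ima_signature, blacklisted binaries are skipped but self.total still counts them, so `failed == self.total` can never be true once the blacklist matches anything and the test cannot fail; compare against the number actually verified, and consider failing on any failed verification rather than only when every binary fails.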

[yocto] [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../ima_policy_simple/files/ima_policy_simple  |  4 
 .../ima_policy_simple/ima-policy-simple_1.0.bb | 18 ++
 2 files changed, 22 insertions(+)
 create mode 100644 
meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
 create mode 100644 
meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb

diff --git 
a/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple 
b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
new file mode 100644
index 000..38ca8f5
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
@@ -0,0 +1,4 @@
+# Very simple policy demonstrating the systemd policy loading bug
+# (policy with one line works, two lines don't).
+dont_appraise fsmagic=0x9fa0
+dont_appraise fsmagic=0x62656572
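Review bot: the header comment describes a systemd bug this file once demonstrated rather than what the policy does; label the two fsmagic values as the other policy files in this layer do (`# PROC_SUPER_MAGIC` above 0x9fa0, `# SYSFS_MAGIC` above 0x62656572) and state that the file contains only exemptions, so which files actually get appraised is decided elsewhere (for the test image in 14/14, by the ima_policy= kernel command line).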
diff --git 
a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb 
b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
new file mode 100644
index 000..17132aa
--- /dev/null
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_simple"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+install -d ${D}/${sysconfdir}/ima
+install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
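Review bot: `install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima/ima-policy` gives no mode, so the policy lands as 0755; use `install -m 0644` for a data file. The package is named ima-policy-simple (hyphens) while the file it installs is ima_policy_simple (underscores); if another recipe puts the IMA_POLICY file name into RDEPENDS, it will not resolve to this package, so either align the two names or add `RPROVIDES_${PN} += "${IMA_POLICY}"`. Since every policy recipe installs the same /etc/ima/ima-policy, an `RCONFLICTS_${PN}` on the sibling policy packages would prevent two of them being pulled into one image.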
-- 
2.17.1

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-security][PATCH 14/14] image: add image for testing

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../images/integrity-image-minimal.bb | 22 +++
 1 file changed, 22 insertions(+)
 create mode 100644 
meta-integrity/recipes-core/images/integrity-image-minimal.bb

diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb 
b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
new file mode 100644
index 000..6ed724d
--- /dev/null
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "An image as an exmaple for Ima support"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+
+IMAGE_INSTALL = "\
+packagegroup-base \
+packagegroup-core-boot \
+packagegroup-ima-evm-utils \
+os-release"
+
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "integrity-image-minimal"
+
+INHERIT += "ima-evm-rootfs"
+IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+
+QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb 
ima_policy=appraise_tcb"
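Review bot: `INHERIT += "ima-evm-rootfs"` has no effect inside a recipe; INHERIT is only honoured from configuration files, so this should be `inherit ima-evm-rootfs`, the same form already used for core-image a few lines above. Also worth stating in DESCRIPTION (which misspells "example"): `ima_appraise=fix` puts IMA into fix mode, where files with missing or mismatching hashes have their security.ima rewritten instead of being denied, so this image enforces nothing, and IMA_EVM_KEY_DIR points at the layer's published debug keys, so its signatures carry no trust outside a test setup.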
-- 
2.17.1



[yocto] [meta-security][PATCH 06/14] linux: update bbappend

2019-05-26 Thread Armin Kuster
remove untested code

Signed-off-by: Armin Kuster 
---
 .../recipes-kernel/linux/linux-%.bbappend | 117 +-
 1 file changed, 2 insertions(+), 115 deletions(-)

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend 
b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index 48560b1..931854e 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,116 +1,3 @@
-IMA_ENABLED_HERE := "${@'yes' if bb.data.inherits_class('kernel', d) and 'ima' 
in d.getVar('DISTRO_FEATURES', True).split() else 'no'}"
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
 
-IMA_FILESEXTRAPATHS_yes := "${THISDIR}/linux:"
-IMA_FILESEXTRAPATHS_no := ""
-FILESEXTRAPATHS_prepend := "${IMA_FILESEXTRAPATHS_${IMA_ENABLED_HERE}}"
-
-# These two patches are necessary to unpack archives with security.ima xattr
-# such that security.ima is taken from the archive. If the policy
-# allows hashing, unpatched kernels (at least up to 4.3) will replace
-# a signed hash in security.ima with a locally computed hash.
-#
-# Note that only bsdtar/libarchive are known to work; GNU tar sets
-# the security.ima on an empty file and the tries re-opening it for
-# writing its content, which then fails due to the IMA hash mismatch.
-#
-# Kernels >= 4.7 have the patches, while older kernels are likely to
-# need the patches. So apply them by default. To avoid that,
-# set IMA_EVM_SETATTR_PATCH_x.y.z (where x.y.z == linux kernel version)
-# to an empty string (to avoid patching) or some other patch files
-# suitable for that kernel.
-def ima_evm_setattr_patch(d):
-result = []
-linux_version = d.getVar('LINUX_VERSION', True) or ''
-# These two patches are known to be included upstream.
-if bb.utils.vercmp_string_op(linux_version, '4.7', '<'):
-patches = d.getVar('IMA_EVM_SETATTR_PATCH_' + linux_version, True)
-if patches != None:
-# Patches explicitly chosen, may be empty.
-result.append(patches)
-else:
-# Enabled by default.
-result.append('file://0001-ima-fix-ima_inode_post_setattr.patch 
file://0002-ima-add-support-for-creating-files-using-the-mknodat.patch')
-# This one addresses a problem added in 4.2. The upstream revert will land
-# in some future kernel. We need to extend version check once we know
-# which kernels have the patch.
-if bb.utils.vercmp_string_op(linux_version, '4.2', '>='):
-patches = d.getVar('IMA_EVM_SETATTR_REVERT_PATCH_' + linux_version, 
True)
-if patches != None:
-# Patches explicitly chosen, may be empty.
-result.append(patches)
-else:
-# Enabled by default.
-
result.append('file://Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch')
-return ' '.join(result)
-
-# Edison kernel too old, patch not applicable -> swupd is broken in Ostro OS 
for Edison.
-IMA_EVM_SETATTR_PATCH_3.10.98 = ""
-
-# Kernel config fragment enabling IMA/EVM and (where necessary and possible)
-# also patching the kernel.
-IMA_EVM_CFG_yes = " file://ima.cfg \
-${@ ima_evm_setattr_patch(d)} \
-  "
-IMA_EVM_CFG_no = ""
-SRC_URI_append = "${IMA_EVM_CFG_${IMA_ENABLED_HERE}}"
-
-# IMA_EVM_ROOT_CA, if set, is the absolute path to a der-encoded
-# x509 CA certificate which will get compiled into the kernel.
-# The kernel will then use it to validate additional certificates,
-# like the one loaded dynamically for IMA.
-#
-# Depending on the kernel version, there are two ways to add the
-# CA certificate:
-# - For Linux < 4.3, we put the x509 file into the source directory
-#   where the kernel compilation will find it automatically
-#   (http://lxr.free-electrons.com/source/kernel/Makefile?v=4.2#L115).
-# - For Linux >= 4.3, we set SYSTEM_TRUSTED_KEYS
-#   (http://lxr.free-electrons.com/source/certs/Kconfig?v=4.3#L29).
-#   The ima_evm_root_ca.cfg only contains a blank file name.
-#   The actual file name gets patched in after the file was used
-#   to configure the kernel (see do_kernel_configme_append).
-#   This has to point to a single file, i.e. using it for IMA has to
-#   be coordinated with other usages.
-#
-# The IMA_EVM_ROOT_CA default is set globally in ima-evm-rootfs.bbclass.
-# Need weaker default here in case that ima-evm-rootfs.bbclass is not
-# inherited.
-IMA_EVM_ROOT_CA ??= ""
-
-# Add CONFIG_SYSTEM_TRUSTED_KEYS (for recent kernels) and
-# copy the root certificate into the build directory. By using
-# the normal fetcher mechanism for the certificate we ensure that
-# a rebuild is triggered when the file name or content change.
-#
-# Recompiling on name change is a bit too aggressive and causes
-# unnecessary rebuilds when only the location of the file, but not its
-# content change. This may need further work, should it become a problem
-# in practice. For example, IMA_EVM_ROOT_CA could be redefined as
-# an URL that then gets found v
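Review bot: the commit message "remove untested code" does not say what replaces the removed pieces. With the DISTRO_FEATURES 'ima' gate gone, FILESEXTRAPATHS is now prepended for every kernel recipe unconditionally, and the deleted block was what appended `file://ima.cfg` (and, optionally, the root CA selected by IMA_EVM_ROOT_CA) to SRC_URI; the visible part of the hunk shows no replacement for the ima.cfg fragment, so the message should say where the IMA kernel configuration is now pulled in and whether embedding a CA via SYSTEM_TRUSTED_KEYS is still supported by this layer.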

[yocto] [meta-security][PATCH 11/14] data: remove policies

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 meta-integrity/data/ima_policy_appraise_all | 29 
 meta-integrity/data/ima_policy_hashed   | 77 -
 meta-integrity/data/ima_policy_simple   |  4 --
 3 files changed, 110 deletions(-)
 delete mode 100644 meta-integrity/data/ima_policy_appraise_all
 delete mode 100644 meta-integrity/data/ima_policy_hashed
 delete mode 100644 meta-integrity/data/ima_policy_simple

diff --git a/meta-integrity/data/ima_policy_appraise_all 
b/meta-integrity/data/ima_policy_appraise_all
deleted file mode 100644
index 36e71a7..000
--- a/meta-integrity/data/ima_policy_appraise_all
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Integrity measure policy 
(http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
-# 
-# Do not measure anything, but appraise everything
-#
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream 
Linux kernel)
-dont_appraise fsmagic=0x6e736673
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-
-appraise
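Review bot: the commit message carries nothing beyond the Signed-off-by; since an IMA_POLICY name in this layer selects both a file and (after 12/14) a runtime package, say whether ima_policy_appraise_all is being relocated into a recipe or dropped, so anyone who has set IMA_POLICY to it knows what to change.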
diff --git a/meta-integrity/data/ima_policy_hashed 
b/meta-integrity/data/ima_policy_hashed
deleted file mode 100644
index 7f89c8d..000
--- a/meta-integrity/data/ima_policy_hashed
+++ /dev/null
@@ -1,77 +0,0 @@
-# With this policy, all files on regular partitions are
-# appraised. Files with signed IMA hash and normal hash are
-# accepted. Signed files cannot be modified while hashed files can be
-# (which will also update the hash). However, signed files can
-# be deleted, so in practice it is still possible to replace them
-# with a modified version.
-#
-# Without EVM, this is obviously not very secure, so this policy is
-# just an example and/or basis for further improvements. For that
-# purpose, some comments show what could be added to make the policy
-# more secure.
-#
-# With EVM the situation might be different because access
-# to the EVM key can be restricted.
-#
-# Files which are appraised are also measured. This allows
-# debugging whether a file is in policy by looking at
-# /sys/kernel/security/ima/ascii_runtime_measurements
-
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-dont_measure fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-dont_measure fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-dont_measure fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-dont_measure fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-dont_measure fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-dont_measure fsmagic=0x1cd1
-# BIFMT
-dont_appraise fsmagic=0x42494e4d
-dont_measure fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-dont_measure fsmagic=0x73636673
-# SELINUXFS_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-dont_measure fsmagic=0xf97cff8c
-# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream 
Linux kernel)
-dont_appraise fsmagic=0x6e736673
-dont_measure fsmagic=0x6e736673
-# SMACK_MAGIC
-dont_appraise fsmagic=0x43415d53
-dont_measure fsmagic=0x43415d53
-# CGROUP_SUPER_MAGIC
-dont_appraise fsmagic=0x27e0eb
-dont_measure fsmagic=0x27e0eb
-# EFIVARFS_MAGIC
-dont_appraise fsmagic=0xde5e81e4
-dont_measure fsmagic=0xde5e81e4
-
-# Special partition, no checking done.
-# dont_measure  fsuuid=a11234...
-# dont_appraise fsuuid=a11243...
-
-# Special immutable group.
-# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
-
-# All executables must be signed - too strict, we need to
-# allow installing executables on the device.
-# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
-# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
-
-# Default rule. Would be needed also when other rules were added that
-# determine what to do in case of reading (mask=MAY_READ or
-# mask=MAY_EXEC) because otherwise writing does not update the file
-# hash.
-appraise
-measure
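Review bot: deleting data/ima_policy_hashed here breaks the series midway: at this point initramfs-framework-ima still defaults to `IMA_POLICY ?= "ima_policy_hashed"` and fetches it through `FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:"`, and that fetch is only removed in 12/14, so the initramfs recipe fails to build between 11/14 and 12/14. Reorder so the consumer stops referencing the data directory before the files go away, or fold the two changes into one commit.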
diff --git a/meta-integrity/data/ima_policy_simple 
b/meta-integrity/data/ima_policy_simple
deleted file mode 100644
index 38ca8f5..000
--- a/meta-integrity/data/ima_policy_simple
+++ /dev/null
@@ -1,4 +0,0 @@
-# Very simple policy demonstrating the systemd policy loading bug
-# (policy with one line works, two lines don't).
-dont_appraise fsmagic=0x9fa0
-dont_appraise fsmagic=0x62656572
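Review bot: this deleted file is byte-identical to the one added under recipes-security/ima_policy_simple/files in 09/14; a rename in a single commit (`git mv`), or squashing 09/14 with this hunk, would keep the file's history and avoid the intermediate series state in which both copies exist.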
-- 
2.17.1



[yocto] [meta-security][PATCH 12/14] initramfs: clean up to pull in packages.

2019-05-26 Thread Armin Kuster
Signed-off-by: Armin Kuster 
---
 .../initrdscripts/initramfs-framework-ima.bb | 12 
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git 
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb 
b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index aca38b7..6057e8d 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -8,25 +8,21 @@
 SUMMARY = "IMA module for the modular initramfs system"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = 
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-RDEPENDS_${PN} += "initramfs-framework-base"
 
 # This policy file will get installed as /etc/ima/ima-policy.
 # It is located via the normal file search path, so a .bbappend
 # to this recipe can just point towards one of its own files.
 IMA_POLICY ?= "ima_policy_hashed"
-FILESEXTRAPATHS =. "${IMA_EVM_BASE}/data:"
 
-SRC_URI = " \
-file://${IMA_POLICY} \
-file://ima \
-"
+SRC_URI = " file://ima"
 
 do_install () {
 install -d ${D}/${sysconfdir}/ima
-install ${WORKDIR}/${IMA_POLICY}  ${D}/${sysconfdir}/ima-policy
 install -d ${D}/init.d
 install ${WORKDIR}/ima  ${D}/init.d/20-ima
 }
 
 FILES_${PN} = "/init.d ${sysconfdir}"
-RDEPENDS_${PN} = "keyutils"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"
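Review bot: `RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"` turns the policy file name into a package name, but the policy recipes in this series use hyphenated names (ima-policy-simple) while IMA_POLICY keeps the underscore form (ima_policy_hashed), so the dependency will not resolve unless those recipes RPROVIDE the underscore name. The comment above IMA_POLICY is also stale: this recipe no longer installs anything as /etc/ima/ima-policy, so a .bbappend pointing at its own policy file does nothing, and `install -d ${D}/${sysconfdir}/ima` together with `${sysconfdir}` in FILES_${PN} now only packages an empty directory.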
-- 
2.17.1



[yocto] [meta-cgl][PATCH 1/2] crmsh: do not use unstable github archive tarballs

2019-05-26 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb 
b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
index b28a826..7563c99 100644
--- a/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
+++ b/meta-cgl-common/recipes-cgl/crmsh/crmsh_3.0.3.bb
@@ -13,12 +13,12 @@ DEPENDS = "asciidoc-native \
"
 RDEPENDS_${PN} = "pacemaker python-lxml gawk"
 
-SRC_URI = 
"https://github.com/ClusterLabs/crmsh/archive/${PV}.tar.gz;downloadfilename=${BP}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=crmsh-3.0 \
file://tweaks_for_build.patch \
   "
 
-SRC_URI[md5sum] = "563b463155a652820c8d1319418e88b7"
-SRC_URI[sha256sum] = 
"364fadb0d0c9619676e10bb75f4ea833a49019aa77ddb26229bc9d1c435585c0"
+SRCREV = "41845ca5511b844593cf25ae4eb7f307aa78c5be"
 
 inherit autotools-brokensep distutils-base
 
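Review bot: the `git://` URL is an unauthenticated transport; the fixed SRCREV still pins the exact commit, but add `;protocol=https` so the fetch itself cannot be tampered with or blocked in transit. A short comment recording which tag the SRCREV corresponds to (PV stays 3.0.3 while branch=crmsh-3.0 advances) would make the pin auditable without a checkout.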
-- 
2.7.4



[yocto] [meta-selinux][PATCH] setools: do not use unstable github archive tarballs

2019-05-26 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 recipes-security/setools/setools_4.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index c5a2d34..8bdbfba 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -8,14 +8,14 @@ SETools."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
-SRC_URI = 
"https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
 "
 
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = 
"46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
+SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
 
file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
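Review bot: the SRCREV pin provides integrity, but `git://` is an unauthenticated transport, so add `;protocol=https` to the SRC_URI. Because branch=4.1 will move while PV stays 4.1.1, a comment noting which tag the SRCREV corresponds to keeps the pin verifiable.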
-- 
2.7.4



[yocto] [meta-cgl][PATCH 2/2] pacemaker: do not use unstable github archive tarballs

2019-05-26 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

Signed-off-by: Hongxu Jia 
---
 meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb 
b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
index 00893d1..a7c38df 100644
--- a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker_1.1.19.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=19a64afd3a35d044a80579d7aafc30ff"
 
 DEPENDS = "corosync libxslt libxml2 gnutls resource-agents libqb python-native"
 
-SRC_URI = "https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \
+SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=1.1 \
file://0001-pacemaker-fix-xml-config.patch \

file://0002-pacemaker-search-header-from-STAGING_INCDIR-to-walka.patch \
file://0003-pacemaker-fix-header-defs-lookup.patch \
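Review bot: add `;protocol=https` to the new git URL; `git://` is an unauthenticated transport and, while the SRCREV added in the next hunk pins the commit, the fetch itself should not be exposed to tampering or blocking in transit.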
@@ -28,12 +28,11 @@ SRC_URI = 
"https://github.com/ClusterLabs/${BPN}/archive/Pacemaker-${PV}.zip \
 
 SRC_URI_append_libc-musl = 
"file://0001-pacemaker-fix-compile-error-of-musl-libc.patch"
 
-SRC_URI[md5sum] = "deb7017c5a9d3f39895d9ea2c34bc8eb"
-SRC_URI[sha256sum] = 
"6e222046487c2dc6ae61d49089ecbf6a0bcb495e8cdcb76d115fd987d0df8f7f"
+SRCREV = "c3c624ea3d98a74a8a287671a156db126c99a7bb"
 
 inherit autotools-brokensep pkgconfig systemd python-dir useradd
 
-S="${WORKDIR}/pacemaker-Pacemaker-${PV}"
+S = "${WORKDIR}/git"
 
 CLEANBROKEN = "1"
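Review bot: record in a comment that the SRCREV corresponds to the Pacemaker-1.1.19 tag the old zip URL referenced, since PV stays 1.1.19 while branch=1.1 advances; dropping the md5sum/sha256sum lines is correct, as those checksums apply only to file fetches, not to git.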
 
-- 
2.7.4
