subtree updates
meta-security: 53c5cc794f..ddf301c45c:
Adrian Zaharia (1):
libmhash: fix multilib header conflict - mutils/mhash_config.h
Alexander Kanavin (1):
maintainers.inc: rename to avoid clashes with oe-core
Armin Kuster (15):
meta-tpm: rename recipes-tpm to recipes-tpm1
recipes-tpm: use this for common tpm recipes
swtpm: update to 0.8.0
libtpm: update to 0.9.6
ossec-hids: update to tip of 3.7.0
libhtp: update to 0.5.43
suricata: update to 6.0.11
fscryptctl: update to 1.0.1
oeqa: fix hash test to match new changes
integrity-image-minimal: adapt QEMU cmdline to new changes
lynis: Add decoding OE and Poky
os-release.bbappend: drop now CPE_NAME is in core
openembedded-release: drop as os-release does this now
tpm2-tss: drop vendor from PACKAGECONFIG
packagegroup-security-tpm2: restore pkgs removed earlier
Paul Gortmaker (4):
dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
dm-verity: don't make read-only-rootfs sound like a requirement
dm-verity: document the meta-intel dependency in the systemd example
dm-verity: add x86-64 systemd based example instructions
Peter Hoyes (1):
meta-parsec/layer.conf: Insert addpylib declaration
Peter Kjellerstedt (1):
tpm2-tools: Remove unnecessary and optional dependencies
Stefan Berger (12):
ima: Document and replace keys and adapt scripts for EC keys
ima: Fix the ima_policy_appraise_all to appraise executables & libraries
ima: Fix the IMA kernel feature
ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
ima: Sign all executables and the ima-policy in the root filesystem
integrity: Update the README for IMA support
linux: overlayfs: Add kernel patch resolving a file change notification issue
ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
linux: overlayfs: Drop kernel patch resolving a file change notification issue
ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
integrity: Fix the do_configure function
integrity: Rename linux-%.bbappend to linux-yocto%.bbappend
meta-raspberrypi: bf948e0aa8..928bb234bb:
Martin Jansa (3):
rpi-libcamera-apps: fix flags used in aarch64 builds
rpi-libcamera-apps: fix version generation on hosts with older python
rpi-libcamera-apps: bump to latest SRCREV and set PV
meta-arm: 0b5724266a..f9d80e1a14:
Emekcan Aras (2):
arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
diff --git a/meta-security/conf/distro/include/maintainers.inc b/meta-security/conf/distro/include/maintainers-meta-security.inc
similarity index 100%
rename from meta-security/conf/distro/include/maintainers.inc
rename to meta-security/conf/distro/include/maintainers-meta-security.inc
diff --git a/meta-security/docs/dm-verity-systemd-x86-64.txt b/meta-security/docs/dm-verity-systemd-x86-64.txt
new file mode 100644
index 0000000..a47b02c
--- /dev/null
+++ b/meta-security/docs/dm-verity-systemd-x86-64.txt
@@ -0,0 +1,77 @@
+dm-verity and x86-64 and systemd
+--------------------------------
+In this example, we'll target combining qemux86-64 with dm-verity and
+also systemd - systemd has dm-verity bindings and is more likely to be
+used on x86.
+
+While dm-verity in a qemu environment doesn't make practial sense as a
+deployment - it can be a useful stepping stone for testing and getting to
+a final physical deployment.
+
+Set/uncomment the MACHINE line for "qemux86-64" if you haven't yet. It
+should be the default if unspecified, but check to be sure. As of this
+writing (kernel v6.1) the resulting qemux86-64 build can also be booted
+successfully on physical hardware, but if you don't intend to use qemu,
+you might instead want to choose "genericx86-64"
+
+This will make use of wic/systemd-bootdisk-dmverity.wks.in -- note that it
+contains a dependency on the meta-intel layer for microcode, so you'll need
+to fetch and add that layer in addition to the meta-security related layers.
+
+In addition to the basic dm-verity settings, choose systemd in local.conf:
+
+DISTRO_FEATURES:append = " security systemd"
+VIRTUAL-RUNTIME_init_manager = "systemd"
+EFI_PROVIDER = "systemd-boot"
+PACKAGECONFIG:append:pn-systemd = " cryptsetup"
+
+Note the last line - you won't typically see that in on-line instructions
+for enabling systemd. It is important for dm-verity, since it triggers
+the build and installation of components like this onto the rootfs:
+
+ /lib/systemd/system-generators/systemd-veritysetup-generator
+ /lib/systemd/systemd-veritysetup
+
+Now build the components for the wic image:
+
+ bitbake intel-microcode
+ bitbake core-image-minimal
+
+Assemble the image:
+
+ ------------------------------
+build-qemu-x86_64$wic create systemd-bootdisk-dmverity -e core-image-minimal
+INFO: Building wic-tools...
+
+[...]
+
+INFO: Creating image(s)...
+
+INFO: The new image(s) can be found here:
+ ./systemd-bootdisk-dmverity.wks-202304181413-sda.direct
+
+The following build artifacts were used to create the image(s):
+ BOOTIMG_DIR: /home/paul/poky/build-qemu-x86_64/tmp/work/qemux86_64-poky-linux/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+ KERNEL_DIR: /home/paul/poky/build-qemu-x86_64/tmp/deploy/images/qemux86-64
+ NATIVE_SYSROOT: /home/paul/poky/build-qemu-x86_64/tmp/work/core2-64-poky-linux/wic-tools/1.0-r0/recipe-sysroot-native
+
+INFO: The image(s) were created using OE kickstart file:
+ /home/paul/poky/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+build-qemu-x86_64$
+ ------------------------------
+
+The "runqemu" script defaults were acceptable for testing with only the
+verity image needing to be specified, i.e.
+
+ runqemu \
+ nographic \
+ qemux86-64 \
+ tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity
+
+You will see the above "direct" image file and also similarly named
+individual partition images. To boot on UEFI enabled physical hardware,
+you need to simply write the "direct" image file to a USB stick with dd
+and the partition images can largely be ignored.
+
+Further information on interacting with the systemd UEFI loader is here:
+https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/
diff --git a/meta-security/docs/dm-verity.txt b/meta-security/docs/dm-verity.txt
index 602a826..c2dce73 100644
--- a/meta-security/docs/dm-verity.txt
+++ b/meta-security/docs/dm-verity.txt
@@ -31,6 +31,8 @@
Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
which will source features/device-mapper/dm-verity.scc when dm-verity-img
is used. [See commit d9feafe991c]
+IMPORTANT: As per the top level README, you *must* put security in the
+DISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
Supported Platforms
-------------------
@@ -51,11 +53,18 @@
Firstly, you need the meta-security layer to conf/bblayers.conf along with
the dependencies it has -- see the top level meta-security README for that.
-Next, assuming you'll be using dm-verity for validation of your rootfs,
-you'll need to enable read-only rootfs support in your local.conf with:
+Note that if you are using dm-verity for your rootfs, then it enforces a
+read-only mount right at the kernel level, so be prepared for issues such
+as failed creation of temporary files and similar.
+
+Yocto does support additional checks and changes via setting:
EXTRA_IMAGE_FEATURES = "read-only-rootfs"
+...but since read-only is enforced at the kernel level already, using
+this feature isn't a hard requirement. It may be best to delay/defer
+making use of this until after you've established basic booting.
+
For more details, see the associated documentation:
https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index eae1c57..1a37280 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -76,7 +76,7 @@
It has some dependencies on a suitable BSP; in particular the kernel
must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
directly from the kernel) which were added in that release. Your
mileage may vary with older kernels.
@@ -89,10 +89,17 @@
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
+ DISTRO_FEATURES:append = " integrity ima"
+
IMAGE_CLASSES += "ima-evm-rootfs"
+
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+ IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+ # The following policy enforces IMA & EVM signatures
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -113,10 +120,7 @@
cd $IMA_EVM_KEY_DIR
# In that shell, create the keys. Several options exist:
- # 1. Self-signed keys.
- $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
- # 2. Keys signed by a new CA.
+ # 1. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
# Signing images then will not require entering that passphrase,
# only creating new certificates does. Most likely the default
@@ -125,13 +129,11 @@
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
- # 3. Keys signed by an existing CA.
+ # 2. Keys signed by an existing CA.
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA. The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
supports adding tha CA's public key to the kernel's system keyring by
compiling it directly into the kernel. Because it is unknown whether
@@ -187,7 +189,7 @@
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..98c4bc1 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
# Sign all regular files by default.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@
# Avoid re-generating fstab when ima is enabled.
WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
@@ -59,17 +62,32 @@
perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
fi
- # Sign file with private IMA key. EVM not supported at the moment.
- bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
- find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
- bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
- find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+ # Detect 32bit target to pass --m32 to evmctl by looking at libc
+ tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+ if [ "${tmp}" = "ELF 32-bit" ]; then
+ evmctl_param="--m32"
+ elif [ "${tmp}" = "ELF 64-bit" ]; then
+ evmctl_param=""
+ else
+ bberror "Unknown target architecture bitness: '${tmp}'" >&2
+ exit 1
+ fi
+
+ bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+ # check signing key and signature verification key
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ if [ "${IMA_EVM_POLICY}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+ bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
fi
}
diff --git a/meta-security/meta-integrity/data/debug-keys/README.md b/meta-security/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+ openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````
diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9
+MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt
+c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG
+SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP
+MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD
+DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp
+Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU
+rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG
+A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud
+IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO
+PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu
+clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw==
+-----END CERTIFICATE-----
diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
-----END PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6b..3f6f24e 100644
--- a/meta-security/meta-integrity/data/debug-keys/x509_ima.der
+++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
index 0c8617a..6b361ca 100644
--- a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
+++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -58,21 +58,19 @@
@OETestDepends(['ima.IMACheck.test_ima_enabled'])
def test_ima_hash(self):
''' Test if IMA stores correct file hash '''
- filename = "/etc/filetest"
+ filename = "/etc/ld.so.cache"
ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
- status, output = self.target.run("echo test > %s" % filename)
- self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
# wait for the IMA system to update the entry
- maximum_tries = 30
+ maximum_tries = 3
tries = 0
- status, output = self.target.run("sha1sum %s" %filename)
+ status, output = self.target.run("sha256sum %s" %filename)
sleep(2)
current_hash = output.split()[0]
ima_hash = ""
while tries < maximum_tries:
- status, output = self.target.run("cat %s | grep %s" \
+ status, output = self.target.run("cat %s | grep -e '%s'" \
% (ima_measure_file, filename))
# get last entry, 4th field
if status == 0:
diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index f40e867..5022170 100644
--- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -18,4 +18,4 @@
INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
similarity index 100%
rename from meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
rename to meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
- if (iint) {
- iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-- IMA_ACTION_FLAGS);
-+ IMA_ACTION_RULE_FLAGS);
- if (must_appraise)
- iint->flags |= IMA_APPRAISE;
- }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
-
- /* iint cache flags */
- #define IMA_ACTION_FLAGS 0xff000000
-+#define IMA_ACTION_RULE_FLAGS 0x06000000
- #define IMA_DIGSIG 0x01000000
- #define IMA_DIGSIG_REQUIRED 0x02000000
- #define IMA_PERMIT_DIRECTIO 0x04000000
---
-2.5.0
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files. However new empty files
-can be created using the mknodat syscall. On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents. This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified. The file contents need to be
-written, before signing the file. This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- fs/namei.c | 2 ++
- include/linux/ima.h | 7 ++++++-
- security/integrity/ima/ima_appraise.c | 3 +++
- security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
- switch (mode & S_IFMT) {
- case 0: case S_IFREG:
- error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+ if (!error)
-+ ima_post_path_mknod(dentry);
- break;
- case S_IFCHR: case S_IFBLK:
- error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
--
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
- return 0;
- }
-
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ return;
-+}
-+
- #endif /* CONFIG_IMA */
-
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- if (!ima_fix_xattr(dentry, iint))
- status = INTEGRITY_PASS;
-+ } else if ((inode->i_size == 0) &&
-+ (iint->flags & IMA_NEW_FILE) &&
-+ (xattr_value &&
-+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+ status = INTEGRITY_PASS;
- }
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
- ima_audit_measurement(iint, pathname);
-
- out_digsig:
-- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+ !(iint->flags & IMA_NEW_FILE))
- rc = -EACCES;
- kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
-
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ struct integrity_iint_cache *iint;
-+ struct inode *inode;
-+ int must_appraise;
-+
-+ if (!dentry || !dentry->d_inode)
-+ return;
-+
-+ inode = dentry->d_inode;
-+ if (inode->i_size != 0)
-+ return;
-+
-+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+ if (!must_appraise)
-+ return;
-+
-+ iint = integrity_inode_get(inode);
-+ if (iint)
-+ iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
- * ima_module_check - based on policy, collect/store/appraise measurement.
- * @file: pointer to the file to be measured/appraised
- *
---
-2.5.0
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-
-However, that hardening ignores and breaks some valid use cases:
-- File hashes might not be set because the file is currently
- outside of the policy and therefore have to be set by the
- creator. Examples:
- - Booting into an initramfs with an IMA-enabled kernel but
- without setting an IMA policy, then installing
- the OS onto the target partition by unpacking a rootfs archive
- which has the file hashes pre-computed.
- - Unpacking a file into a staging area with meta data (like owner)
- that leaves the file outside of the current policy, then changing
- the meta data such that it becomes part of the current policy.
-- "should not be set manually" implies that the creator is aware
- of IMA semantic, the current system's configuration, and then
- skips setting file hashes in security.ima if (and only if) the
- kernel would prevent it. That's not the case for standard, unmodified
- tools. Example: unpacking an archive with security.ima xattrs with
- bsdtar or GNU tar.
-
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
- result = ima_protect_xattr(dentry, xattr_name, xattr_value,
- xattr_value_len);
- if (result == 1) {
-- bool digsig;
--
- if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
- return -EINVAL;
-- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
-- return -EPERM;
-- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+ ima_reset_appraise_flags(d_backing_inode(dentry),
-+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
- result = 0;
- }
- return result;
---
-2.1.4
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
new file mode 100644
index 0000000..d7d80a6
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,45 @@
+CONFIG_KEYS=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
+# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
+# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_APPRAISE_SIGNED_INIT=y
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+# CONFIG_EVM_LOAD_X509 is not set
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc
new file mode 100644
index 0000000..6eb84b0
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable IMA"
+
+kconf non-hardware ima.cfg
+
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 3ab53e5..7016800 100644
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,4 +1,14 @@
-KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+FILESEXTRAPATHS:append := "${THISDIR}/linux:"
+
+SRC_URI += " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+"
+
+do_configure:append() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+ fi
+}
KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..3624576
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,35 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ if (mode_str)
+ st.st_mode = strtoul(mode_str, NULL, 10);
+
+- if (!evm_immutable) {
++ if (!evm_immutable && !evm_portable) {
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+
+---
+2.39.2
+
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
similarity index 71%
rename from meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
rename to meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
index 873aeeb..8ac080c 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -6,8 +6,13 @@
DEPENDS:class-native += "openssl-native keyutils-native"
-SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
-SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
inherit pkgconfig autotools features_check
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@
dont_appraise fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC
+# Appraise executables
+appraise func=BPRM_CHECK
diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -36,13 +35,15 @@
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
- -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
-CA $CA -CAkey $CAKEY -CAcreateserial \
-outform DER -out x509_ima.der
diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
- -x509 -config $GENKEY \
- -outform DER -out x509_ima.der -keyout privkey_ima.pem
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 0a71694..7d272a2 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -12,3 +12,5 @@
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
+
+addpylib ${LAYERDIR}/lib oeqa
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch b/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
new file mode 100644
index 0000000..d365ec1
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch
@@ -0,0 +1,51 @@
+From 4b1de197ee0dd259cc05d5faf7fd38b580d841d2 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Tue, 2 May 2023 16:22:13 -0400
+Subject: [PATCH] osdetection: add OpenEmbedded and Poky
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Upstream-Status: Pending
+https://github.com/CISOfy/lynis/pull/1390
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ include/osdetection | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/include/osdetection b/include/osdetection
+index 989b1b3..e5974e5 100644
+--- a/include/osdetection
++++ b/include/osdetection
+@@ -308,6 +308,12 @@
+ OS_REDHAT_OR_CLONE=1
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
++ "nodistro")
++ LINUX_VERSION="openembedded"
++ OS_NAME="OpenEmbedded"
++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ ;;
+ "opensuse-tumbleweed")
+ LINUX_VERSION="openSUSE Tumbleweed"
+ # It's rolling release but has a snapshot version (the date of the snapshot)
+@@ -330,6 +336,14 @@
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
++ "poky")
++ LINUX_VERSION="Poky"
++ OS_NAME="openembedded"
++ LINUX_VERSION_LIKE="openembedded"
++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
++
++ ;;
+ "pop")
+ LINUX_VERSION="Pop!_OS"
+ LINUX_VERSION_LIKE="Ubuntu"
+--
+2.25.1
+
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
index d38c17a..0a49812 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
@@ -6,7 +6,9 @@
LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
-SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz \
+ file://0001-osdetection-add-OpenEmbedded-and-Poky.patch \
+ "
SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63"
diff --git a/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb b/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
deleted file mode 100644
index 0ad427d..0000000
--- a/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-inherit allarch
-
-SUMMARY = "Operating release identification"
-DESCRIPTION = "The /etc/openembedded-release file contains operating system identification data."
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-INHIBIT_DEFAULT_DEPS = "1"
-
-do_fetch[noexec] = "1"
-do_unpack[noexec] = "1"
-do_patch[noexec] = "1"
-do_configure[noexec] = "1"
-
-VERSION = "0"
-RELEASE_NAME = "${DISTRO_NAME} ${DISTRO} ${VERSION}"
-
-def sanitise_version(ver):
- ret = ver.replace('+', '-').replace(' ','_')
- return ret.lower()
-
-python do_compile () {
- import shutil
- release_name = d.getVar('RELEASE_NAME')
- with open(d.expand('${B}/openemebedded-release'), 'w') as f:
- f.write('%s\n' % release_name)
-}
-do_compile[vardeps] += "${RELEASE_NAME}"
-
-do_install () {
- install -d ${D}${sysconfdir}
- install -m 0644 openemebedded-release ${D}${sysconfdir}/
-}
diff --git a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
deleted file mode 100644
index 604bacb..0000000
--- a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-CPE_NAME="cpe:/o:openembedded:nodistro:0"
diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
similarity index 100%
rename from meta-security/meta-tpm/conf/distro/include/maintainers.inc
rename to meta-security/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index fb36fab..fb0105e 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -3,6 +3,8 @@
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
inherit packagegroup
PACKAGES = "${PN}"
@@ -12,6 +14,9 @@
tpm2-tools \
trousers \
tpm2-tss \
+ libtss2-mu \
+ libtss2-tcti-device \
+ libtss2-tcti-mssim \
libtss2 \
tpm2-abrmd \
tpm2-pkcs11 \
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
similarity index 88%
rename from meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
rename to meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
index cf80064..a860319 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.5.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.9.6.bb
@@ -2,7 +2,7 @@
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
-SRCREV = "df1c3e98d697f3c1f09262d2ba161a7db784d6cc"
+SRCREV = "f8c2dc7e12a730dcca4220d7ac5ad86d13dfd630"
SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.9;protocol=https"
PE = "1"
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
similarity index 92%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
index 55d83f9..614b07f 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb
@@ -6,8 +6,8 @@
# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
-SRCREV = "f2268eebb0d1adf89bad83fa4cf91e37b4e3fa53"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.7-next;protocol=https \
+SRCREV = "2ae7b019370760e17f4f2675195a91ca53950eda"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=master;protocol=https \
"
PE = "1"
diff --git a/meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb b/meta-security/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/hoth/libhoth_git.bb
rename to meta-security/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/files/openssl11_build_fix.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
rename to meta-security/meta-tpm/recipes-tpm1/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
rename to meta-security/meta-tpm/recipes-tpm1/pcr-extend/files/fix_openssl11_build.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
rename to meta-security/meta-tpm/recipes-tpm1/pcr-extend/pcr-extend_git.bb
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
rename to meta-security/meta-tpm/recipes-tpm1/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
rename to meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/04-fix-FTBFS-clang.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
rename to meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/openssl1.1_fix.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
rename to meta-security/meta-tpm/recipes-tpm1/tpm-tools/files/tpm-tools-extendpcr.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
rename to meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/meta-security/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
rename to meta-security/meta-tpm/recipes-tpm1/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/meta-security/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
rename to meta-security/meta-tpm/recipes-tpm1/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/meta-security/meta-tpm/recipes-tpm1/trousers/files/tcsd.service
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
rename to meta-security/meta-tpm/recipes-tpm1/trousers/files/tcsd.service
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
rename to meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers-udev.rules
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
rename to meta-security/meta-tpm/recipes-tpm1/trousers/files/trousers.init.sh
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
rename to meta-security/meta-tpm/recipes-tpm1/trousers/trousers_git.bb
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
index ef73238..8119bb1 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
@@ -4,7 +4,7 @@
LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=a846608d090aa64494c45fc147cc12e3"
SECTION = "tpm"
-DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
+DEPENDS = "tpm2-tss openssl curl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
@@ -13,6 +13,3 @@
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
inherit autotools pkgconfig bash-completion
-
-# need tss-esys
-RDEPENDS:${PN} = "libtss2 tpm2-abrmd"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
index cc7e6ae..6386105 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
@@ -18,7 +18,7 @@
inherit autotools pkgconfig systemd useradd
-PACKAGECONFIG ??= "vendor"
+PACKAGECONFIG ??= ""
PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c util-linux-libuuid "
PACKAGECONFIG[policy] = "--enable-policy,--disable-policy,json-c util-linux-libuuid "
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
index c211f03..55c10fa 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -9,7 +9,7 @@
file://0002-Makefile-don-t-set-uid-gid.patch \
"
-SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083"
+SRCREV = "bf797c759994015274f3bc31fe2bed278cce67ee"
UPSTREAM_CHECK_COMMITS = "1"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.43.bb
similarity index 90%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.42.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.43.bb
index e2866c8..5825419 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.43.bb
@@ -5,7 +5,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "b14f81bfddbc7206ea713177fcf1e1090257dcd2"
+SRCREV = "be0063a6138f795fc1af76cc5340bcb11d3b0b87"
DEPENDS = "zlib"
diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.10.bb b/meta-security/recipes-ids/suricata/suricata_6.0.11.bb
similarity index 97%
rename from meta-security/recipes-ids/suricata/suricata_6.0.10.bb
rename to meta-security/recipes-ids/suricata/suricata_6.0.11.bb
index 9d53356..914278e 100644
--- a/meta-security/recipes-ids/suricata/suricata_6.0.10.bb
+++ b/meta-security/recipes-ids/suricata/suricata_6.0.11.bb
@@ -5,7 +5,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
-SRC_URI[sha256sum] = "59bfd1bf5d9c1596226fa4815bf76643ce59698866c107a26269c481f125c4d7"
+SRC_URI[sha256sum] = "4da5e4e91e49992633a6024ce10afe6441255b2775a8f20f1ef188bd1129ac66"
DEPENDS = "lz4 libhtp"
diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
similarity index 84%
rename from meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
rename to meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index d319e48..3de2bfa 100644
--- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
+++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -9,11 +9,16 @@
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRCREV = "56b898c896240328adef7407090215abbe9ee03d"
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
+do_compile:prepend() {
+ sed -i 's/fscryptctl\.1//g' ${S}/Makefile
+ sed -i 's/install-man//g' ${S}/Makefile
+}
+
do_install() {
oe_runmake DESTDIR=${D} PREFIX=/usr install
}
diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 4d1f584..49139d2 100644
--- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -23,7 +23,11 @@
SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280"
SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0"
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest multilib_header
+
+do_install:append() {
+ oe_multilib_header mutils/mhash_config.h
+}
do_compile_ptest() {
if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
index ef114ca..a275a48 100644
--- a/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
@@ -5,6 +5,7 @@
# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
#
# This .wks only works with the dm-verity-img class.
+# Also note that the use of microcode.cpio introduces a meta-intel layer dependency.
part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid