subtree updates
meta-security: 53c5cc794f..ddf301c45c:
Adrian Zaharia (1):
libmhash: fix multilib header conflict - mutils/mhash_config.h
Alexander Kanavin (1):
maintainers.inc: rename to avoid clashes with oe-core
Armin Kuster (15):
meta-tpm: rename recipes-tpm to recipes-tpm1
recipes-tpm: use this for common tpm recipes
swtpm: update to 0.8.0
libtpm: update to 0.9.6
ossec-hids: update to tip of 3.7.0
libhtp: update to 0.5.43
suricata: update to 6.0.11
fscryptctl: update to 1.0.1
oeqa: fix hash test to match new changes
integrity-image-minimal: adapt QEMU cmdline to new changes
lynis: Add decoding OE and Poky
os-release.bbappend: drop now CPE_NAME is in core
openembedded-release: drop as os-release does this now
tpm2-tss: drop vendor from PACKAGECONFIG
packagegroup-security-tpm2: restore pkgs removed earlier
Paul Gortmaker (4):
dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
dm-verity: don't make read-only-rootfs sound like a requirement
dm-verity: document the meta-intel dependency in the systemd example
dm-verity: add x86-64 systemd based example instructions
Peter Hoyes (1):
meta-parsec/layer.conf: Insert addpylib declaration
Peter Kjellerstedt (1):
tpm2-tools: Remove unnecessary and optional dependencies
Stefan Berger (12):
ima: Document and replace keys and adapt scripts for EC keys
ima: Fix the ima_policy_appraise_all to appraise executables & libraries
ima: Fix the IMA kernel feature
ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
ima: Sign all executables and the ima-policy in the root filesystem
integrity: Update the README for IMA support
linux: overlayfs: Add kernel patch resolving a file change notification issue
ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
linux: overlayfs: Drop kernel patch resolving a file change notification issue
ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
integrity: Fix the do_configure function
integrity: Rename linux-%.bbappend to linux-yocto%.bbappend
meta-raspberrypi: bf948e0aa8..928bb234bb:
Martin Jansa (3):
rpi-libcamera-apps: fix flags used in aarch64 builds
rpi-libcamera-apps: fix version generation on hosts with older python
rpi-libcamera-apps: bump to latest SRCREV and set PV
meta-arm: 0b5724266a..f9d80e1a14:
Emekcan Aras (2):
arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index eae1c57..1a37280 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -76,7 +76,7 @@
It has some dependencies on a suitable BSP; in particular the kernel
must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
directly from the kernel) which were added in that release. Your
mileage may vary with older kernels.
@@ -89,10 +89,17 @@
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
+ DISTRO_FEATURES:append = " integrity ima"
+
IMAGE_CLASSES += "ima-evm-rootfs"
+
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+ IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+ # The following policy enforces IMA & EVM signatures
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
This uses the default keys provided in the "data" directory of the layer.
Because everyone has access to these private keys, such an image
@@ -113,10 +120,7 @@
cd $IMA_EVM_KEY_DIR
# In that shell, create the keys. Several options exist:
- # 1. Self-signed keys.
- $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
- # 2. Keys signed by a new CA.
+ # 1. Keys signed by a new CA.
# When asked for a PEM passphrase, that will be for the root CA.
# Signing images then will not require entering that passphrase,
# only creating new certificates does. Most likely the default
@@ -125,13 +129,11 @@
# $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
- # 3. Keys signed by an existing CA.
+ # 2. Keys signed by an existing CA.
# $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
exit
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA. The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
supports adding tha CA's public key to the kernel's system keyring by
compiling it directly into the kernel. Because it is unknown whether
@@ -187,7 +189,7 @@
changes. To activate policy loading via systemd, place a policy file
in `/etc/ima/ima-policy`, for example with:
- IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+ IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..98c4bc1 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
# Sign all regular files by default.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@
# Avoid re-generating fstab when ima is enabled.
WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
@@ -59,17 +62,32 @@
perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
fi
- # Sign file with private IMA key. EVM not supported at the moment.
- bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
- find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
- bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
- find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+ # Detect 32bit target to pass --m32 to evmctl by looking at libc
+ tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+ if [ "${tmp}" = "ELF 32-bit" ]; then
+ evmctl_param="--m32"
+ elif [ "${tmp}" = "ELF 64-bit" ]; then
+ evmctl_param=""
+ else
+ bberror "Unknown target architecture bitness: '${tmp}'" >&2
+ exit 1
+ fi
+
+ bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+ # check signing key and signature verification key
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ if [ "${IMA_EVM_POLICY}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+ bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
fi
}
diff --git a/meta-security/meta-integrity/data/debug-keys/README.md b/meta-security/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+ openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````
diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9
+MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt
+c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG
+SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP
+MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD
+DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp
+Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU
+rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG
+A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud
+IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO
+PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu
+clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw==
+-----END CERTIFICATE-----
diff --git a/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
-----END PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6b..3f6f24e 100644
--- a/meta-security/meta-integrity/data/debug-keys/x509_ima.der
+++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
index 0c8617a..6b361ca 100644
--- a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
+++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -58,21 +58,19 @@
@OETestDepends(['ima.IMACheck.test_ima_enabled'])
def test_ima_hash(self):
''' Test if IMA stores correct file hash '''
- filename = "/etc/filetest"
+ filename = "/etc/ld.so.cache"
ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
- status, output = self.target.run("echo test > %s" % filename)
- self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
# wait for the IMA system to update the entry
- maximum_tries = 30
+ maximum_tries = 3
tries = 0
- status, output = self.target.run("sha1sum %s" %filename)
+ status, output = self.target.run("sha256sum %s" %filename)
sleep(2)
current_hash = output.split()[0]
ima_hash = ""
while tries < maximum_tries:
- status, output = self.target.run("cat %s | grep %s" \
+ status, output = self.target.run("cat %s | grep -e '%s'" \
% (ima_measure_file, filename))
# get last entry, 4th field
if status == 0:
diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index f40e867..5022170 100644
--- a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -18,4 +18,4 @@
INHERIT += "ima-evm-rootfs"
-QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
+QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
similarity index 100%
rename from meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
rename to meta-security/meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
- if (iint) {
- iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
-- IMA_ACTION_FLAGS);
-+ IMA_ACTION_RULE_FLAGS);
- if (must_appraise)
- iint->flags |= IMA_APPRAISE;
- }
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
-
- /* iint cache flags */
- #define IMA_ACTION_FLAGS 0xff000000
-+#define IMA_ACTION_RULE_FLAGS 0x06000000
- #define IMA_DIGSIG 0x01000000
- #define IMA_DIGSIG_REQUIRED 0x02000000
- #define IMA_PERMIT_DIRECTIO 0x04000000
---
-2.5.0
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files. However new empty files
-can be created using the mknodat syscall. On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents. This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified. The file contents need to be
-written, before signing the file. This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- fs/namei.c | 2 ++
- include/linux/ima.h | 7 ++++++-
- security/integrity/ima/ima_appraise.c | 3 +++
- security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
- switch (mode & S_IFMT) {
- case 0: case S_IFREG:
- error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+ if (!error)
-+ ima_post_path_mknod(dentry);
- break;
- case S_IFCHR: case S_IFBLK:
- error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
--
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
- return 0;
- }
-
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ return;
-+}
-+
- #endif /* CONFIG_IMA */
-
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
- xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- if (!ima_fix_xattr(dentry, iint))
- status = INTEGRITY_PASS;
-+ } else if ((inode->i_size == 0) &&
-+ (iint->flags & IMA_NEW_FILE) &&
-+ (xattr_value &&
-+ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+ status = INTEGRITY_PASS;
- }
- integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
- ima_audit_measurement(iint, pathname);
-
- out_digsig:
-- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+ !(iint->flags & IMA_NEW_FILE))
- rc = -EACCES;
- kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
-
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+ struct integrity_iint_cache *iint;
-+ struct inode *inode;
-+ int must_appraise;
-+
-+ if (!dentry || !dentry->d_inode)
-+ return;
-+
-+ inode = dentry->d_inode;
-+ if (inode->i_size != 0)
-+ return;
-+
-+ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+ if (!must_appraise)
-+ return;
-+
-+ iint = integrity_inode_get(inode);
-+ if (iint)
-+ iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
- * ima_module_check - based on policy, collect/store/appraise measurement.
- * @file: pointer to the file to be measured/appraised
- *
---
-2.5.0
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-
-However, that hardening ignores and breaks some valid use cases:
-- File hashes might not be set because the file is currently
- outside of the policy and therefore have to be set by the
- creator. Examples:
- - Booting into an initramfs with an IMA-enabled kernel but
- without setting an IMA policy, then installing
- the OS onto the target partition by unpacking a rootfs archive
- which has the file hashes pre-computed.
- - Unpacking a file into a staging area with meta data (like owner)
- that leaves the file outside of the current policy, then changing
- the meta data such that it becomes part of the current policy.
-- "should not be set manually" implies that the creator is aware
- of IMA semantic, the current system's configuration, and then
- skips setting file hashes in security.ima if (and only if) the
- kernel would prevent it. That's not the case for standard, unmodified
- tools. Example: unpacking an archive with security.ima xattrs with
- bsdtar or GNU tar.
-
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
- result = ima_protect_xattr(dentry, xattr_name, xattr_value,
- xattr_value_len);
- if (result == 1) {
-- bool digsig;
--
- if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
- return -EINVAL;
-- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
-- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
-- return -EPERM;
-- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+ ima_reset_appraise_flags(d_backing_inode(dentry),
-+ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
- result = 0;
- }
- return result;
---
-2.1.4
-
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
new file mode 100644
index 0000000..d7d80a6
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,45 @@
+CONFIG_KEYS=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
+# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
+# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_APPRAISE_SIGNED_INIT=y
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+# CONFIG_EVM_LOAD_X509 is not set
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc
new file mode 100644
index 0000000..6eb84b0
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable IMA"
+
+kconf non-hardware ima.cfg
+
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 3ab53e5..7016800 100644
--- a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,4 +1,14 @@
-KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+FILESEXTRAPATHS:append := "${THISDIR}/linux:"
+
+SRC_URI += " \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+"
+
+do_configure:append() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+ fi
+}
KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..3624576
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,35 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ if (mode_str)
+ st.st_mode = strtoul(mode_str, NULL, 10);
+
+- if (!evm_immutable) {
++ if (!evm_immutable && !evm_portable) {
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+
+---
+2.39.2
+
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
similarity index 71%
rename from meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
rename to meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
index 873aeeb..8ac080c 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -6,8 +6,13 @@
DEPENDS:class-native += "openssl-native keyutils-native"
-SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
-SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+ https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+ file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
inherit pkgconfig autotools features_check
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@
dont_appraise fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC
+# Appraise executables
+appraise func=BPRM_CHECK
diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -36,13 +35,15 @@
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
- -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
-CA $CA -CAkey $CAKEY -CAcreateserial \
-outform DER -out x509_ima.der
diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
- -x509 -config $GENKEY \
- -outform DER -out x509_ima.der -keyout privkey_ima.pem