subtree updates
meta-security: 53c5cc794f..ddf301c45c:
Adrian Zaharia (1):
libmhash: fix multilib header conflict - mutils/mhash_config.h
Alexander Kanavin (1):
maintainers.inc: rename to avoid clashes with oe-core
Armin Kuster (15):
meta-tpm: rename recipes-tpm to recipes-tpm1
recipes-tpm: use this for common tpm recipes
swtpm: update to 0.8.0
libtpm: update to 0.9.6
ossec-hids: update to tip of 3.7.0
libhtp: update to 0.5.43
suricata: update to 6.0.11
fscryptctl: update to 1.0.1
oeqa: fix hash test to match new changes
integrity-image-minimal: adapt QEMU cmdline to new changes
lynis: Add decoding OE and Poky
os-release.bbappend: drop now CPE_NAME is in core
openembedded-release: drop as os-release does this now
tpm2-tss: drop vendor from PACKAGECONFIG
packagegroup-security-tpm2: restore pkgs removed earlier
Paul Gortmaker (4):
dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
dm-verity: don't make read-only-rootfs sound like a requirement
dm-verity: document the meta-intel dependency in the systemd example
dm-verity: add x86-64 systemd based example instructions
Peter Hoyes (1):
meta-parsec/layer.conf: Insert addpylib declaration
Peter Kjellerstedt (1):
tpm2-tools: Remove unnecessary and optional dependencies
Stefan Berger (12):
ima: Document and replace keys and adapt scripts for EC keys
ima: Fix the ima_policy_appraise_all to appraise executables & libraries
ima: Fix the IMA kernel feature
ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
ima: Sign all executables and the ima-policy in the root filesystem
integrity: Update the README for IMA support
linux: overlayfs: Add kernel patch resolving a file change notification issue
ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
linux: overlayfs: Drop kernel patch resolving a file change notification issue
ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
integrity: Fix the do_configure function
integrity: Rename linux-%.bbappend to linux-yocto%.bbappend
meta-raspberrypi: bf948e0aa8..928bb234bb:
Martin Jansa (3):
rpi-libcamera-apps: fix flags used in aarch64 builds
rpi-libcamera-apps: fix version generation on hosts with older python
rpi-libcamera-apps: bump to latest SRCREV and set PV
meta-arm: 0b5724266a..f9d80e1a14:
Emekcan Aras (2):
arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..98c4bc1 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@
# with a .x509 suffix. See linux-%.bbappend for details.
#
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
# Sign all regular files by default.
IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@
# Avoid re-generating fstab when ima is enabled.
WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
@@ -59,17 +62,32 @@
perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
fi
- # Sign file with private IMA key. EVM not supported at the moment.
- bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
- find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
- bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
- find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+ # Detect 32bit target to pass --m32 to evmctl by looking at libc
+ tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+ if [ "${tmp}" = "ELF 32-bit" ]; then
+ evmctl_param="--m32"
+ elif [ "${tmp}" = "ELF 64-bit" ]; then
+ evmctl_param=""
+ else
+ bberror "Unknown target architecture bitness: '${tmp}'" >&2
+ exit 1
+ fi
+
+ bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+ # check signing key and signature verification key
+ evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+ evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
# Optionally install custom policy for loading by systemd.
- if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ if [ "${IMA_EVM_POLICY}" ]; then
install -d ./${sysconfdir}/ima
rm -f ./${sysconfdir}/ima/ima-policy
- install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+ bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
fi
}