subtree updates
meta-openembedded: f3018013ff..3b245e4fe8:
Adrian Bunk (8):
Remove start-stop-daemon
dvb-apps: Remove workaround patch for ancient target compilers
Remove ipsec-tools and umip
gpsd: Switch PACKAGECONFIG[qt] from Qt4 to Qt5
samba: Upgrade 4.8.11 -> 4.8.12
recipes-devtools: Move back from meta-networking to meta-perl
wireless-regdb: Upgrade 2019.03.01 -> 2019.06.03
mcelog: Remove manual RDEPENDS from PN-ptest to PN package
Alejandro del Castillo (1):
apache2: add all extra/*.conf to conffiles
Alistair Francis (1):
python-obd: Uprade from 0.7.0 to 0.7.1
Andreas Müller (1):
python-six: put python2/3 variant together
Andrei Gherzan (2):
modemmanager: Update to 1.10.0
networkmanager: Update to 1.18.0
Ankit Navik (1):
safec: Initial recipe for safe C library
Carlos Rafael Giani (1):
openh264: Fix armv7ve build
Changqing Li (11):
syslog-ng: add rconflict for package syslog-ng-libs
netkit-telnet: add rconflicts
samba/libldb: add rconflicts
php-fpm-apache: fix module path
phoronix-test-suite: upgrade from 8.6.0 -> 8.8.1
python-pygobject: upgrade 3.28.3 -> 3.32.1
rrdtool: upgrade 1.7.1 -> 1.7.2
php: upgrade 7.3.4 -> 7.3.6
xf86-video-ati: upgrade 18.0.1 -> 19.0.1
pavucontrol: upgrade 3.0 -> 4.0
multipath-tools: upgrade 0.8.0 -> 0.8.1
Herman van Hazendonk (1):
Geoclue: Update to 2.5.3
Hongxu Jia (4):
rrdtool: improve reproducibility
crash: do not use unstable github archive tarballs
postgresql: improve reproducibility
net-snmp: split net-snmp-config to package net-snmp-dev
Hongzhi.Song (1):
spice: fix compile errors on 32bit system
Horvath, Chris (1):
lcov: Upgrade 1.11 -> 1.14
James Feist (1):
libgpiod: Enable cxx bindings by default
Kai Kang (16):
xfce4-session: 4.13.1 -> 4.13.2
xfce4-screensaver: add recipe
packagegroup-xfce-extended: add xfce4-screensaver
lxdm: provides fake gdmflexiserver for xfce desktop environment
thunar: 1.8.4 -> 1.8.6
xfdesktop: 4.13.3 -> 4.13.4
xfce4-panel: 4.13.4 -> 4.13.5
thunar-volman: 0.9.1 -> 0.9.2
xfce4-appfinder: 4.13.2 -> 4.13.3
libxfce4util: 4.13.2 -> 4.13.3
xfwm4: 4.13.1 -> 4.13.2
xfconf: 4.13.6 -> 4.13.7
libxfce4ui: 4.13.4 -> 4.13.5
xfce4-power-manager: 1.6.1 -> 1.6.2
xfce4-settings: set default theme Adwaita
lxdm: provides fake gdmflexiserver for xfce desktop environment
Khem Raj (8):
libnfc: Fix build with musl
openocd: Fix build on x86_64
spice,spice-protocol: Uprev to 0.14.0
udisks: Install bash_completion script in OE familiar dir
udisks: Remove bash dependency
python-jsmin,python-pytoml,python-which: Add recipes
mozjs: Upgrade to version 60.x
polkit: Upgrade to 0.116
Liwei Song (1):
turbostat: copy bits.h from kernel to turbostat
Marek Belisko (1):
libsrtp: Fix compilation and add pkgconfig
Martin Jansa (17):
igmpproxy: remove 0001-src-igmpproxy.h-Include-sys-types.h-for-u_short-u_in.patch and _GNU_SOURCE
ne10, libopus: add armv7ve override as well
pidgin: upgrade to 2.13.0
funyahoo-plusplus, icyque, pidgin-sipe, purple-skypeweb: add couple plugins for pidgin
hunspell: use git fetcher instead of github archive
hunspell-dictionaries: import from meta-luneos to make hunspell in meta-oe a bit more useful
ttf-mplus, ttf-vlgothic: add ttf-mplus license
android-tools-conf: import one more improvement for android-gadget-setup from meta-luneos
uriparser: upgrade to 0.9.3
libmikmod: fix SRC_URI
leptonica: fix SRC_URI
libmikmod: upgrade to 3.3.11.1
open-vm-tools: refresh the patches so that they can be easily applied with devtool or git am
open-vm-tools: import gcc9 fixes from fedora
spice: append to CFLAGS instead of +=
cpprest: temporary ignore deprecated-copy and redundant-move errors detected by gcc9
oprofile: drop virtual/kernel dependency and switch back to TUNE_PKGARCH
Mingli Yu (4):
mariadb: Upgrade to 10.3.15
kea: Upgrade to 1.5.0
hwloc: Upgrade to 1.11.12
kea: replace -Og with -O
Naveen Saini (1):
pm-graph: add recipe
Oleksandr Kravchuk (12):
opensaf: update to 5.19.03
python-ldap: update to 3.2.0
rp-pppoe: update to 3.13
atftp: update to 0.7.2
ipcalc: update to 2.2.3
mtr: update to 0.92
nbd: update to 3.19
mdns: update to 878.200.35
lldpd: update to 1.0.3
libp11: update to 0.4.10
nano: update to 4.2
libspatialite: update to 4.3.0a
Ovidiu Panait (1):
xfsprogs: Fix host contamination
Paolo Valente (1):
s-suite: push SRCREV to version 3.4
Pascal Bach (1):
rocksdb: 5.18.3 -> 6.0.2
Qi.Chen@windriver.com (2):
polkit: fix CVE-2019-6133
.gitignore: add *.pyc and *.pyo
Randy MacLeod (1):
imagemagick: update from 7.0.8-43 to 7.0.8-47
Robert Joslyn (4):
cryptsetup: Add PACKAGECONFIG options
lmsensors: Update to 3.5.0
xfce4-session: Add xrdb RDEPENDS
xfce4-session: Reformat DEPENDS and RDEPENDS
Slater, Joseph (1):
php-7: mark two tests as expected to fail
Stefan Agner (1):
haveged: fix CPU cache size detection
Tim Orling (13):
libterm-readkey-perl: upgrade 2.37 -> 2.38; fix upstream check; enable ptest
libtest-deep-perl: add recipe for v1.128
libcgi-perl: upgrade 4.38 -> 4.43; enable ptest
libcrypt-openssl-guess-perl: rename from libcrypt-openssl-guess; enable ptest
libcrypt-openssl-rsa-perl: upgrade 0.30 -> 0.31; enable ptest
libcrypt-openssl-random-perl: upgrade 0.11 -> 0.15; enable ptest
libextutils-installpaths-perl: upgrade 0.011 -> 0.012; enable ptest
libexutils-config-perl: enable ptest
libhtml-tagset-perl: add recipe for v3.20
libhtml-parser-perl: enable ptest
libstrictures-perl: upgrade 2.000003 -> 2.000006; enable ptest
libxml-libxml-perl: enable ptest
libcapture-tiny-perl: upgrade 0.46 -> 0.48; enable ptest
William A. Kennington III via Openembedded-devel (1):
cli11: 1.6.2 -> 1.7.1
Yi Zhao (8):
python-ldap: add python-pyasn1 and python-pyasn1-modules as runtime dependencies
fuse: upgrade 2.9.8 -> 2.9.9
yaffs2-utils: update to latest master
xfsprogs: upgrade 4.18.0 -> 5.0.0
fcgi: upgrade 2.4.1+git -> 2.4.2
xdebug: upgrade 2.7.0RC2 -> 2.7.2
phpmyadmin: upgrade 4.8.5 -> 4.9.0.1
openipmi: upgrade 2.0.25 -> 2.0.27
Zang Ruochen (13):
python-pywbem: solved the conflict with python3-pywbem
python3-pywbem:solved the conflict with python-pywbem
python-pbr: upgrade 5.2.0 -> 5.2.1
python-mako: upgrade 1.0.10 -> 1.0.12
python-babel: upgrade 2.6.0 -> 2.7.0
python-cachetools: upgrade 3.1.0 -> 3.1.1
python-cryptography: upgrade 2.6.1 -> 2.7
python-cryptography-vectors: upgrade 2.6.1 -> 2.7
python-cython: upgrade 0.29.7 -> 0.29.10
python-lxml: upgrade 4.3.3 -> 4.3.4
python-psutil: upgrade 5.6.2 -> 5.6.3
python-requests: upgrade 2.21.0 -> 2.22.0
python-urllib3: upgrade 1.25.2 -> 1.25.3
nick83ola (5):
nginx: update to version 1.17.0
nginx: update stable version to 1.16.0
nginx: add PACKAGECONFIG[http-auth-request]
nginx: fix kill path in nginx systemd unit file
uthash: do not use unstable github archive tarballs
thstead (1):
Upgraded python-pysnmp from version 4.3.5. to 4.4.9.
Łukasz Łaguna (1):
gsl: update to version 2.5
meta-security: 9f5cc2a7eb..c28b72e91d:
Armin Kuster (17):
checksec: update to 1.11.1
keyutils: fix library install path
checksec: add runtime test
meta-integrity: port over from meta-intel-iot-security
layer.conf: add LAYERSERIES_COMPAT
README: update
ima-evm-utils: cleanup and update to tip
ima.cfg: update to 5.0 kernel
linux: update bbappend
base-files: add appending to automount securityfs
ima-policy-hashed: add new recipe
ima_policy_simple: add another sample policy
policy: add ima appraise all policy
data: remove policies
initramfs: clean up to pull in packages.
runtime qa: moderize ima test
image: add image for testing
Changqing Li (1):
samhain: add rconflict for client and server mode
Zang Ruochen (4):
bastille: solved the conflict with perl-module-text-wrap and base-files
python-scapy: Remove redundant sed operations
python-scapy: solved the conflict with python3-scapy
python3-scapy: solved the conflict with python-scapy
leimaohui (1):
python3-fail2ban: Fix build error of xrange.
poky: 797916f93a..111b7173fe:
Adrian Bunk (25):
nss-myhostname: Stop trying to build for musl
systemd: Some upstreamable musl patches have been upstreamed
libnss-mdns: Stop trying to build for musl
icu: Remove workaround for musl issue fixed upstream 2 years ago
socat: Remove workaround for musl issue now fixed upstream
ofono: Use external ell instead of an internal copy
ofono: Fix another race condition during the build
squashfs-tools: Mark as incompatible with musl
apt: Remove workaround patches for no longer supported host distributions
m4/tar: Remove remove-gets.patch
pinentry: Switch pinentry-qt from Qt4 to Qt5
librsvg: Replace workaround for old host systems with upstream fix
vim: Move PACKAGECONFIG[gtkgui] from GTK 2 to GTK 3
Remove Go 1.11
go: Remove INSANE_SKIP_* textrel that are now handled in go.bbclass
dpkg: Remove workaround patches for no longer supported host distributions
lrzsz: Add implicit declaration fixes from Debian
tcp-wrappers: Add compile warning fixes from Debian
libpam: Upgrade 1.3.0 -> 1.3.1
vte: Fix the license information
gcc: Remove 0006-gcc-disable-MASK_RELAX_PIC_CALLS-bit.patch
openssl: Upgrade 1.1.1b -> 1.1.1c
Remove manual RDEPENDS from PN-ptest to PN package
ref-manual: Remove irda feature
lttng-modules: Upgrade 2.10.9 -> 2.10.10
Adrian Freihofer (3):
qemurunner: fix undefined variable
testimage: consider QB_DEFAULT_FSTYPE
runqemu: QB_FSINFO to support fstype wic images
Alejandro Enedino Hernandez Samaniego (1):
python-numpy: Avoid installing copy of f2py script
Alejandro Hernandez Samaniego (2):
newlib: Upgrade to 3.1.0
newlib: export CC_FOR_TARGET as CC
Alejandro del Castillo (1):
opkg-utils: upgrade to version 0.4.1
Alex Kiernan (2):
kernel-fitimage: uboot-sign: Check UBOOT_DTB_BINARY before adding deps
systemd: Backport OpenSSL BUF_MEM fix
Alexander Kanavin (53):
vim: split the common part into vim.inc
libpcre2: upgrade 10.32 -> 10.33
librepo: upgrade 1.9.6 -> 1.10.2
libmodulemd: upgrade 2.2.3 -> 2.4.0
libmodulemd: fix erroneous linking against v2 library when v1 was requested
createrepo-c: upgrade 0.12.2 -> 0.14.0
libdazzle: upgrade 3.32.1 -> 3.32.2
adwaita-icon-theme: upgrade 3.30.1 -> 3.32.0
bison: upgrade 3.1 -> 3.3.2
atk: upgrade 2.30.0 -> 2.32.0
python3-mako: upgrade 1.0.9 -> 1.0.10
nss: upgrade 3.43 -> 3.44
go: update 1.12.1->1.12.5
systemtap: upgrade 4.0 -> 4.1
gawk: upgrade 4.2.1 -> 5.0.0
alsa-plugins: upgrade 1.1.8 -> 1.1.9
alsa-utils: upgrade 1.1.8 -> 1.1.9
alsa-lib: upgrade 1.1.8 -> 1.1.9
lz4: upgrade 1.9.0 -> 1.9.1
libxcrypt: upgrade 4.4.4 -> 4.4.6
python3-pip: upgrade 19.0.3 -> 19.1.1
pkgconf: upgrade 1.6.0 -> 1.6.1
at-spi2-core: upgrade 2.30.0 -> 2.32.1
at-spi2-atk: upgrade 2.30.0 -> 2.32.0
glib-networking: upgrade 2.60.1 -> 2.60.2
libsoup-2.4: upgrade 2.66.1 -> 2.66.2
x264: upgrade to latest revision
linux-firmware: upgrade to latest revision
python3-pbr: upgrade 5.1.3 -> 5.2.0
bash-completion: upgrade 2.8 -> 2.9
gst-examples: upgrade to 1.16.0
acpica: upgrade 20190405 -> 20190509
freetype: upgrade 2.9.1 -> 2.10.0
usbutils: upgrade 010->012
webkitgtk: update to 2.24.2
epiphany: update to 3.32.2
btrfs-tools: update to 5.1
iproute2: upgrade 5.0.0 -> 5.1.0
chkconfig: do not use unstable github archive tarballs
chkconfig: fix upstream version check
perl: update to 5.30.0
piglit: upgrade to latest revision
ccache: fix upstream version check
Revert "ncurses: fix incorrect UPSTREAM_CHECK_GITTAGREGEX"
sysstat: add UPSTREAM_VERSION_UNKNOWN
python3-pygments: add a recipe
gtk-doc: upgrade 1.29 -> 1.30
libpsl: fix the gtk-doc 1.30 build
source-highlight: remove the recipe
mesa-demos: update to 8.4.0
glib-2.0: udpate 2.58.3 -> 2.60.3
gdk-pixbuf: update 2.38.0 -> 2.38.1
gtk+3: update 3.24.5 -> 3.24.8
Alistair Francis (3):
gdb: Upgrade from 8.2.1 to 8.3
gnu-config: Update to latest SHA
qemu: Backport the arm segfault fix
Andreas Müller (1):
gsettings-desktop-schemas: upgrade 3.28.1 -> 3.32.0
Andrei Gherzan (1):
ca-certificates: Fix openssl runtime dependencies
Anuj Mittal (8):
Revert "image_types: use pigz to create .gz files"
Revert "pigz: pigz is not gzip"
libva: upgrade 2.4.0 -> 2.4.1
ffmpeg: add PACKAGECONFIG for mfx
libpam: fix upstream version check
serf: cleanup recipe
scons: inherit python3native
python3-scons: fix regex replacing python by python3
Bonnans, Laurent (1):
kernel-uboot: compress arm64 kernels
Bruce Ashfield (11):
linux-yocto/5.0: update to v5.0.13
linux-yocto/4.19: update to v4.19.40
linux-yocto/4.19: update to v4.19.44
kernel: package modules.builtin.modinfo
linux-yocto-dev: bump to v5.2-rc
linux-yocto/5.0: update to v5.0.17
linux-yocto-rt/5.0: update to -rt9
linux-yocto/5.0: update to v5.0.19
linux-yocto-rt/5.0: update to -rt11
linux-yocto/5.0: fix systemtap on arm
linux-yocto: ptest: Add SCSI debug configuration for util-linux
Carlos Rafael Giani (6):
gstreamer1.0-plugins-base: upgrade to version 1.16.0
gstreamer1.0-plugins-good: upgrade to version 1.16.0
gstreamer1.0-plugins-bad: upgrade to version 1.16.0
gstreamer1.0-plugins-ugly: upgrade to version 1.16.0
gstreamer1.0-libav: upgrade to version 1.16.0
gstreamer1.0-vaapi: upgrade to version 1.16.0
Changqing Li (8):
connman: add networkmanager as rconflict
dropbear: add openssh/openssh-sshd as rconflict
busybox-inittab/sysvinit-inittab: add rconflicts
inetutils: fix wrong package name
systemd: add rconflicts
tiny-init: add rconflicts
multilib: add override for image recipe
qemu: fix qemu ptest cannot work
Chee Yang Lee (3):
wic: bootimg-efi: add label source parameter
wic/engine: include .wks.in in wic search and list
wic/plugins: kernel image refer to KERNEL_IMAGETYPE
Chen Qi (5):
libxfont2: set CVE_PRODUCT
systemd: avoid musl specific patches affect glibc systems
util-linux: upgrade to 2.33.2
oescripts.py: avoid error when cairo module is not available
context.py: fix skipping function
Chris Laplante (5):
base.bbclass: Add OE_EXTRA_IMPORTS
bitbake: knotty: allow progress rate for indeterminate bars
bitbake: build: extract progress handler creation logic into its own method
bitbake: build/progress: use context managers for progress handlers
bitbake: build: implement custom progress handlers injected via OE_EXTRA_IMPORTS
David Frey (1):
bluez5: manage udev dependency with PACKAGECONFIG
David Reyna (1):
bitbake: toaster: Fix Thud Bitbake release metadata
Diego Rondini (1):
bluez5: fix obex packaging
Douglas Royds via Openembedded-core (1):
json-c: Backport --disable-werror patch to allow compilation under icecc
Fabio Berton (3):
mesa: Update 19.0.3 -> 19.0.5
mesa: Update 19.0.5 -> 19.0.6
mesa: Update 19.0.6 -> 19.1.0
Filip Jareš (1):
recipes: Fix license "names"/versions.
Haiqing Bai (1):
kernel.bbclass: Make task clean depend on cleaning of make-mod-scripts
He Zhe (1):
lttng-modules: Add git based recipe
Hongxu Jia (5):
grub/grub-efi: fix unrecognized command line option '-pipe-Wno-error' in CFLAGS
lib/oe/reciputils.py: support character `+' in git pv
groff: improve reproducibility
diffutils/run-ptest: support to run at arbitrary path
openssh: fix potential signed overflow in pointer arithmatic
Jaewon Lee (2):
gstreamer1.0-python_1.16.0.bb: Override libpython dir
devicetree.bbclass: Combine stderr into stdout to see actual dtc error
Jean-Marie LEMETAYER (4):
npm: get npm package name from npm pack
npm: fix node and npm default directory conflict
npm: remove some temporary build files
bitbake: bitbake: fetch2/npm: fix npw view parsing
Jiping Ma (1):
dhcp:"dhclient -x eth0" action is not correct.
Joe Slater (1):
slang: modify an array test
Jon Mason (2):
resulttool: modify to be multi-machine
resulttool: Remove prints if no tests occur
Jonathan Rajotte (4):
lttng-tools: prevent test timeout when lttng-modules is not present
lttng-tools: add lttng-modules to ptest dependencies
liburcu: update to 0.11.0
liburcu: update to 0.11.1
Joshua Watt (11):
avahi: Add PACKAGECONFIG for libdns_sd
perl: Preserve attributes when applying cross files
btrfs-tools: Pass DEBUG_MAP_PREFIX flags to Python
bitbake: bitbake: cooker: Rename __depends in all multiconfigs
bitbake: bitbake: Show base multiconfig environment
perl: Set build date to SOURCE_DATE_EPOCH
glibc-locale: DEPEND on virtual/libc
zip: Remove build date to improve reproducibility
classes/package: Sort ELF file list
bash: Replace uninative loader path in ptest
oeqa: Add reproducible build selftest
Kai Kang (3):
systemd-conf: configure wired network with dhcp
qemu/qemu-system-native: depend bison-native
openssl: fix failure of ptest test_shlibload
Kevin Hao (3):
runqemu: Add the support to pass multi ports to tcpserial parameter
oeqa/utils/qemurunner: Set both the threadport&serverport with tcpserial parameter
tune-thunderx: Set the correct PACKAGE_EXTRA_ARCHS_tune-thunderx
Khem Raj (6):
mesa: Fix a case when gbm is enabled but DRIDRIVERS is not defined
ofono: Add TEMP_FAILURE_RETRY optional definition
Revert "musl: Add TEMP_FAILURE_RETRY from glibc"
binutils: Workaround mips assembler crash on target
musl: Upgrade to master tip
gdb: Let gdbserver be empty for riscv64
Lei Maohui (1):
meson.bbclass: Make meson support aarch64_be.
Luca Boccassi (2):
python*-setuptools: add separate packages for pkg_resources module
mdadm: use ${systemd_unitdir} rather than /lib/systemd
Maciej Pijanowski (1):
recipetool: add python3 support
Mariano López (3):
util-linux: Add missing ptest dependencies
util-linux: Stop udevd to run ptests
linux-yocto: Add scsi_debug module when ptest is in DISTRO_FEATURES
Mark Hatle (1):
bitbake: svn.py: Stop SVN from directly pulling from an external layer w/o fetcher
Martin Jansa (5):
python: add a fix for CVE-2019-9948 and CVE-2019-9636
glib-networking: add PACKAGECONFIG for openssl
bc: use u-a for bc as well
opkg-utils: fix opkg-list-fields script
pigz: install pigz, unpigz, pigzcat in native and nativesdk builds again
Matthias Schiffer (1):
bitbake: fetch2: runfetchcmd(): unset _PYTHON_SYSCONFIGDATA_NAME
Matthias Schoepfer via Openembedded-core (1):
python3: fix build on softfloat mips
Michael Ho (1):
base.bbclass: add named SRCREVs to the sstate hash
Mike Crowe (1):
cmake: Avoid passing empty prefix to os.path.relpath
Mingli Yu (3):
elfutils: fix ptest failures
dbus: Upgrade to 1.12.16
dbus-test: Upgrade 1.12.16
Nicola Lunghi (3):
connman: fix segfault with musl >v1.1.21
rng-tools: recipe cleanup
rng-tools: harmonise systemd and sysvinit
Oleksandr Kravchuk (6):
ethtool: update to 5.1
file: update to 5.37
p11-kit: update to 0.23.16.1
popt: fix SRC_URI
selftest/devtool: fix URI to MarkupSafe package
bitbake: cooker: list all nonexistent bblayer directories
Oliver Stäbler (1):
packagegroup-core-full-cmdline: Make nfs-utils/rpcbind optional
Peter Kjellerstedt (3):
texinfo-dummy-native: A little clean up of template.py
texinfo-dummy-native: Rewrite template.py to use argparse
package.bbclass: Clean up writing of runtime pkgdata files
Philippe Normand (9):
gstreamer1.0: upgrade to version 1.16.0
gstreamer1.0-omx: upgrade to version 1.16.0
gstreamer1.0-rtsp-server: upgrade to version 1.16.0
gstreamer1.0-python: upgrade to version 1.16.0
gst-validate: upgrade to version 1.16.0
cmake: Use compiler launcher variable when ccache is enabled
at-spi2: Make X11 support truly optional
gnutls: Use ca-certificates as default trust store file
gnutls: Use the sysconfdir variable for the ca-certificates path
Quentin Schulz (2):
meta: license: fix non-SPDX license being removed from INCOMPATIBLE_LICENSE
selftests: add tests for INCOMPATIBLE_LICENSE
Randy MacLeod (6):
valgrind: Make ptest timestamps copasetic
valgrind: add 'file' to ptest depends
util-linux: add setpriv utility
libcap-ng: split into libcap-ng/libcap-ng-python
ptest-runner: enable child procs as session leader
bash: use setpriv, sed.sed to run ptests
Richard Purdie (46):
perl-rdepends: Add missing module dependencies
bash: Fix bash-ptest dependencies
openssh: Add sudo dependency for ptest
libpcre: Add make dependency for ptest
m4: Add coreutils and diffutils dependency for ptest
perl/modules: Add various missing ptest perl module dependencies
layer.conf: Whitelist lttng-tools->lttng-modules dependency
tcmode-default: Make gcc9 the default
lttng-tools: Fix patch Upstream-Status
mesa: Fix patch Upstream-Status
uninative-tarball: Fix file generation after class changes
populate_sdk_base: Use highest compression level for xz
uninative-tarball: Use xz compression and SDK_ARCHIVE_CMD
strace: Tweak ptest disk space management
ptest-packagelists: Add mdadm
util-linux: Fix ptest dependencies
mdadm: Add missing ptest dependency
yocto-uninative: Update to 2.5 release
uninative: Switch from bz2 to xz
bitbake: main: Fix error message typo
qemuarm64: Add QB_CPU_KVM to allow kvm acceleration
runqemu: Add support for kvm on aarch64
useradd: Fix build architecture corruption of sstate artefacts
useradd: Ensure do_populate_sysroot has dependency on useradd variables
beaglebone-yocto: Add missing wic image u-boot deploy dependency
quilt: Add patch depends for quilt-ptest
libtest-needs-perl: Fix ptest dependencies
libtimedate-perl: Fix ptest dependencies
perl: Add missing perl module dependency
liburi-perl: Fix module ptest dependencies
libconvert-aan1-perl: Fix module and ptest dependencies
libxml-sax-perl: Fix module ptest dependencies
libxml-perl: Fix module and ptest dependencies
e2fsprogs: Fix missing ptest dependencies
glib-2.0: ptest fixes
openssh: Add missing ptest dependency on coreutils
gpg_sign/selftest: Fix secmem parameter handling
gawk: ptest fixes
openssh: Document skipped test dependency
multiconfig: Adapt to bitbake switch 'multiconfig' -> 'mc'
bitbake: multiconfig: Switch from 'multiconfig' -> 'mc'
bitbake: cooker: Add compability handling for multiconfig: prefix migration
build-appliance-image: Update to master head revision
bitbake: cooker: Ensure mcdeps are processed even if only one multiconfig
perl: Fix setgroup call regression from 5.30
perl: Move perl-sanity -> perl
Ross Burton (13):
insane: add sanity checks to SRC_URI
libidn2: upgrade to 2.2.0
local.conf.sample: change default MACHINE to qemux86-64
libical: tidy up Perl finding
wic/filemap: handle FIGETBSZ failing
libxslt: add comment saying when a workaround can be removed
parted: swap patches for the commits that landed upstream
parted: drop patch for linux <2.6.20 support
python-nose: python3-nose should be default
bluez: fix test case failures with GCC 9
efivar: add
efibootmgr: add
gstreamer1.0-libav: disable API documentation
Sakib Sajal (4):
bash: add iso8859-1 gconv RDEPENDS needed by bash-ptest.
bash: add big5hkscs gconv RDEPENDS needed by bash-ptest.
bash: run bash ptest as non-root user
ptest-runner: update SRCREV to latest HEAD on ptest-runner2 repo
Scott Rifenbark (17):
sdk-manual: Added link to BB manual fetcher section.
ref-manual: Updated "do_fetch" to have a link to "Fetchers"
dev-manual, ref-manual: removed "distrodata" class
ref-manual: Removed bugzilla.bbclass
ref-manual: Removed "distutils-tools" class.
ref-manual: Udated devtool help output examples.
ref-manual: New section "Checking Upgrade Status of a Recipe"
dev-manual: Added check-upgrade-status blurb to upgrading recipes
ref-manual: do_checkpkg - added link to checking upgrade status
ref-manual: Updates to check-recipe-upgrade devtool command
ref-manual: Grammar correction
dev-manual: Added new section for creating NPM packages
Makefile: Updated to support new NPM package creation section
dev-manual: Updated the "Working with Packages" list
ref-manual: Updated "npm.bbclass" section.
overview-manual: Updated SCM section
dev-manual: Fixed grammar issue.
Tim Orling (8):
libxml-parser-perl: fix ptest dependencies
perl-rdepends.txt: improve dependencies for perl module ptests
perl: install Config_git.pl
perl-rdepends.txt: fix perl-module-data-dumper dependencies
python3-scons-{native}: add recipe for v3.0.5
scons.bbclass: use python3-scons
serf: switch to python3-scons-native
oeqa/runtime: add simple test for scons
Tom Rini (2):
vim: Rework things so vim adds features not vim-tiny removes
vim: Update to 8.1.1518 to fix CVE-2019-12735
Yeoh Ee Peng (3):
resulttool/resultutils: Enable add extra configurations to results
resulttool/store: Enable add EXECUTED_BY config to results
resulttool/merge: Enable control TESTSERIES and extra configurations
Zang Ruochen (3):
openssh: Upgrade 7.9p1 -> 8.0p1
dbus: Upgrade 1.12.12 -> 1.12.14
dbus-test: Upgrade 1.12.12 -> 1.12.14
Zhixiong Chi (2):
gcc: reduce the variables in symtab
gcc: CVE-2018-12886
sangeeta jain (1):
resulttool/manualexecution: Enable creation of test case configuration
meta-raspberrypi: 7059c37451..40283f583b:
Andrei Gherzan (1):
gstreamer1.0-omx: Forward port bbappend and patches to v1.16.x
Khem Raj (4):
linux-raspberrypi_4.19.bb: Update to 4.19.44
rpi-default-versions: Switch defaults to 4.19
userland: Update to 20190501
firmware: Update 20190220 -> 20190517
malus-brandywine (1):
sdcard_image-rpi : minor bug in use of FATPAYLOAD
Change-Id: Idab4e8c2666bc776d0b47988a32dcb9f04885aff
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py
new file mode 100644
index 0000000..ff6d2f3
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -0,0 +1,33 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class CheckSecTest(OERuntimeTestCase):
+
+ @OEHasPackage(['checksec'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_checksec_help(self):
+ status, output = self.target.run('checksec --help ')
+ msg = ('checksec command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
+ def test_checksec_xml(self):
+ status, output = self.target.run('checksec --format xml --proc-all')
+ msg = ('checksec xml failed. Output: %s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['checksec.CheckSecTest.test_checksec_xml'])
+ def test_checksec_fortify(self):
+ status, output = self.target.run('checksec --fortify-proc 1')
+ match = re.search('FORTIFY_SOURCE support:', output)
+ if not match:
+ msg = ('checksec : fortify-proc failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 1, msg = msg)
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
new file mode 100644
index 0000000..5bef76e
--- /dev/null
+++ b/meta-security/meta-integrity/README.md
@@ -0,0 +1,250 @@
+This README file contains information on the contents of the
+integrity layer.
+
+Please see the corresponding sections below for details.
+
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/bitbake
+ branch: master
+
+ URI: git://git.openembedded.org/openembedded-core
+ layers: meta
+ branch: master
+
+ URI: git://github.com/01org/meta-security/meta-integrate
+ layers: security-framework
+ branch: master
+
+
+Patches
+=======
+
+For discussion or patch submission via email, use the
+yocto@yoctoproject.org mailing list. When submitting patches that way,
+make sure to copy the maintainer and add a "[meta-integrity]"
+prefix to the subject of the mails.
+
+Maintainer: Armin Kuster <akuster808@gmail.com>
+
+
+Table of Contents
+=================
+
+1. Adding the integrity layer to your build
+2. Usage
+3. Known Issues
+
+
+1. Adding the integrity layer to your build
+===========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming the security repository exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the integrity layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+ BBLAYERS ?= " \
+ /path/to/yocto/meta \
+ /path/to/yocto/meta-yocto \
+ /path/to/yocto/meta-yocto-bsp \
+ /path/to/yocto/meta-security/meta-integrity \
+ "
+
+It has some dependencies on a suitable BSP; in particular the kernel
+must have a recent enough IMA/EVM subsystem. The layer was tested with
+Linux 3.19 and uses some features (like loading X509 certificates
+directly from the kernel) which were added in that release. Your
+mileage may vary with older kernels.
+
+The necessary kernel configuration parameters are added to all kernel
+versions by this layer. Watch out for QA warnings about unused kernel
+configuration parameters: those indicate that the kernel used by the BSP
+does not have the necessary IMA/EVM features.
+
+Adding the layer only enables IMA (see below regarding EVM) during
+compilation of the Linux kernel. To also activate it when building
+the image, enable image signing in the local.conf like this:
+
+ INHERIT += "ima-evm-rootfs"
+ IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+
+This uses the default keys provided in the "data" directory of the layer.
+Because everyone has access to these private keys, such an image
+should never be used in production!
+
+For that, create your own keys first. All tools and scripts required
+for that are included in the layer. This is also how the
+``debug-keys`` were generated:
+
+ # Choose a directory for storing keys. Preserve this
+ # across builds and keep its private keys secret!
+ export IMA_EVM_KEY_DIR=/tmp/imaevm
+ mkdir -p $IMA_EVM_KEY_DIR
+ # Build the required tools.
+ bitbake openssl-native
+ # Set up shell for use of the tools.
+ bitbake -c devshell openssl-native
+ cd $IMA_EVM_KEY_DIR
+ # In that shell, create the keys. Several options exist:
+
+ # 1. Self-signed keys.
+ $IMA_EVM_BASE/scripts/ima-gen-self-signed.sh
+
+ # 2. Keys signed by a new CA.
+ # When asked for a PEM passphrase, that will be for the root CA.
+ # Signing images then will not require entering that passphrase,
+ # only creating new certificates does. Most likely the default
+ # attributes for these certificates need to be adapted; modify
+ # the scripts as needed.
+ # $IMA_EVM_BASE/scripts/ima-gen-local-ca.sh
+ # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh
+
+ # 3. Keys signed by an existing CA.
+ # $IMA_EVM_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
+ exit
+
+When using ``ima-self-signed.sh`` as described above, self-signed keys
+are created. Alternatively, one can also use keys signed by a CA. The
+``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
+supports adding tha CA's public key to the kernel's system keyring by
+compiling it directly into the kernel. Because it is unknown whether
+that is necessary (for example, the CA might also get added to the
+system key ring via UEFI Secure Boot), one has to enable compilation
+into the kernel explicitly in a local.conf with:
+
+ IMA_EVM_ROOT_CA = "<path to .x509 file, for example the ima-local-ca.x509 created by ima-gen-local-ca.sh>"
+
+
+
+
+To use the personal keys, override the default IMA_EVM_KEY_DIR in your
+local.conf and/or override the individual variables from
+ima-evm-rootfs.bbclass:
+
+ IMA_EVM_KEY_DIR = "<full path>"
+ IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>"
+
+By default, the entire file system gets signed. When using a policy which
+does not require that, the set of files to be labelled can be chosen
+by overriding the default "find" expression, for example like this:
+
+ IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f"
+
+
+2. Usage
+========
+
+After creating an image with IMA/EVM enabled, one needs to enable
+the built-in policies before IMA/EVM is active at runtime. To do this,
+add one or both of these boot parameters:
+
+ ima_tcb # measures all files read as root and all files executed
+ ima_appraise_tcb # appraises all files owned by root, beware of
+ # the known issue mentioned below
+
+Instead of booting with default policies, one can also activate custom
+policies in different ways. First, boot without any IMA policy and
+then cat a policy file into
+`/sys/kernel/security/ima/policy`. This can only be done once
+after booting and is useful for debugging.
+
+In production, the long term goal is to load a verified policy
+directly from the kernel, using a patch which still needs to be
+included upstream ("ima: load policy from the kernel",
+<https://lwn.net/Articles/595759/>).
+
+Loading via systemd also works with systemd, but is considered less
+secure (policy file is not checked before activating it). Beware that
+IMA policy loading became broken in systemd 2.18. The modified systemd
+2.19 in meta-security-smack has a patch reverting the broken
+changes. To activate policy loading via systemd, place a policy file
+in `/etc/ima/ima-policy`, for example with:
+
+ IMA_EVM_POLICY_SYSTEMD = "${IMA_EVM_BASE}/data/ima_policy_simple"
+
+To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
+
+To check that appraisal works, try modifying executables and ensure
+that executing them fails:
+
+ echo "foobar" >>/usr/bin/rpm
+ evmctl ima_verify /usr/bin/rpm
+ rpm --version
+
+Depending on the current appraisal policy, the `echo` command may
+already fail because writing is not allowed. If the file was modified
+and the current appraisal policy allows reading, then `evmctl` will
+report (the errno value seems to be printed always and is unrelated to
+the actual verification failure here):
+
+ Verification failed: 35
+ errno: No such file or directory (2)
+
+After enabling a suitable IMA appraisal policy, reading and/or
+executing the file is no longer allowed:
+
+ # evmctl ima_verify /usr/bin/rpm
+ Failed to open: /usr/bin/rpm
+ errno: Permission denied (13)
+ # rpm --version
+ -sh: /usr/bin/rpm: Permission denied
+
+Enabling the audit kernel subsystem may help to debug appraisal
+issues. Enable it by adding the meta-security-framework layer and
+changing your local.conf:
+ SRC_URI_append_pn-linux-yocto = " file://audit.cfg"
+ CORE_IMAGE_EXTRA_INSTALL += "auditd"
+
+Then boot with "ima_appraise=log ima_appraise_tcb".
+
+Adding auditd is not strictly necessary but helps to capture a
+more complete set of events in /var/log/audit/ and search in
+them with ausearch.
+
+
+3. Known Issues
+===============
+
+EVM is not enabled, for multiple reasons:
+* Signing files in advance with a X509 certificate and then not having
+ any confidential keys on the device would be the most useful mode,
+ but is not supported by EVM [1].
+* EVM signing in advance would only work on the final file system and thus
+ will require further integration work with image creation. The content
+ of the files can be signed for IMA in the rootfs, with the extended
+ attributes remaining valid when copying the files to the final image.
+ But for EVM that copy operation changes relevant parameters (for example,
+ inode) and thus invalidates the EVM hash.
+* On device creation of EVM hashes depends on secure key handling on the
+ device (TPM) and booting at least once in a special mode (file system
+ writable, evm=fix as boot parameter, reboot after opening all files);
+ such a mode is too device specific to be implemented in a generic way.
+
+IMA appraisal with "ima_appraise_tcb" enables rules which are too strict
+for most distros. For example, systemd needs to write certain files
+as root, which is prevented by the ima_appraise_tcb appraise rules. As
+a result, the system fails to boot:
+
+ [FAILED] Failed to start Commit a transient machine-id on disk.
+ See "systemctl status systemd-machine-id-commit.service" for details.
+ ...
+ [FAILED] Failed to start Network Service.
+ See "systemctl status systemd-networkd.service" for details.
+ [FAILED] Failed to start Login Service.
+ See "systemctl status systemd-logind.service" for details.
+
+No package manager is integrated with IMA/EVM. When updating packages,
+files will end up getting installed without correct IMA/EVM attributes
+and thus will not be usable when appraisal is turned on.
+
+[1] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6281
+[2] http://permalink.gmane.org/gmane.comp.handhelds.tizen.devel/6275
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
new file mode 100644
index 0000000..8aec388
--- /dev/null
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -0,0 +1,92 @@
+# No default! Either this or IMA_EVM_PRIVKEY/IMA_EVM_X509 have to be
+# set explicitly in a local.conf before activating ima-evm-rootfs.
+# To use the insecure (because public) example keys, use
+# IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
+
+# Private key for IMA signing. The default is okay when
+# using the example key directory.
+IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+
+# Public part of certificates (used for both IMA and EVM).
+# The default is okay when using the example key directory.
+IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
+
+# Root CA to be compiled into the kernel, none by default.
+# Must be the absolute path to a der-encoded x509 CA certificate
+# with a .x509 suffix. See linux-%.bbappend for details.
+#
+# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
+IMA_EVM_ROOT_CA ?= ""
+
+# Sign all regular files by default.
+IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
+# Hash nothing by default.
+IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
+
+# Mount these file systems (identified via their mount point) with
+# the iversion flags (needed by IMA when allowing writing).
+IMA_EVM_ROOTFS_IVERSION ?= ""
+
+ima_evm_sign_rootfs () {
+ cd ${IMAGE_ROOTFS}
+
+ # Beware that all operations below must also work when
+ # ima_evm_sign_rootfs was already called earlier for the same
+ # rootfs. That's because do_image might again run for various
+ # reasons (including a change of the signing keys) without also
+ # re-running do_rootfs.
+
+ # Copy file(s) which must be on the device. Note that
+ # evmctl uses x509_evm.der also for "ima_verify", which is probably
+ # a bug (should default to x509_ima.der). Does not matter for us
+ # because we use the same key for both.
+ install -d ./${sysconfdir}/keys
+ rm -f ./${sysconfdir}/keys/x509_evm.der
+ install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
+ ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
+
+ # Fix /etc/fstab: it must include the "i_version" mount option for
+ # those file systems where writing files is allowed, otherwise
+ # these changes will not get detected at runtime.
+ #
+ # Note that "i_version" is documented in "man mount" only for ext4,
+ # whereas "iversion" is said to be filesystem-independent. In practice,
+ # there is only one MS_I_VERSION flag in the syscall and ext2/ext3/ext4
+ # all support it.
+ #
+ # coreutils translates "iversion" into MS_I_VERSION. busybox rejects
+ # "iversion" and only understands "i_version". systemd only understands
+ # "iversion". We pick "iversion" here for systemd, whereas rootflags
+ # for initramfs must use "i_version" for busybox.
+ #
+ # Deduplicates iversion in case that this gets called more than once.
+ if [ -f etc/fstab ]; then
+ perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
+ fi
+
+ # Sign file with private IMA key. EVM not supported at the moment.
+ bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
+ find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
+ bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
+ find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+
+ # Optionally install custom policy for loading by systemd.
+ if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+ install -d ./${sysconfdir}/ima
+ rm -f ./${sysconfdir}/ima/ima-policy
+ install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+ fi
+}
+
+# Signing must run as late as possible in the do_rootfs task.
+# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
+# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
+# _append instead of += because _append gets evaluated later. In
+# particular, we must run after prelink_image in
+# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
+
+IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "
+
+# evmctl must have been installed first.
+do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
new file mode 100644
index 0000000..2f696cf
--- /dev/null
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -0,0 +1,24 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have a packages directory, add to BBFILES
+BBFILES := "${BBFILES} \
+ ${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "integrity"
+BBFILE_PATTERN_integrity := "^${LAYERDIR}/"
+BBFILE_PRIORITY_integrity = "6"
+
+# Set a variable to get to the top of the metadata location. Needed
+# for finding scripts (when following the README.md instructions) and
+# default debug keys (in ima-evm-rootfs.bbclass).
+IMA_EVM_BASE := '${LAYERDIR}'
+
+# We must not export this path to all shell scripts (as in "export
+# IMA_EVM_BASE"), because that causes problems with sstate (becames
+# dependent on location of the layer). Exporting it to just the
+# interactive shell is enough.
+OE_TERMINAL_EXPORTS += "IMA_EVM_BASE"
+
+LAYERSERIES_COMPAT_integrity = "warrior"
diff --git a/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
new file mode 100644
index 0000000..502a0b6
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
+Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
+IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
+OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
+lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
+HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
+aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
+TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
+WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
+SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
+xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
+CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
+1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
+3vVaxg2EfqB1
+-----END PRIVATE KEY-----
diff --git a/meta-security/meta-integrity/data/debug-keys/x509_ima.der b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
new file mode 100644
index 0000000..087ca6b
--- /dev/null
+++ b/meta-security/meta-integrity/data/debug-keys/x509_ima.der
Binary files differ
diff --git a/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
new file mode 100644
index 0000000..0c8617a
--- /dev/null
+++ b/meta-security/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -0,0 +1,129 @@
+#!/usr/bin/env python
+#
+# Authors: Cristina Moraru <cristina.moraru@intel.com>
+# Alexandru Cornea <alexandru.cornea@intel.com>
+
+import string
+from time import sleep
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+from oeqa.core.decorator.data import skipIfDataVar, skipIfNotDataVar
+import bb
+blacklist = ["/usr/bin/uz", "/bin/su.shadow"]
+
+class IMACheck(OERuntimeTestCase):
+
+ @classmethod
+ def setUpClass(cls):
+ locations = ["/bin", "/usr/bin"]
+ cls.binaries = []
+ for l in locations:
+ status, output = cls.tc.target.run("find %s -type f" % l)
+ cls.binaries.extend(output.split("\n"))
+
+ cls.total = len(cls.binaries)
+
+
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_ima_enabled(self):
+ ''' Test if IMA policy is loaded before systemd starts'''
+
+ ima_search = "ima: "
+ systemd_search = "systemd .* running"
+ status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+ self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+
+
+ @skipIfNotFeature('systemd',
+ 'Test requires systemd to be in DISTRO_FEATURES')
+ @skipIfNotDataVar('VIRTUAL-RUNTIME_init_manager', 'systemd',
+ 'systemd is not the init manager for this image')
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_before_systemd(self):
+ ''' Test if IMA policy is loaded before systemd starts'''
+ ima_search = "ima: "
+ systemd_search = "systemd .* running"
+ status, output = self.target.run("dmesg | grep -n '%s'" % ima_search)
+ self.assertEqual( status, 0, "Did not find '%s' in dmesg" % ima_search)
+ ima_id = int(output.split(":")[0])
+ status, output = self.target.run("dmesg | grep -n '%s'" % systemd_search)
+ self.assertEqual(status, 0, "Did not find '%s' in dmesg" % systemd_search)
+ init_id = int(output.split(":")[0])
+ if ima_id > init_id:
+ self.fail("IMA does not start before systemd")
+
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_hash(self):
+ ''' Test if IMA stores correct file hash '''
+ filename = "/etc/filetest"
+ ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements"
+ status, output = self.target.run("echo test > %s" % filename)
+ self.assertEqual(status, 0, "Cannot create file %s on target" % filename)
+
+ # wait for the IMA system to update the entry
+ maximum_tries = 30
+ tries = 0
+ status, output = self.target.run("sha1sum %s" %filename)
+ sleep(2)
+ current_hash = output.split()[0]
+ ima_hash = ""
+
+ while tries < maximum_tries:
+ status, output = self.target.run("cat %s | grep %s" \
+ % (ima_measure_file, filename))
+ # get last entry, 4th field
+ if status == 0:
+ tokens = output.split("\n")[-1].split()[3]
+ ima_hash = tokens.split(":")[1]
+ if ima_hash == current_hash:
+ break
+
+ tries += 1
+ sleep(1)
+
+ # clean target
+ self.target.run("rm %s" % filename)
+ if ima_hash != current_hash:
+ self.fail("Hash stored by IMA does not match actual hash")
+
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_signature(self):
+ ''' Test if IMA stores correct signature for system binaries'''
+ passed = 0
+ failed = 0
+ for b in self.binaries:
+ if b in blacklist:
+ continue
+ status, output = self.target.run("evmctl ima_verify %s" % b)
+ if status != 0:
+ failed += 1
+ else:
+ passed += 1
+
+ if failed == self.total:
+ self.fail("Signature verifications failed (%s)" % self.total)
+
+ #bb.warn("pass: %s, fail: %s, Total: %s" % (passed, failed, total))
+
+ @OETestDepends(['ima.IMACheck.test_ima_enabled'])
+ def test_ima_overwrite(self):
+ ''' Test if IMA prevents overwriting signed files '''
+ passed = 0
+ failed = 0
+ for b in self.binaries:
+ if b in blacklist:
+ continue
+ self.target.run("echo 'foo' >> %s" % b )
+ status, output = self.target.run("evmctl ima_verify %s" % b)
+
+ if status != 0:
+ failed += 1
+ else:
+ passed += 1
+
+ if failed == self.total:
+ self.fail("Overwritting verifications failed (%s)" % self.total)
diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc
new file mode 100644
index 0000000..7e9e210
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc
@@ -0,0 +1,5 @@
+# Append iversion option for auto types
+do_install_append() {
+ sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
+ echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
+}
diff --git a/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..c006f0e
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)}
diff --git a/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
new file mode 100644
index 0000000..6ed724d
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -0,0 +1,22 @@
+DESCRIPTION = "An image as an exmaple for Ima support"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-ima-evm-utils \
+ os-release"
+
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "integrity-image-minimal"
+
+INHERIT += "ima-evm-rootfs"
+IMA_EVM_KEY_DIR = "${IMA_EVM_BASE}/data/debug-keys"
+
+QB_KERNEL_CMDLINE_APPEND_append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb"
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
new file mode 100644
index 0000000..6057e8d
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -0,0 +1,28 @@
+# This recipe creates a module for the initramfs-framework in OE-core
+# which initializes IMA by loading a policy before transferring
+# control to the init process in the rootfs. The advantage over having
+# that init process doing the policy loading (which systemd could do)
+# is that already the integrity of the init binary itself will be
+# checked by the kernel.
+
+SUMMARY = "IMA module for the modular initramfs system"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " file://ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install -d ${D}/init.d
+ install ${WORKDIR}/ima ${D}/init.d/20-ima
+}
+
+FILES_${PN} = "/init.d ${sysconfdir}"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
new file mode 100644
index 0000000..8616f99
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Loads IMA policy into the kernel.
+
+ima_enabled() {
+ if [ "$bootparam_no_ima" = "true" ]; then
+ return 1
+ fi
+}
+
+ima_run() {
+ info "Initializing IMA (can be skipped with no_ima boot parameter)."
+ if ! grep -w securityfs /proc/mounts >/dev/null; then
+ if ! mount -t securityfs securityfs /sys/kernel/security; then
+ fatal "Could not mount securityfs."
+ fi
+ fi
+ if [ ! -d /sys/kernel/security/ima ]; then
+ fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
+ fi
+
+ # Instead of depending on the kernel to load the IMA X.509 certificate,
+ # use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
+ # where the loaded key was not checked sufficiently. We use keyctl here because it is
+ # slightly smaller than evmctl and is needed anyway.
+ # (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
+ for kind in ima evm; do
+ key=/etc/keys/x509_$kind.der
+ if [ -s $key ]; then
+ id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
+ if [ "$id" ]; then
+ id=$(printf "%d" 0x$id)
+ fi
+ if [ -z "$id" ]; then
+ id=`keyctl search @u keyring _$kind 2>/dev/null`
+ if [ -z "$id" ]; then
+ id=`keyctl newring _$kind @u`
+ fi
+ fi
+ info "Loading $key into $kind keyring $id"
+ keyctl padd asymmetric "" $id <$key
+ fi
+ done
+
+ # In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
+ # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
+ # checking the write of each line. To minimize the risk of policy loading going wrong we
+ # also remove comments and blank lines ourselves.
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+ fatal "Could not load IMA policy."
+ fi
+}
diff --git a/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
new file mode 100644
index 0000000..18acc9d
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -0,0 +1,9 @@
+SUMMARY = "IMA/EVM userspace tools"
+LICENSE = "MIT"
+
+inherit packagegroup
+
+# Only one at the moment, but perhaps more will come in the future.
+RDEPENDS_${PN} = " \
+ ima-evm-utils \
+"
diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
new file mode 100644
index 0000000..d6d3240
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sync
diff --git a/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
new file mode 100644
index 0000000..f4c170b
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStopPost=/bin/sync
+ExecStartPost=/bin/sync
diff --git a/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 0000000..3b45541
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,13 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += " \
+ file://machine-id-commit-sync.conf \
+ file://random-seed-sync.conf \
+"
+
+do_install_append () {
+ for i in machine-id-commit random-seed; do
+ install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
+ install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
+ done
+}
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 0000000..931854e
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://ima.cfg', '', d)}"
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
new file mode 100644
index 0000000..64016dd
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
@@ -0,0 +1,51 @@
+From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Tue, 8 Mar 2016 16:43:55 -0500
+Subject: [PATCH] ima: fix ima_inode_post_setattr
+
+Changing file metadata (eg. uid, guid) could result in having to
+re-appraise a file's integrity, but does not change the "new file"
+status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and
+IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch
+only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
+
+With this patch, changing the file timestamp will not remove the
+file signature on new files.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
+
+Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ security/integrity/ima/ima_appraise.c | 2 +-
+ security/integrity/integrity.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..a384ba1 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
+ if (iint) {
+ iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
+ IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
+- IMA_ACTION_FLAGS);
++ IMA_ACTION_RULE_FLAGS);
+ if (must_appraise)
+ iint->flags |= IMA_APPRAISE;
+ }
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index 0fc9519..f9decae 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -28,6 +28,7 @@
+
+ /* iint cache flags */
+ #define IMA_ACTION_FLAGS 0xff000000
++#define IMA_ACTION_RULE_FLAGS 0x06000000
+ #define IMA_DIGSIG 0x01000000
+ #define IMA_DIGSIG_REQUIRED 0x02000000
+ #define IMA_PERMIT_DIRECTIO 0x04000000
+--
+2.5.0
+
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
new file mode 100644
index 0000000..6ab7ce2
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
@@ -0,0 +1,138 @@
+From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Thu, 10 Mar 2016 18:19:20 +0200
+Subject: [PATCH] ima: add support for creating files using the mknodat
+ syscall
+
+Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
+stopped identifying empty files as new files. However new empty files
+can be created using the mknodat syscall. On systems with IMA-appraisal
+enabled, these empty files are not labeled with security.ima extended
+attributes properly, preventing them from subsequently being opened in
+order to write the file data contents. This patch marks these empty
+files, created using mknodat, as new in order to allow the file data
+contents to be written.
+
+Files with security.ima xattrs containing a file signature are considered
+"immutable" and can not be modified. The file contents need to be
+written, before signing the file. This patch relaxes this requirement
+for new files, allowing the file signature to be written before the file
+contents.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ fs/namei.c | 2 ++
+ include/linux/ima.h | 7 ++++++-
+ security/integrity/ima/ima_appraise.c | 3 +++
+ security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index ccd7f98..19502da 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3526,6 +3526,8 @@ retry:
+ switch (mode & S_IFMT) {
+ case 0: case S_IFREG:
+ error = vfs_create(path.dentry->d_inode,dentry,mode,true);
++ if (!error)
++ ima_post_path_mknod(dentry);
+ break;
+ case S_IFCHR: case S_IFBLK:
+ error = vfs_mknod(path.dentry->d_inode,dentry,mode,
+diff --git a/include/linux/ima.h b/include/linux/ima.h
+index 120ccc5..7f51971 100644
+--- a/include/linux/ima.h
++++ b/include/linux/ima.h
+@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
+ extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_module_check(struct file *file);
+ extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
+-
++extern void ima_post_path_mknod(struct dentry *dentry);
+ #else
+ static inline int ima_bprm_check(struct linux_binprm *bprm)
+ {
+@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
+ return 0;
+ }
+
++static inline void ima_post_path_mknod(struct dentry *dentry)
++{
++ return;
++}
++
+ #endif /* CONFIG_IMA */
+
+ #ifdef CONFIG_IMA_APPRAISE
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..20806ea 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -274,6 +274,11 @@ out:
+ xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ if (!ima_fix_xattr(dentry, iint))
+ status = INTEGRITY_PASS;
++ } else if ((inode->i_size == 0) &&
++ (iint->flags & IMA_NEW_FILE) &&
++ (xattr_value &&
++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
++ status = INTEGRITY_PASS;
+ }
+ integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ op, cause, rc, 0);
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index eeee00dc..705bf78 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
+ ima_audit_measurement(iint, pathname);
+
+ out_digsig:
+- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
++ !(iint->flags & IMA_NEW_FILE))
+ rc = -EACCES;
+ kfree(xattr_value);
+ out_free:
+@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
+ EXPORT_SYMBOL_GPL(ima_file_check);
+
+ /**
++ * ima_post_path_mknod - mark as a new inode
++ * @dentry: newly created dentry
++ *
++ * Mark files created via the mknodat syscall as new, so that the
++ * file data can be written later.
++ */
++void ima_post_path_mknod(struct dentry *dentry)
++{
++ struct integrity_iint_cache *iint;
++ struct inode *inode;
++ int must_appraise;
++
++ if (!dentry || !dentry->d_inode)
++ return;
++
++ inode = dentry->d_inode;
++ if (inode->i_size != 0)
++ return;
++
++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
++ if (!must_appraise)
++ return;
++
++ iint = integrity_inode_get(inode);
++ if (iint)
++ iint->flags |= IMA_NEW_FILE;
++}
++
++/**
+ * ima_module_check - based on policy, collect/store/appraise measurement.
+ * @file: pointer to the file to be measured/appraised
+ *
+--
+2.5.0
+
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
new file mode 100644
index 0000000..157c007
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
@@ -0,0 +1,60 @@
+From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 15 Nov 2016 10:10:23 +0100
+Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
+ modes"
+
+This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
+
+The original motivation was security hardening ("File hashes are
+automatically set and updated and should not be manually set.")
+
+However, that hardening ignores and breaks some valid use cases:
+- File hashes might not be set because the file is currently
+ outside of the policy and therefore have to be set by the
+ creator. Examples:
+ - Booting into an initramfs with an IMA-enabled kernel but
+ without setting an IMA policy, then installing
+ the OS onto the target partition by unpacking a rootfs archive
+ which has the file hashes pre-computed.
+ - Unpacking a file into a staging area with meta data (like owner)
+ that leaves the file outside of the current policy, then changing
+ the meta data such that it becomes part of the current policy.
+- "should not be set manually" implies that the creator is aware
+ of IMA semantic, the current system's configuration, and then
+ skips setting file hashes in security.ima if (and only if) the
+ kernel would prevent it. That's not the case for standard, unmodified
+ tools. Example: unpacking an archive with security.ima xattrs with
+ bsdtar or GNU tar.
+
+Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ security/integrity/ima/ima_appraise.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4b9b4a4..b8b2dd9 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ if (result == 1) {
+- bool digsig;
+-
+ if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
+ return -EINVAL;
+- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+- return -EPERM;
+- ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
++ ima_reset_appraise_flags(d_backing_inode(dentry),
++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+ result = 0;
+ }
+ return result;
+--
+2.1.4
+
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
new file mode 100644
index 0000000..b3e47ba
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,18 @@
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
new file mode 100644
index 0000000..9a45425
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -0,0 +1,3 @@
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
new file mode 100644
index 0000000..5ccb73d
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
@@ -0,0 +1,65 @@
+From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Wed, 6 Mar 2019 01:08:43 +0300
+Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL
+
+There is no need to link to full libssl. evmctl uses functions from
+libcrypto, so let's link only against that library.
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+---
+ configure.ac | 4 +---
+ src/Makefile.am | 9 ++++-----
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 60f3684..32e8d85 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -24,9 +24,7 @@ LT_INIT
+ # Checks for header files.
+ AC_HEADER_STDC
+
+-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
+-AC_SUBST(OPENSSL_CFLAGS)
+-AC_SUBST(OPENSSL_LIBS)
++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+ AC_SUBST(KERNEL_HEADERS)
+ AC_CHECK_HEADER(unistd.h)
+ AC_CHECK_HEADERS(openssl/conf.h)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index d74fc6f..b81281a 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,11 +1,11 @@
+ lib_LTLIBRARIES = libimaevm.la
+
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+-libimaevm_la_LIBADD = $(OPENSSL_LIBS)
++libimaevm_la_LIBADD = $(LIBCRYPTO_LIBS)
+
+ include_HEADERS = imaevm.h
+
+@@ -17,12 +17,11 @@ hash_info.h: Makefile
+ bin_PROGRAMS = evmctl
+
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+-evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la
++evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+
+ INCLUDES = -I$(top_srcdir) -include config.h
+
+ CLEANFILES = hash_info.h
+ DISTCLEANFILES = @DISTCLEANFILES@
+-
+--
+2.17.1
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
new file mode 100644
index 0000000..8237274
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
@@ -0,0 +1,43 @@
+From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Wed, 6 Mar 2019 01:17:12 +0300
+Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS
+
+Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning
+about deprecated variable usage.
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+---
+ src/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index b81281a..164e7e4 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,7 +1,7 @@
+ lib_LTLIBRARIES = libimaevm.la
+
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+@@ -17,11 +17,11 @@ hash_info.h: Makefile
+ bin_PROGRAMS = evmctl
+
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+ evmctl_LDADD = $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+
+-INCLUDES = -I$(top_srcdir) -include config.h
++AM_CPPFLAGS = -I$(top_srcdir) -include config.h
+
+ CLEANFILES = hash_info.h
+ DISTCLEANFILES = @DISTCLEANFILES@
+--
+2.17.1
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
new file mode 100644
index 0000000..3d250d2
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
@@ -0,0 +1,31 @@
+From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Wed, 6 Mar 2019 01:22:30 +0300
+Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution
+
+Include hash-info.gen into tarball and call it from the sourcedir to fix
+out-of-tree build (and thus 'make distcheck').
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+---
+ src/Makefile.am | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 164e7e4..9c037e2 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h
+
+ nodist_libimaevm_la_SOURCES = hash_info.h
+ BUILT_SOURCES = hash_info.h
++EXTRA_DIST = hash_info.gen
+ hash_info.h: Makefile
+- ./hash_info.gen $(KERNEL_HEADERS) >$@
++ $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
+
+ bin_PROGRAMS = evmctl
+
+--
+2.17.1
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
new file mode 100644
index 0000000..4ada1a2
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
@@ -0,0 +1,34 @@
+From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Wed, 6 Mar 2019 01:24:04 +0300
+Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+---
+ .gitignore | 1 +
+ src/.gitignore | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 src/.gitignore
+
+diff --git a/.gitignore b/.gitignore
+index ca7a06e..cb82166 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -45,6 +45,7 @@ cscope.*
+ ncscope.*
+
+ # Generated documentation
++*.1
+ *.8
+ *.5
+ manpage.links
+diff --git a/src/.gitignore b/src/.gitignore
+new file mode 100644
+index 0000000..38e8e3c
+--- /dev/null
++++ b/src/.gitignore
+@@ -0,0 +1 @@
++hash_info.h
+--
+2.17.1
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
new file mode 100644
index 0000000..35c3162
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
@@ -0,0 +1,68 @@
+From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 30 Sep 2016 10:22:16 +0200
+Subject: [PATCH] command line: apply operation to all paths
+
+Previously, invocations like "evmctl ima_hash foo bar" silently
+ignored all parameters after the first path name ("foo" in this
+example).
+
+Now evmctl iterates over all specified paths. It aborts with an
+error as soon as the selected operation fails for a path.
+
+Supporting more than one parameter is useful in combination with
+"find" and "xargs" because it is noticably faster than invoking
+evmutil separately for each file, in particular when run under pseudo
+(a fakeroot environment used by the OpenEmbedded build system).
+
+This complements the recursive mode and can be used when more control
+over file selection is needed.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ src/evmctl.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 23cf54c..2072034 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
+ static int do_cmd(struct command *cmd, find_cb_t func)
+ {
+ char *path = g_argv[optind++];
+- int err, dts = REG_MASK; /* only regular files by default */
++ int err = 0, dts = REG_MASK; /* only regular files by default */
+
+ if (!path) {
+ log_err("Parameters missing\n");
+@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
+ return -1;
+ }
+
+- if (recursive) {
+- if (search_type) {
+- dts = get_file_type(path, search_type);
+- if (dts < 0)
+- return dts;
++ while (path && !err) {
++ if (recursive) {
++ if (search_type) {
++ dts = get_file_type(path, search_type);
++ if (dts < 0)
++ return dts;
++ }
++ err = find(path, dts, func);
++ } else {
++ err = func(path);
+ }
+- err = find(path, dts, func);
+- } else {
+- err = func(path);
++ path = g_argv[optind++];
+ }
+
+ return err;
+--
+2.1.4
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
new file mode 100644
index 0000000..75076f5
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
@@ -0,0 +1,50 @@
+From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 13 May 2015 03:41:02 -0700
+Subject: [PATCH] Makefile.am: disable man page creation
+
+Depends on asciidoc, which is not available.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ Makefile.am | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 06ebf59..4ddd52c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,5 +1,5 @@
+ SUBDIRS = src
+-dist_man_MANS = evmctl.1
++# dist_man_MANS = evmctl.1
+
+ doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+ EXTRA_DIST = autogen.sh $(doc_DATA)
+@@ -39,4 +39,21 @@ rmman:
+
+ doc: evmctl.1.html rmman evmctl.1
+
++# requires asciidoc, xslproc, docbook-xsl
++# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
++#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
++#
++#evmctl.1.html: README
++# @asciidoc -o $@ $<
++#
++#evmctl.1:
++# asciidoc -d manpage -b docbook -o evmctl.1.xsl README
++# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
++# rm -f evmctl.1.xsl
++#
++#rmman:
++# rm -f evmctl.1
++#
++#doc: evmctl.1.html rmman evmctl.1
++
+ .PHONY: $(tarname)
+--
+1.8.4.5
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
new file mode 100644
index 0000000..c0bdd9b
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
@@ -0,0 +1,47 @@
+From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 17 Jun 2015 14:28:18 +0200
+Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
+
+Compilation on older Linux distros (like Ubuntu 12.04) fails
+because linux/xattr.h does not yet have the IMA defines. Compiling
+there makes sense when only the tools are needed, for example when
+signing an image in cross-compile mode.
+
+To support this, add fallbacks for the two defines which are needed.
+Their value is part of the Linux ABI and thus fixed.
+
+Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ src/evmctl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index c54efbb..23cf54c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -56,6 +56,18 @@
+ #include <ctype.h>
+ #include <termios.h>
+
++/*
++ * linux/xattr.h might be old to have this. Allow compilation on older
++ * Linux distros (like Ubuntu 12.04) by falling back to our own
++ * definition.
++ */
++#ifndef XATTR_IMA_SUFFIX
++# define XATTR_IMA_SUFFIX "ima"
++#endif
++#ifndef XATTR_NAME_IMA
++# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
++#endif
++
+ #include <openssl/sha.h>
+ #include <openssl/pem.h>
+ #include <openssl/hmac.h>
+--
+2.1.4
+
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
new file mode 100644
index 0000000..929d853
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -0,0 +1,41 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS_class-native += "openssl-native keyutils-native"
+
+PV = "1.0+git${SRCPV}"
+SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167"
+SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
+
+# Documentation depends on asciidoc, which we do not have, so
+# do not build documentation.
+SRC_URI += "file://disable-doc-creation.patch"
+
+# Workaround for upstream incompatibility with older Linux distros.
+# Relevant for us when compiling ima-evm-utils-native.
+SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
+
+# Required for xargs with more than one path as argument (better for performance).
+SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
+
+SRC_URI += "\
+ file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \
+ file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \
+ file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \
+ file://0004-ima-evm-utils-update-.gitignore-files.patch \
+"
+S = "${WORKDIR}/git"
+
+inherit pkgconfig autotools
+
+EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
new file mode 100644
index 0000000..36e71a7
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -0,0 +1,29 @@
+#
+# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
+#
+# Do not measure anything, but appraise everything
+#
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+
+appraise
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
new file mode 100644
index 0000000..b58d3fe
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple appraise policy "
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_appraise_all"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
new file mode 100644
index 0000000..7f89c8d
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -0,0 +1,77 @@
+# With this policy, all files on regular partitions are
+# appraised. Files with signed IMA hash and normal hash are
+# accepted. Signed files cannot be modified while hashed files can be
+# (which will also update the hash). However, signed files can
+# be deleted, so in practice it is still possible to replace them
+# with a modified version.
+#
+# Without EVM, this is obviously not very secure, so this policy is
+# just an example and/or basis for further improvements. For that
+# purpose, some comments show what could be added to make the policy
+# more secure.
+#
+# With EVM the situation might be different because access
+# to the EVM key can be restricted.
+#
+# Files which are appraised are also measured. This allows
+# debugging whether a file is in policy by looking at
+# /sys/kernel/security/ima/ascii_runtime_measurements
+
+# PROC_SUPER_MAGIC
+dont_appraise fsmagic=0x9fa0
+dont_measure fsmagic=0x9fa0
+# SYSFS_MAGIC
+dont_appraise fsmagic=0x62656572
+dont_measure fsmagic=0x62656572
+# DEBUGFS_MAGIC
+dont_appraise fsmagic=0x64626720
+dont_measure fsmagic=0x64626720
+# TMPFS_MAGIC
+dont_appraise fsmagic=0x01021994
+dont_measure fsmagic=0x01021994
+# RAMFS_MAGIC
+dont_appraise fsmagic=0x858458f6
+dont_measure fsmagic=0x858458f6
+# DEVPTS_SUPER_MAGIC
+dont_appraise fsmagic=0x1cd1
+dont_measure fsmagic=0x1cd1
+# BIFMT
+dont_appraise fsmagic=0x42494e4d
+dont_measure fsmagic=0x42494e4d
+# SECURITYFS_MAGIC
+dont_appraise fsmagic=0x73636673
+dont_measure fsmagic=0x73636673
+# SELINUXFS_MAGIC
+dont_appraise fsmagic=0xf97cff8c
+dont_measure fsmagic=0xf97cff8c
+# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
+dont_appraise fsmagic=0x6e736673
+dont_measure fsmagic=0x6e736673
+# SMACK_MAGIC
+dont_appraise fsmagic=0x43415d53
+dont_measure fsmagic=0x43415d53
+# CGROUP_SUPER_MAGIC
+dont_appraise fsmagic=0x27e0eb
+dont_measure fsmagic=0x27e0eb
+# EFIVARFS_MAGIC
+dont_appraise fsmagic=0xde5e81e4
+dont_measure fsmagic=0xde5e81e4
+
+# Special partition, no checking done.
+# dont_measure fsuuid=a11234...
+# dont_appraise fsuuid=a11243...
+
+# Special immutable group.
+# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
+
+# All executables must be signed - too strict, we need to
+# allow installing executables on the device.
+# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
+# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
+
+# Default rule. Would be needed also when other rules were added that
+# determine what to do in case of reading (mask=MAY_READ or
+# mask=MAY_EXEC) because otherwise writing does not update the file
+# hash.
+appraise
+measure
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
new file mode 100644
index 0000000..3352daa
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "IMA sample hash policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_hashed"
+
+SRC_URI = " \
+ file://${IMA_POLICY} \
+"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
new file mode 100644
index 0000000..38ca8f5
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
@@ -0,0 +1,4 @@
+# Very simple policy demonstrating the systemd policy loading bug
+# (policy with one line works, two lines don't).
+dont_appraise fsmagic=0x9fa0
+dont_appraise fsmagic=0x62656572
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
new file mode 100644
index 0000000..17132aa
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "IMA sample simple policy"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima_policy_simple"
+
+SRC_URI = " file://${IMA_POLICY}"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
+}
+
+FILES_${PN} = "${sysconfdir}/ima"
+RDEPENDS_${PN} = "ima-evm-utils"
diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
new file mode 100755
index 0000000..5f3a728
--- /dev/null
+++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima.genkey
+CA=${1:-ima-local-ca.pem}
+CAKEY=${2:-ima-local-ca.priv}
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example signing key
+emailAddress = john.doe@example.com
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA $CA -CAkey $CAKEY -CAcreateserial \
+ -outform DER -out x509_ima.der
diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
new file mode 100755
index 0000000..b600761
--- /dev/null
+++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example certificate signing key
+emailAddress = john.doe@example.com
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
new file mode 100755
index 0000000..5ee876c
--- /dev/null
+++ b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example signing key
+emailAddress = john.doe@example.com
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ -x509 -config $GENKEY \
+ -outform DER -out x509_ima.der -keyout privkey_ima.pem
diff --git a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
index 812408e..0f53a8c 100644
--- a/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
+++ b/meta-security/recipes-ids/samhain/samhain-client_4.3.2.bb
@@ -9,3 +9,4 @@
"
RDEPENDS_${PN} = "acl zlib attr bash"
+RCONFLICTS_${PN} = "samhain-standalone"
diff --git a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
index 9341d44..d304912 100644
--- a/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
+++ b/meta-security/recipes-ids/samhain/samhain-server_4.3.2.bb
@@ -18,3 +18,4 @@
}
RDEPENDS_${PN} += "gmp bash perl"
+RCONFLICTS_${PN} = "samhain-standalone"
diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index 152c03a..e9accb5 100644
--- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -41,8 +41,7 @@
do_install () {
install -d ${D}${sbindir}
- install -d ${D}${libdir}/perl/site_perl/Curses
- ln -sf perl ${D}/${libdir}/perl5
+ install -d ${D}${libdir}/perl5/site_perl/Curses
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
@@ -51,7 +50,6 @@
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/lock/subsys/bastille
install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
diff --git a/meta-security/recipes-security/checksec/checksec_1.11.bb b/meta-security/recipes-security/checksec/checksec_1.11.1.bb
similarity index 90%
rename from meta-security/recipes-security/checksec/checksec_1.11.bb
rename to meta-security/recipes-security/checksec/checksec_1.11.1.bb
index 59a67bd..835dffc 100644
--- a/meta-security/recipes-security/checksec/checksec_1.11.bb
+++ b/meta-security/recipes-security/checksec/checksec_1.11.1.bb
@@ -6,7 +6,7 @@
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
-SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447"
+SRCREV = "3c15cb89641c700096fdec0c1904a0cf9b83c5e2"
SRC_URI = "git://github.com/slimm609/checksec.sh"
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
new file mode 100644
index 0000000..7f0812c
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
@@ -0,0 +1,28 @@
+From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@cn.fujitsu.com>
+Date: Thu, 9 May 2019 14:44:51 +0900
+Subject: [PATCH] To fix build error of xrange.
+
+NameError: name 'xrange' is not defined
+
+Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
+---
+ fail2ban/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
+index fa6dcf7..61789a4 100644
+--- a/fail2ban/__init__.py
++++ b/fail2ban/__init__.py
+@@ -82,7 +82,7 @@ strptime("2012", "%Y")
+
+ # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
+ def _init():
+- for i in xrange(50):
++ for i in range(50):
+ if logging.getLevelName(i).startswith('Level'):
+ logging.addLevelName(i, '#%02d-Lev.' % i)
+ _init()
+--
+2.7.4
+
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 5c887e8..23ef027 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -2,3 +2,7 @@
require python-fail2ban.inc
RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
+
+SRC_URI += " \
+ file://0001-To-fix-build-error-of-xrang.patch \
+"
diff --git a/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch
new file mode 100644
index 0000000..938fe2e
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/files/fix_library_install_path.patch
@@ -0,0 +1,28 @@
+From b0355cc205543ffd33752874295139d57c4fbc3e Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Tue, 26 Sep 2017 07:59:51 +0000
+Subject: [PATCH] Subject: [PATCH] keyutils: use relative path for link
+
+The absolute path of the symlink will be invalid
+when populated in sysroot, so use relative path instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+{rebased for 1.6]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: keyutils-1.6/Makefile
+===================================================================
+--- keyutils-1.6.orig/Makefile
++++ keyutils-1.6/Makefile
+@@ -184,7 +184,7 @@ ifeq ($(NO_SOLIB),0)
+ $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+ $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+ mkdir -p $(DESTDIR)$(USRLIBDIR)
+- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ sed \
+ -e 's,@VERSION\@,$(VERSION),g' \
+ -e 's,@prefix\@,$(PREFIX),g' \
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.6.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
index c961fa2..4d3a96f 100644
--- a/meta-security/recipes-security/keyutils/keyutils_1.6.bb
+++ b/meta-security/recipes-security/keyutils/keyutils_1.6.bb
@@ -12,13 +12,13 @@
LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
-
-inherit siteinfo ptest
+inherit siteinfo autotools-brokensep ptest
SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
file://keyutils-test-fix-output-format.patch \
file://keyutils-fix-error-report-by-adding-default-message.patch \
file://run-ptest \
+ file://fix_library_install_path.patch \
"
SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808"
@@ -28,14 +28,15 @@
NO_ARLIB=1 \
BINDIR=${base_bindir} \
SBINDIR=${base_sbindir} \
- LIBDIR=${base_libdir} \
- USRLIBDIR=${base_libdir} \
+ LIBDIR=${libdir} \
+ USRLIBDIR=${libdir} \
+ INCLUDEDIR=${includedir} \
BUILDFOR=${SITEINFO_BITS}-bit \
NO_GLIBC_KEYERR=1 \
"
do_install () {
- install -d ${D}/${nonarch_base_libdir}/pkgconfig
+ install -d ${D}/${libdir}/pkgconfig
oe_runmake DESTDIR=${D} install
}
@@ -44,8 +45,9 @@
sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
}
-FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc"
RDEPENDS_${PN}-ptest += "lsb"
RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils"
RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc
index 99f30a7..baa69b2 100644
--- a/meta-security/recipes-security/scapy/python-scapy.inc
+++ b/meta-security/recipes-security/scapy/python-scapy.inc
@@ -12,13 +12,6 @@
inherit ptest
-do_install_append() {
- if [ "${PYTHON_PN}" = "python3" ]; then
- sed -i -e 's/python/python3/' ${D}${bindir}/scapy
- sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy
- fi
-}
-
do_install_ptest() {
install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
index 98db1fd..982620e 100644
--- a/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
+++ b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb
@@ -4,3 +4,8 @@
SRC_URI += "file://run-ptest"
RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
+
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy2
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy2
+}
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
index 83c79f4..abcaeeb 100644
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb
@@ -3,3 +3,7 @@
SRC_URI += "file://run-ptest"
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
+}