meta-security: subtree update:787ba6faea..d6baccc068
Armin Kuster (20):
trousers: update to tip
upload-error-report: add script to upload errors
kas/kas-security-base.yml: lets enable error reporting
.gitlab: send error reports
cryptsetup-tpm-incubator: drop recipe
sssd: Avoid nss function conflicts with glibc nss.h
cryptsetup-tpm-incubator: remove reference from other files
packagegroup-core-security: dont include suricata on riscv or ppc
kas-security-base: add testimage
kas: add test config
kas: add one dm-verify image build
gitlab-ci: add dm-verify-image
gitlab-ci: add testimage
meta-harden: Add a layer to demo harding OE/YP
kas-security-base: define sections as base
packagegroup-core-security: add more pkgs to base group
apparmor: exclude mips64, not supported
kas: add alt and mutli build images
kas-security-base: set RPM and disable ptest
qemu test: set ptest
Charlie Davies (1):
clamav: update SO_VER to 9.0.4
Jens Rehsack (2):
ibmswtpm2: update to 1637
ibmtpm2tss: add recipe
Jonatan Pålsson (1):
sssd: Make manpages buildable
Qi.Chen@windriver.com (1):
nss: update patch to fix do_patch error
Zheng Ruoqin (1):
trousers: Fix the problem that do_package fails when multilib is enabled.
niko.mauno@vaisala.com (12):
dm-verity-img.bbclass: Fix bashisms
dm-verity-img.bbclass: Reorder parse-time check
dm-verity-image-initramfs: Ensure verity hash sync
dm-verity-image-initramfs: Bind at do_image instead
linux-yocto(-dev): Add dm-verity fragment as needed
dm-verity-img.bbclass: Stage verity.env file
initramfs-framework: Add dmverity module
dm-verity-image-initramfs: Use initramfs-framework
dm-verity-initramfs-image: Cosmetic improvements
dm-verity-image-initramfs: Add base-passwd package
dm-verity-image-initramfs: Drop locales from image
beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 132eb78..46468fd 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -5,17 +5,21 @@
stage: build
image: crops/poky
before_script:
+ - echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ - echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
- export PATH=~/.local/bin:$PATH
- wget https://bootstrap.pypa.io/get-pip.py
- python3 get-pip.py
- python3 -m pip install kas
- - wget -q 'https://downloads.rclone.org/rclone-current-linux-amd64.zip'
- - unzip -q rclone-current-linux-amd64.zip
- - mv rclone-*-linux-amd64/rclone ~/.local/bin/
- - rm -rf rclone-*-linux-amd64*
after_script:
+ - cd $CI_PROJECT_DIR/poky
+ - . ./oe-init-build-env $CI_PROJECT_DIR/build
+ - for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
+ - send-error-report -y tmp/log/error-report/$x
+ - done
+ - cd $CI_PROJECT_DIR
- rm -rf build
- - ./scripts/ci-cleanup.sh
+ - $CI_PROJECT_DIR/scripts/ci-cleanup.sh
cache:
paths:
- layers
@@ -84,3 +88,47 @@
extends: .build
script:
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME.yml
+
+qemux86-64-dm-verify:
+ extends: .build
+ script:
+ - kas build --target core-image-minimal kas/qemux86-64.yml
+ - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME.yml
+
+
+qemuarm64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemuarm64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemumips64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-alt:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+qemux86-64-multi:
+ extends: .build
+ script:
+ - kas build --target security-build-image kas/$CI_JOB_NAME.yml
+
+
+qemux86-test:
+ extends: .build
+ script:
+ - kas build --target security-test-image kas/$CI_JOB_NAME.yml
+ - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 1c0e29b..16d395b 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -18,12 +18,18 @@
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
+# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
+# is stored where it can be installed into associated initramfs rootfs.
+STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
- local ENV="$OUTPUT.env"
+ local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
+ install -d ${STAGING_VERITY_DIR}
+ rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
# two parts into separate variables and process them separately. For the
@@ -32,15 +38,13 @@
# just trim all white-spaces.
IFS=":"
while read KEY VAL; do
- echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV
- echo -ne "=" >> $ENV
- echo "$VAL" | tr -d " \t" >> $ENV
+ printf '%s=%s\n' \
+ "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \
+ "$(echo "$VAL" | tr -d ' \t')" >> $ENV
done
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
-
- ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env
}
verity_setup() {
@@ -68,13 +72,13 @@
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
- if verity_image != pn:
- return # This doesn't concern this image
-
if not verity_image or not verity_type:
bb.warn('dm-verity-img class inherited but not used')
return
+ if verity_image != pn:
+ return # This doesn't concern this image
+
if len(verity_type.split()) is not 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index 768390e..cd87d1d 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -29,7 +29,7 @@
meta-networking:
local_conf_header:
- meta-security: |
+ base: |
CONF_VERSION = "1"
SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
@@ -37,6 +37,14 @@
DL_DIR = "/home/srv/downloads/master"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
+ INHERIT += "buildstats buildstats-summary buildhistory"
+ INHERIT += "report-error"
+ INHERIT += "testimage"
+ TEST_QEMUBOOT_TIMEOUT = "1500"
+ EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
+ DISTRO_FEATURES_remove = " ptest"
+ PACKAGE_CLASSES = "package_rpm"
+
diskmon: |
BB_DISKMON_DIRS = "\
@@ -50,7 +58,7 @@
ABORT,/tmp,10M,1K"
bblayers_conf_header:
- meta-security: |
+ base: |
POKY_BBLAYERS_CONF_VERSION = "2"
BBPATH = "${TOPDIR}"
BBFILES ?= ""
diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml
new file mode 100644
index 0000000..7ce0e9d
--- /dev/null
+++ b/meta-security/kas/kas-security-dm.yml
@@ -0,0 +1,13 @@
+header:
+ version: 9
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ dm-verify: |
+ DM_VERITY_IMAGE = "core-image-minimal"
+ DM_VERITY_IMAGE_TYPE = "ext4"
+ IMAGE_CLASSES += "dm-verity-img"
+ INITRAMFS_IMAGE_BUNDLE = "1"
+ INITRAMFS_IMAGE = "dm-verity-image-initramfs"
+
diff --git a/meta-security/kas/qemuarm64-alt.yml b/meta-security/kas/qemuarm64-alt.yml
new file mode 100644
index 0000000..d23e38e
--- /dev/null
+++ b/meta-security/kas/qemuarm64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " apparmor pam systemd"
+
+machine: qemuarm64
diff --git a/meta-security/kas/qemuarm64-multi.yml b/meta-security/kas/qemuarm64-multi.yml
new file mode 100644
index 0000000..d79142c
--- /dev/null
+++ b/meta-security/kas/qemuarm64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"
+
+machine: qemuarm64
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
new file mode 100644
index 0000000..923c213
--- /dev/null
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " pam systmed"
+
+machine: qemumips64
diff --git a/meta-security/kas/qemumips64-multi.yml b/meta-security/kas/qemumips64-multi.yml
new file mode 100644
index 0000000..c8cf94b
--- /dev/null
+++ b/meta-security/kas/qemumips64-multi.yml
@@ -0,0 +1,14 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib64 multilib:lib32"
+ DEFAULTTUNE = "mips64-n32"
+ DEFAULTTUNE_virtclass-multilib-lib64 = "mips64"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "mips32r2"
+
+machine: qemumips64
diff --git a/meta-security/kas/qemux86-64-alt.yml b/meta-security/kas/qemux86-64-alt.yml
new file mode 100644
index 0000000..4364bf5
--- /dev/null
+++ b/meta-security/kas/qemux86-64-alt.yml
@@ -0,0 +1,10 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ alt: |
+ DISTRO_FEATURES_append = " apparmor pam systmed"
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-dm-verify.yml b/meta-security/kas/qemux86-64-dm-verify.yml
new file mode 100644
index 0000000..1f26008
--- /dev/null
+++ b/meta-security/kas/qemux86-64-dm-verify.yml
@@ -0,0 +1,6 @@
+header:
+ version: 8
+ includes:
+ - kas-security-dm.yml
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-multi.yml b/meta-security/kas/qemux86-64-multi.yml
new file mode 100644
index 0000000..711ce28
--- /dev/null
+++ b/meta-security/kas/qemux86-64-multi.yml
@@ -0,0 +1,12 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+local_conf_header:
+ multi: |
+ require conf/multilib.conf
+ MULTILIBS = "multilib:lib32"
+ DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
+
+machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
new file mode 100644
index 0000000..823a8b2
--- /dev/null
+++ b/meta-security/kas/qemux86-test.yml
@@ -0,0 +1,11 @@
+header:
+ version: 8
+ includes:
+ - kas-security-base.yml
+
+
+local_conf_header:
+ meta-security: |
+ DISTRO_FEATURES_append = " ptest apparmor pam"
+
+machine: qemux86
diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-security/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+
+
+Meta-hardening
+=============
+
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection. This is only
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+
+By default the hardening components are disabled. This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+
+In order to use the components in this layer to take affect the 'harden' keyword must
+set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework.
+
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+
+example:
+local.conf
+DISTRO = "harden"
+
+The default user and password are:
+User: "myadmin"
+Password: "1SimplePw!"
+
+bitbake {qemu machine} harden-image-minimal
+
+Dependencies
+============
+
+Branch: master
+
+This layer depends on:
+
+URI: git://git.yoctoproject.org/poky
+
+or this normal combo:
+
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+
+URI: git://git.openembedded.org/bitbake
+
+plus:
+
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers: Armin Kuster <akuster808@gmail.com>
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-security/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+
+DISABLE_ROOT ?= "True"
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+ fi
+}
diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+ sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image extrausers
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
diff --git a/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: mountall
+# Required-Start: mountvirtfs
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+ rm -f /dev/initctl
+ mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+
diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_harden = " file://mountall.sh"
+
+do_install_append_harden() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+#
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN} \
+ packagegroup-${PN} \
+"
+
+RDEPENDS_${PN} = "\
+ init-ifupdown \
+ ${VIRTUAL-RUNTIME_base-utils-syslog} \
+ sudo \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+ # to hardend
+ sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+ sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+ if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+ sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+ fi
+}
diff --git a/meta-security/meta-tpm/conf/distro/include/maintainers.inc b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
index 74c1a18..dcf53d0 100644
--- a/meta-security/meta-tpm/conf/distro/include/maintainers.inc
+++ b/meta-security/meta-tpm/conf/distro/include/maintainers.inc
@@ -33,7 +33,6 @@
RECIPE_MAINTAINER_pn-tpm2-tss-engine = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-tpm2-pkcs11 = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-tpm2-tss = "Armin Kuster <akuster808@gmail.com>"
-RECIPE_MAINTAINER_pn-cryptsetup-tpm-incubator = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-tpm2-tools = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-ibmswtpm2 = "Armin Kuster <akuster808@gmail.com>"
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index a553a63..8b6f030 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -7,7 +7,6 @@
PACKAGES = "${PN}"
-PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"
SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
RDEPENDS_packagegroup-security-tpm2 = " \
tpm2-tools \
@@ -20,5 +19,4 @@
tpm2-abrmd \
tpm2-pkcs11 \
ibmswtpm2 \
- ${PREFERRED_PROVIDER_cryptsetup} \
"
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch b/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
deleted file mode 100644
index 72c81d1..0000000
--- a/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-Correct-multiple-security-issues-that-are-present-if.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
-From: Matthias Gerstner <mgerstner@suse.de>
-Date: Fri, 14 Aug 2020 22:14:36 -0700
-Subject: [PATCH] Correct multiple security issues that are present if the tcsd
- is started by root instead of the tss user.
-
-Patch fixes the following 3 CVEs:
-
-CVE-2020-24332
-If the tcsd daemon is started with root privileges,
-the creation of the system.data file is prone to symlink attacks
-
-CVE-2020-24330
-If the tcsd daemon is started with root privileges,
-it fails to drop the root gid after it is no longer needed
-
-CVE-2020-24331
-If the tcsd daemon is started with root privileges,
-the tss user has read and write access to the /etc/tcsd.conf file
-
-Authored-by: Matthias Gerstner <mgerstner@suse.de>
-Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
-
-Upstream-Status: Backport
-CVE: CVE-2020-24332
-CVE: CVE-2020-24330
-CVE: CVE-2020-24331
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/tcs/ps/tcsps.c | 2 +-
- src/tcsd/svrside.c | 1 +
- src/tcsd/tcsd_conf.c | 10 +++++-----
- 3 files changed, 7 insertions(+), 6 deletions(-)
-
-Index: git/src/tcs/ps/tcsps.c
-===================================================================
---- git.orig/src/tcs/ps/tcsps.c
-+++ git/src/tcs/ps/tcsps.c
-@@ -72,7 +72,7 @@ get_file()
- }
-
- /* open and lock the file */
-- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
-+ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
- if (system_ps_fd < 0) {
- LogError("system PS: open() of %s failed: %s",
- tcsd_options.system_ps_file, strerror(errno));
-Index: git/src/tcsd/svrside.c
-===================================================================
---- git.orig/src/tcsd/svrside.c
-+++ git/src/tcsd/svrside.c
-@@ -473,6 +473,7 @@ main(int argc, char **argv)
- }
- return TCSERR(TSS_E_INTERNAL_ERROR);
- }
-+ setgid(pwd->pw_gid);
- setuid(pwd->pw_uid);
- #endif
- #endif
-Index: git/src/tcsd/tcsd_conf.c
-===================================================================
---- git.orig/src/tcsd/tcsd_conf.c
-+++ git/src/tcsd/tcsd_conf.c
-@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
- #ifndef SOLARIS
- struct group *grp;
- struct passwd *pw;
-- mode_t mode = (S_IRUSR|S_IWUSR);
-+ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
- #endif /* SOLARIS */
- TSS_RESULT result;
-
-@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
- }
-
- /* make sure user/group TSS owns the conf file */
-- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
-+ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
- LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
-- TSS_USER_NAME, TSS_GROUP_NAME);
-+ "root", TSS_GROUP_NAME);
- return TCSERR(TSS_E_INTERNAL_ERROR);
- }
-
-- /* make sure only the tss user can manipulate the config file */
-+ /* make sure only the tss user can read (but not manipulate) the config file */
- if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
-- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
-+ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
- return TCSERR(TSS_E_INTERNAL_ERROR);
- }
- #endif /* SOLARIS */
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index 95e821b..27b4e2f 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -6,7 +6,7 @@
DEPENDS = "openssl"
-SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+SRCREV = "e74dd1d96753b0538192143adf58d04fcd3b242b"
PV = "0.3.14+git${SRCPV}"
SRC_URI = " \
@@ -16,7 +16,6 @@
file://tcsd.service \
file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
- file://0001-Correct-multiple-security-issues-that-are-present-if.patch \
"
S = "${WORKDIR}/git"
@@ -105,6 +104,8 @@
${mandir}/man8 \
"
+FILES_${PN} += "${systemd_unitdir}/*"
+
INITSCRIPT_NAME = "trousers"
INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
deleted file mode 100644
index 2617162..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "An extension to cryptsetup/LUKS that enables use of the TPM 2.0 via tpm2-tss"
-DESCRIPTION = "Cryptsetup is utility used to conveniently setup disk encryption based on DMCrypt kernel module."
-
-SECTION = "security/tpm"
-LICENSE = "LGPL-2.1 | GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=32107dd283b1dfeb66c9b3e6be312326 \
- file://COPYING.LGPL;md5=1960515788100ce5f9c98ea78a65dc52 \
- "
-
-DEPENDS = "autoconf-archive pkgconfig gettext libtss2-dev libdevmapper popt libgcrypt json-c"
-
-SRC_URI = "git://github.com/AndreasFuchsSIT/cryptsetup-tpm-incubator.git;branch=luks2tpm \
- file://configure_fix.patch "
-
-SRCREV = "15c283195f19f1d980e39ba45448683d5e383179"
-
-S = "${WORKDIR}/git"
-
-inherit autotools pkgconfig gettext
-
-PACKAGECONFIG ??= "openssl"
-PACKAGECONFIG[openssl] = "--with-crypto_backend=openssl,,openssl"
-PACKAGECONFIG[gcrypt] = "--with-crypto_backend=gcrypt,,libgcrypt"
-
-EXTRA_OECONF = "--enable-static"
-
-RRECOMMENDS_${PN} = "kernel-module-aes-generic \
- kernel-module-dm-crypt \
- kernel-module-md5 \
- kernel-module-cbc \
- kernel-module-sha256-generic \
- kernel-module-xts \
- "
-
-FILES_${PN} += "${libdir}/tmpfiles.d"
-RDEPENDS_${PN} += "lvm2 libdevmapper"
-RRECOMMENDS_${PN} += "lvm2-udevrules"
-
-RPROVIDES_${PN} = "cryptsetup"
-RREPLACES_${PN} = "cryptsetup"
-RCONFLICTS_${PN} ="cryptsetup"
-
-RPROVIDES_${PN}-dev = "cryptsetup-dev"
-RREPLACES_${PN}-dev = "cryptsetup-dev"
-RCONFLICTS_${PN}-dev ="cryptsetup-dev"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
deleted file mode 100644
index 8c7b6da..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/files/configure_fix.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: git/configure.ac
-===================================================================
---- git.orig/configure.ac
-+++ git/configure.ac
-@@ -16,7 +16,7 @@ AC_CONFIG_HEADERS([config.h:config.h.in]
-
- # For old automake use this
- #AM_INIT_AUTOMAKE(dist-xz subdir-objects)
--AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects])
-+AM_INIT_AUTOMAKE([dist-xz 1.12 serial-tests subdir-objects foreign])
-
- if test "x$prefix" = "xNONE"; then
- sysconfdir=/etc
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
new file mode 100644
index 0000000..f2938e0
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch
@@ -0,0 +1,27 @@
+Fix strict aliasing issue of gcc10
+
+fixes:
+
+TpmFail.c: In function 'TpmLogFailure':
+TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
+ 217 | s_failFunction = *(UINT32 *)&function; /* kgold */
+ | ^~~~~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+Upstream-Status: Submitted
+
+Signed-off-by: Jens Rehsack <sno@NetBSD.org>
+
+Index: src/TpmFail.c
+===================================================================
+--- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200
++++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200
+@@ -214,7 +214,7 @@
+ // On a 64-bit machine, this may truncate the address of the string
+ // of the function name where the error occurred.
+ #if FAIL_TRACE
+- s_failFunction = *(UINT32 *)&function; /* kgold */
++ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */
+ s_failLine = line;
+ #else
+ s_failFunction = 0;
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
deleted file mode 100644
index 2919e2e..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Allow recipe to overide optimization.
-
-fixes:
-
-397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
-| | ^~~~~~~
-| cc1: all warnings being treated as errors
-
-
-Upstream-Status: OE specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: src/makefile
-===================================================================
---- src.orig/makefile
-+++ src/makefile
-@@ -43,7 +43,7 @@ CC = /usr/bin/gcc
- CCFLAGS = -Wall \
- -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
- -Werror -Wsign-compare \
-- -c -ggdb -O0 \
-+ -c -ggdb -O \
- -DTPM_POSIX \
- -D_POSIX_ \
- -DTPM_NUVOTON
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
new file mode 100644
index 0000000..eebddb9
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch
@@ -0,0 +1,50 @@
+1) Allow recipe to overide optimization.
+
+fixes:
+
+397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+| | ^~~~~~~
+| cc1: all warnings being treated as errors
+
+2) Allow recipe to override OE related compile-/link-flags
+
+fixes:
+
+ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags]
+
+Upstream-Status: OE specific
+
+Signed-off-by: Jens Rehsack <sno@NetBSD.org>
+
+Index: src/makefile
+===================================================================
+--- src.orig/makefile
++++ src/makefile
+@@ -38,12 +38,10 @@
+ #################################################################################
+
+
+-CC = /usr/bin/gcc
+-
+ CCFLAGS = -Wall \
+ -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+ -Werror -Wsign-compare \
+- -c -ggdb -O0 \
++ -c -ggdb -O \
+ -DTPM_POSIX \
+ -D_POSIX_ \
+ -DTPM_NUVOTON
+@@ -79,11 +77,11 @@
+ .PRECIOUS: %.o
+
+ tpm_server: $(OBJFILES)
+- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server
++ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server
+
+ clean:
+ rm -f *.o tpm_server *~
+
+ %.o: %.c
+- $(CC) $(CCFLAGS) $< -o $@
++ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
deleted file mode 100644
index 3373a30..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "IBM's Software TPM 2.0"
-LICENSE = "BSD"
-SECTION = "securty/tpm"
-LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
-
-DEPENDS = "openssl"
-
-SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
- file://remove_optimization.patch \
- "
-SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259"
-SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3"
-SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f"
-SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91"
-SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0"
-
-S = "${WORKDIR}/src"
-
-do_compile () {
- make CC='${CC}'
-}
-
-do_install () {
- install -d ${D}/${bindir}
- install -m 0755 tpm_server ${D}/${bindir}
-}
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
new file mode 100644
index 0000000..32afd37
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb
@@ -0,0 +1,39 @@
+SUMMARY = "IBM's Software TPM 2.0"
+DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \
+education, and virtualization. \
+\
+The intent is that an application can be developed using the software TPM. \
+The application should then run using a hardware TPM without changes. \
+Advantages of this approach: \
+* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \
+* Application software errors are easily reversed by simply removing the TPM state and starting over. \
+* Difficult crypto errors are quickly debugged by looking inside the TPM."
+HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl"
+
+SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \
+ file://tune-makefile.patch \
+ file://fix-wrong-cast.patch \
+ "
+SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c"
+SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327"
+SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e"
+SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d"
+SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed"
+
+S = "${WORKDIR}/src"
+
+CFLAGS += "-Wno-error=maybe-uninitialized"
+
+do_compile () {
+ make CC='${CC}'
+}
+
+do_install () {
+ install -d ${D}/${bindir}
+ install -m 0755 tpm_server ${D}/${bindir}
+}
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch
new file mode 100644
index 0000000..8b13fb6
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss/0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch
@@ -0,0 +1,125 @@
+From 26091b7830d84a12308442b238652ee9475d407b Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <sno@netbsd.org>
+Date: Fri, 11 Sep 2020 07:46:41 +0200
+Subject: [PATCH] utils{,12}/Makefile.am: expand wildcards in prereqs
+
+Expand wildcards of required sources to avoid errors like:
+make[2]: *** No rule to make target 'man/man1/*.1', needed by 'all-am'. Stop.
+make[2]: *** Waiting for unfinished jobs....
+
+Upstream-Status: Submitted
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ utils/Makefile.am | 75 +++++++++++++++++++++++++++++++++++++++++++--
+ utils12/Makefile.am | 8 ++++-
+ 2 files changed, 79 insertions(+), 4 deletions(-)
+
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index 1e51fe3..170a26e 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -81,9 +81,78 @@ libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS)
+
+ noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h
+ # install every header in ibmtss
+-nobase_include_HEADERS = ibmtss/*.h
+-
+-notrans_man_MANS = man/man1/*.1
++nobase_include_HEADERS = ibmtss/ActivateCredential_fp.h ibmtss/ActivateIdentity_fp.h ibmtss/BaseTypes.h \
++ ibmtss/CertifyCreation_fp.h ibmtss/Certify_fp.h ibmtss/CertifyX509_fp.h ibmtss/ChangeEPS_fp.h \
++ ibmtss/ChangePPS_fp.h ibmtss/ClearControl_fp.h ibmtss/Clear_fp.h ibmtss/ClockRateAdjust_fp.h \
++ ibmtss/ClockSet_fp.h ibmtss/Commit_fp.h ibmtss/ContextLoad_fp.h ibmtss/ContextSave_fp.h \
++ ibmtss/CreateEndorsementKeyPair_fp.h ibmtss/Create_fp.h ibmtss/CreateLoaded_fp.h \
++ ibmtss/CreatePrimary_fp.h ibmtss/CreateWrapKey_fp.h ibmtss/DictionaryAttackLockReset_fp.h \
++ ibmtss/DictionaryAttackParameters_fp.h ibmtss/Duplicate_fp.h ibmtss/ECC_Parameters_fp.h \
++ ibmtss/ECDH_KeyGen_fp.h ibmtss/ECDH_ZGen_fp.h ibmtss/EC_Ephemeral_fp.h ibmtss/EncryptDecrypt2_fp.h \
++ ibmtss/EncryptDecrypt_fp.h ibmtss/EventSequenceComplete_fp.h ibmtss/EvictControl_fp.h ibmtss/Extend_fp.h \
++ ibmtss/FlushContext_fp.h ibmtss/FlushSpecific_fp.h ibmtss/GetCapability12_fp.h ibmtss/GetCapability_fp.h \
++ ibmtss/GetCommandAuditDigest_fp.h ibmtss/GetRandom_fp.h ibmtss/GetSessionAuditDigest_fp.h \
++ ibmtss/GetTestResult_fp.h ibmtss/GetTime_fp.h ibmtss/Hash_fp.h ibmtss/HashSequenceStart_fp.h \
++ ibmtss/HierarchyChangeAuth_fp.h ibmtss/HierarchyControl_fp.h ibmtss/HMAC_fp.h ibmtss/HMAC_Start_fp.h \
++ ibmtss/Implementation.h ibmtss/Import_fp.h ibmtss/IncrementalSelfTest_fp.h ibmtss/LoadExternal_fp.h \
++ ibmtss/Load_fp.h ibmtss/LoadKey2_fp.h ibmtss/MakeCredential_fp.h ibmtss/MakeIdentity_fp.h ibmtss/NTC_fp.h \
++ ibmtss/NV_Certify_fp.h ibmtss/NV_ChangeAuth_fp.h ibmtss/NV_DefineSpace12_fp.h ibmtss/NV_DefineSpace_fp.h \
++ ibmtss/NV_Extend_fp.h ibmtss/NV_GlobalWriteLock_fp.h ibmtss/NV_Increment_fp.h ibmtss/NV_Read_fp.h \
++ ibmtss/NV_ReadLock_fp.h ibmtss/NV_ReadPublic_fp.h ibmtss/NV_ReadValueAuth_fp.h ibmtss/NV_ReadValue_fp.h \
++ ibmtss/NV_SetBits_fp.h ibmtss/NV_UndefineSpace_fp.h ibmtss/NV_UndefineSpaceSpecial_fp.h ibmtss/NV_Write_fp.h \
++ ibmtss/NV_WriteLock_fp.h ibmtss/NV_WriteValueAuth_fp.h ibmtss/NV_WriteValue_fp.h ibmtss/ObjectChangeAuth_fp.h \
++ ibmtss/OIAP_fp.h ibmtss/OSAP_fp.h ibmtss/OwnerReadInternalPub_fp.h ibmtss/OwnerSetDisable_fp.h \
++ ibmtss/Parameters12.h ibmtss/Parameters.h ibmtss/PCR_Allocate_fp.h ibmtss/PCR_Event_fp.h ibmtss/PCR_Extend_fp.h \
++ ibmtss/PcrRead12_fp.h ibmtss/PCR_Read_fp.h ibmtss/PCR_Reset12_fp.h ibmtss/PCR_Reset_fp.h ibmtss/PCR_SetAuthPolicy_fp.h \
++ ibmtss/PCR_SetAuthValue_fp.h ibmtss/PolicyAuthorize_fp.h ibmtss/PolicyAuthorizeNV_fp.h ibmtss/PolicyAuthValue_fp.h \
++ ibmtss/PolicyCommandCode_fp.h ibmtss/PolicyCounterTimer_fp.h ibmtss/PolicyCpHash_fp.h ibmtss/PolicyDuplicationSelect_fp.h \
++ ibmtss/PolicyGetDigest_fp.h ibmtss/PolicyLocality_fp.h ibmtss/PolicyNameHash_fp.h ibmtss/PolicyNV_fp.h \
++ ibmtss/PolicyNvWritten_fp.h ibmtss/PolicyOR_fp.h ibmtss/PolicyPassword_fp.h ibmtss/PolicyPCR_fp.h \
++ ibmtss/PolicyPhysicalPresence_fp.h ibmtss/PolicyRestart_fp.h ibmtss/PolicySecret_fp.h ibmtss/PolicySigned_fp.h \
++ ibmtss/PolicyTemplate_fp.h ibmtss/PolicyTicket_fp.h ibmtss/PP_Commands_fp.h ibmtss/Quote2_fp.h ibmtss/Quote_fp.h \
++ ibmtss/ReadClock_fp.h ibmtss/ReadPubek_fp.h ibmtss/ReadPublic_fp.h ibmtss/Rewrap_fp.h ibmtss/RSA_Decrypt_fp.h \
++ ibmtss/RSA_Encrypt_fp.h ibmtss/SelfTest_fp.h ibmtss/SequenceComplete_fp.h ibmtss/SequenceUpdate_fp.h \
++ ibmtss/SetAlgorithmSet_fp.h ibmtss/SetCommandCodeAuditStatus_fp.h ibmtss/SetPrimaryPolicy_fp.h ibmtss/Shutdown_fp.h \
++ ibmtss/Sign12_fp.h ibmtss/Sign_fp.h ibmtss/StartAuthSession_fp.h ibmtss/Startup12_fp.h ibmtss/Startup_fp.h \
++ ibmtss/StirRandom_fp.h ibmtss/TakeOwnership_fp.h ibmtss/TestParms_fp.h ibmtss/TPMB.h ibmtss/TpmBuildSwitches.h \
++ ibmtss/tpmconstants12.h ibmtss/tpmstructures12.h ibmtss/tpmtypes12.h ibmtss/TPM_Types.h ibmtss/tsscrypto.h \
++ ibmtss/tsscryptoh.h ibmtss/tsserror12.h ibmtss/tsserror.h ibmtss/tssfile.h ibmtss/tss.h ibmtss/tssmarshal12.h \
++ ibmtss/tssmarshal.h ibmtss/tssprintcmd.h ibmtss/tssprint.h ibmtss/tssresponsecode.h ibmtss/tsstransmit.h \
++ ibmtss/tssutils.h ibmtss/Unmarshal12_fp.h ibmtss/Unmarshal_fp.h ibmtss/Unseal_fp.h ibmtss/VerifySignature_fp.h \
++ ibmtss/ZGen_2Phase_fp.h
++
++notrans_man_MANS = man/man1/tssactivatecredential.1 man/man1/tsscertify.1 man/man1/tsscertifycreation.1 \
++ man/man1/tsscertifyx509.1 man/man1/tsschangeeps.1 man/man1/tsschangepps.1 man/man1/tssclear.1 \
++ man/man1/tssclearcontrol.1 man/man1/tssclockrateadjust.1 man/man1/tssclockset.1 man/man1/tsscommit.1 \
++ man/man1/tsscontextload.1 man/man1/tsscontextsave.1 man/man1/tsscreate.1 man/man1/tsscreateek.1 \
++ man/man1/tsscreateekcert.1 man/man1/tsscreateloaded.1 man/man1/tsscreateprimary.1 \
++ man/man1/tssdictionaryattacklockreset.1 man/man1/tssdictionaryattackparameters.1 man/man1/tssduplicate.1 \
++ man/man1/tsseccparameters.1 man/man1/tssecephemeral.1 man/man1/tssencryptdecrypt.1 man/man1/tsseventextend.1 \
++ man/man1/tsseventsequencecomplete.1 man/man1/tssevictcontrol.1 man/man1/tssflushcontext.1 man/man1/tssgetcapability.1 \
++ man/man1/tssgetcommandauditdigest.1 man/man1/tssgetcryptolibrary.1 man/man1/tssgetrandom.1 \
++ man/man1/tssgetsessionauditdigest.1 man/man1/tssgettestresult.1 man/man1/tssgettime.1 man/man1/tsshash.1 \
++ man/man1/tsshashsequencestart.1 man/man1/tsshierarchychangeauth.1 man/man1/tsshierarchycontrol.1 \
++ man/man1/tsshmac.1 man/man1/tsshmacstart.1 man/man1/tssimaextend.1 man/man1/tssimport.1 man/man1/tssimportpem.1 \
++ man/man1/tssload.1 man/man1/tssloadexternal.1 man/man1/tssmakecredential.1 man/man1/tssntc2getconfig.1 \
++ man/man1/tssntc2lockconfig.1 man/man1/tssntc2preconfig.1 man/man1/tssnvcertify.1 man/man1/tssnvchangeauth.1 \
++ man/man1/tssnvdefinespace.1 man/man1/tssnvextend.1 man/man1/tssnvglobalwritelock.1 man/man1/tssnvincrement.1 \
++ man/man1/tssnvread.1 man/man1/tssnvreadlock.1 man/man1/tssnvreadpublic.1 man/man1/tssnvsetbits.1 \
++ man/man1/tssnvundefinespace.1 man/man1/tssnvundefinespacespecial.1 man/man1/tssnvwrite.1 man/man1/tssnvwritelock.1 \
++ man/man1/tssobjectchangeauth.1 man/man1/tsspcrallocate.1 man/man1/tsspcrevent.1 man/man1/tsspcrextend.1 \
++ man/man1/tsspcrread.1 man/man1/tsspcrreset.1 man/man1/tsspolicyauthorize.1 man/man1/tsspolicyauthorizenv.1 \
++ man/man1/tsspolicyauthvalue.1 man/man1/tsspolicycommandcode.1 man/man1/tsspolicycountertimer.1 \
++ man/man1/tsspolicycphash.1 man/man1/tsspolicyduplicationselect.1 man/man1/tsspolicygetdigest.1 \
++ man/man1/tsspolicymaker.1 man/man1/tsspolicymakerpcr.1 man/man1/tsspolicynamehash.1 man/man1/tsspolicynv.1 \
++ man/man1/tsspolicynvwritten.1 man/man1/tsspolicyor.1 man/man1/tsspolicypassword.1 man/man1/tsspolicypcr.1 \
++ man/man1/tsspolicyrestart.1 man/man1/tsspolicysecret.1 man/man1/tsspolicysigned.1 man/man1/tsspolicytemplate.1 \
++ man/man1/tsspolicyticket.1 man/man1/tsspowerup.1 man/man1/tssprintattr.1 man/man1/tsspublicname.1 \
++ man/man1/tssquote.1 man/man1/tssreadclock.1 man/man1/tssreadpublic.1 man/man1/tssreturncode.1 \
++ man/man1/tssrewrap.1 man/man1/tssrsadecrypt.1 man/man1/tssrsaencrypt.1 man/man1/tsssequencecomplete.1 \
++ man/man1/tsssequenceupdate.1 man/man1/tsssetcommandcodeauditstatus.1 man/man1/tsssetprimarypolicy.1 \
++ man/man1/tssshutdown.1 man/man1/tsssign.1 man/man1/tsssignapp.1 man/man1/tssstartauthsession.1 \
++ man/man1/tssstartup.1 man/man1/tssstirrandom.1 man/man1/tsstimepacket.1 man/man1/tsstpm2pem.1 \
++ man/man1/tsstpmcmd.1 man/man1/tsstpmpublic2eccpoint.1 man/man1/tssunseal.1 man/man1/tssverifysignature.1 \
++ man/man1/tsswriteapp.1 man/man1/tsszgen2phase.1
+
+ if CONFIG_TPM20
+ noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h
+diff --git a/utils12/Makefile.am b/utils12/Makefile.am
+index a01f47c..e9fe61e 100644
+--- a/utils12/Makefile.am
++++ b/utils12/Makefile.am
+@@ -9,7 +9,13 @@ libibmtssutils12_la_CFLAGS = -I$(top_srcdir)/utils
+ # result: [current-age].age.revision
+ libibmtssutils12_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@ ../utils/libibmtss.la
+
+-notrans_man_MANS = man/man1/*.1
++notrans_man_MANS = man/man1/tss1activateidentity.1 man/man1/tss1createekcert.1 man/man1/tss1createendorsementkeypair.1 \
++ man/man1/tss1createwrapkey.1 man/man1/tss1eventextend.1 man/man1/tss1extend.1 man/man1/tss1flushspecific.1 \
++ man/man1/tss1getcapability.1 man/man1/tss1imaextend.1 man/man1/tss1loadkey2.1 man/man1/tss1makeekblob.1 \
++ man/man1/tss1makeidentity.1 man/man1/tss1nvdefinespace.1 man/man1/tss1nvreadvalue.1 man/man1/tss1nvreadvalueauth.1 \
++ man/man1/tss1nvwritevalue.1 man/man1/tss1nvwritevalueauth.1 man/man1/tss1oiap.1 man/man1/tss1osap.1 \
++ man/man1/tss1ownerreadinternalpub.1 man/man1/tss1ownersetdisable.1 man/man1/tss1pcrread.1 man/man1/tss1quote2.1 \
++ man/man1/tss1sign.1 man/man1/tss1startup.1 man/man1/tss1takeownership.1 man/man1/tss1tpminit.1
+ noinst_HEADERS = ekutils12.h
+
+ bin_PROGRAMS = activateidentity createendorsementkeypair createwrapkey extend flushspecific getcapability loadkey2 makeidentity nvdefinespace nvreadvalueauth nvreadvalue nvwritevalueauth nvwritevalue oiap osap ownerreadinternalpub ownersetdisable pcrread quote2 sign startup takeownership tpminit createekcert makeekblob eventextend imaextend
+--
+2.17.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb
new file mode 100644
index 0000000..18ad7eb
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.5.0.bb
@@ -0,0 +1,27 @@
+SUMMARY = "IBM's Software TPM 2.0 TSS"
+DESCRIPTION = "This is a user space TSS for TPM 2.0. It implements the \
+functionality equivalent to (but not API compatible with) the TCG TSS \
+working group's ESAPI, SAPI, and TCTI API's (and perhaps more) but with a \
+hopefully simpler interface. \
+It comes with over 110 'TPM tools' samples that can be used for scripted \
+apps, rapid prototyping, education, and debugging. \
+It also comes with a web based TPM interface, suitable for a demo to an \
+audience that is unfamiliar with TCG technology. It is also useful for \
+basic TPM management."
+HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmtss2.html"
+LICENSE = "BSD"
+SECTION = "securty/tpm"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f"
+
+DEPENDS = "openssl ibmswtpm2"
+
+inherit autotools pkgconfig
+
+SRCREV = "aa6c6ec83793ba21782033c03439977c26d3cc87"
+SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \
+ file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \
+ "
+
+EXTRA_OECONF = "--disable-tpm-1.2"
+
+S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
index f9ea376..187aeae 100644
--- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
@@ -1,26 +1,34 @@
DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
-# We want a clean, minimal image.
-IMAGE_FEATURES = ""
+inherit core-image
PACKAGE_INSTALL = " \
- initramfs-dm-verity \
base-files \
+ base-passwd \
busybox \
- util-linux-mount \
- udev \
cryptsetup \
+ initramfs-module-dmverity \
+ initramfs-module-udev \
lvm2-udevrules \
+ udev \
+ util-linux-mount \
"
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
# Can we somehow inspect reverse dependencies to avoid these variables?
-do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_image[nostamp] = "1"
IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
-inherit core-image
-
deploy_verity_hash() {
- install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env
+ install -D -m 0644 \
+ ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+ ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
}
-ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;"
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb
deleted file mode 100644
index b614956..0000000
--- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-SRC_URI = "file://init-dm-verity.sh"
-
-do_install() {
- install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init
- install -d ${D}/dev
- mknod -m 622 ${D}/dev/console c 5 1
-}
-
-FILES_${PN} = "/init /dev/console"
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
deleted file mode 100644
index 307d2c7..0000000
--- a/meta-security/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-RDEV=""
-ROOT_DIR="/new_root"
-
-mkdir -p /proc
-mkdir -p /sys
-mkdir -p /run
-mkdir -p /tmp
-mount -t proc proc /proc
-mount -t sysfs sysfs /sys
-mount -t devtmpfs none /dev
-
-udevd --daemon
-udevadm trigger --type=subsystems --action=add
-udevadm trigger --type=devices --action=add
-udevadm settle --timeout=10
-
-for PARAM in $(cat /proc/cmdline); do
- case $PARAM in
- root=*)
- RDEV=${PARAM#root=}
- ;;
- esac
-done
-
-if ! [ -b $RDEV ]; then
- echo "Missing root command line argument!"
- exit 1
-fi
-
-case $RDEV in
- UUID=*)
- RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=})
- ;;
-esac
-
-. /usr/share/dm-verity.env
-
-echo "Mounting $RDEV over dm-verity as the root filesystem"
-
-veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH
-mkdir -p $ROOT_DIR
-mount -o ro /dev/mapper/rootfs $ROOT_DIR
-exec switch_root $ROOT_DIR /sbin/init
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
new file mode 100644
index 0000000..bb07aab
--- /dev/null
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+dmverity_enabled() {
+ return 0
+}
+
+dmverity_run() {
+ DATA_SIZE="__not_set__"
+ ROOT_HASH="__not_set__"
+
+ . /usr/share/misc/dm-verity.env
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+
+ if ! [ -b "${RDEV}" ]; then
+ echo "Root device resolution failed"
+ exit 1
+ fi
+
+ veritysetup \
+ --data-block-size=1024 \
+ --hash-offset=${DATA_SIZE} \
+ create rootfs \
+ ${RDEV} \
+ ${RDEV} \
+ ${ROOT_HASH}
+
+ mount \
+ -o ro \
+ /dev/mapper/rootfs \
+ ${ROOTFS_DIR} || exit 2
+}
diff --git a/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
new file mode 100644
index 0000000..dad9c96
--- /dev/null
+++ b/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
@@ -0,0 +1,16 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI_append = "\
+ file://dmverity \
+"
+
+do_install_append() {
+ # dm-verity
+ install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES_append = " initramfs-module-dmverity"
+
+SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS_initramfs-module-dmverity = "${PN}-base"
+FILES_initramfs-module-dmverity = "/init.d/80-dmverity"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index c6342fd..1d01800 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -9,6 +9,8 @@
packagegroup-core-security \
packagegroup-security-utils \
packagegroup-security-scanners \
+ packagegroup-security-audit \
+ packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
"
@@ -16,6 +18,8 @@
RDEPENDS_packagegroup-core-security = "\
packagegroup-security-utils \
packagegroup-security-scanners \
+ packagegroup-security-audit \
+ packagegroup-security-hardening \
packagegroup-security-ids \
packagegroup-security-mac \
"
@@ -23,18 +27,23 @@
SUMMARY_packagegroup-security-utils = "Security utilities"
RDEPENDS_packagegroup-security-utils = "\
checksec \
+ ding-libs \
+ ecryptfs-utils \
+ fscryptctl \
+ keyutils \
nmap \
pinentry \
+ python3-privacyidea \
+ python3-fail2ban \
python3-scapy \
- ding-libs \
- keyutils \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
"
SUMMARY_packagegroup-security-scanners = "Security scanners"
RDEPENDS_packagegroup-security-scanners = "\
+ isic \
nikto \
checksecurity \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
@@ -55,7 +64,7 @@
RDEPENDS_packagegroup-security-ids = " \
tripwire \
samhain-standalone \
- suricata \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \
"
SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
index 39d4e6f..fa536d0 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -1,2 +1,3 @@
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
diff --git a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend
index 39d4e6f..fa536d0 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/meta-security/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,2 +1,3 @@
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
index 552cac7..dcdc1f7 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -30,6 +30,8 @@
PARALLEL_MAKE = ""
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
REQUIRED_DISTRO_FEATURES = "apparmor"
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
index 770186a..47fbae4 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.101.5.bb
@@ -23,7 +23,7 @@
S = "${WORKDIR}/git"
LEAD_SONAME = "libclamav.so"
-SO_VER = "9.0.2"
+SO_VER = "9.0.4"
inherit autotools pkgconfig useradd systemd multilib_header multilib_script
diff --git a/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
new file mode 100644
index 0000000..b64670c
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch
@@ -0,0 +1,34 @@
+From d54aa109600bcd02bf72cfe64c01935890a102a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonatan=20P=C3=A5lsson?= <jonatan.p@gmail.com>
+Date: Fri, 21 Aug 2020 14:45:10 +0200
+Subject: [PATCH] build: Don't use AC_CHECK_FILE when building manpages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AC_CHECK_FILE does not support cross-compilation, and will only check
+the host rootfs. Replace AC_CHECK_FILE with a 'test -f <FILE>' instead,
+to allow building manpages when cross-compiling.
+
+Upstream-status: Submitted [https://github.com/SSSD/sssd/pull/5289]
+Signed-off-by: Jonatan Pålsson <jonatan.p@gmail.com>
+---
+ src/external/docbook.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
+index deb8632fa..acdc89a68 100644
+--- a/src/external/docbook.m4
++++ b/src/external/docbook.m4
+@@ -18,7 +18,7 @@ dnl Checks if the XML catalog given by FILE exists and
+ dnl if a particular URI appears in the XML catalog
+ AC_DEFUN([CHECK_STYLESHEET],
+ [
+- AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
++ AS_IF([test -f "$1"], [], [AC_MSG_ERROR([could not find XML catalog])])
+
+ AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
+ if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
+--
+2.26.1
+
diff --git a/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
new file mode 100644
index 0000000..c319269
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/0001-nss-Collision-with-external-nss-symbol.patch
@@ -0,0 +1,78 @@
+From 05c315100a70d3372e891e9a0ea981a875b2ec90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Thu, 27 Feb 2020 06:50:40 +0100
+Subject: [PATCH] nss: Collision with external nss symbol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+One of our internal static function names started
+to collide with external nss symbol. Additional
+sss_ suffix was added to avoid the collision.
+
+This is needed to unblock Fedora Rawhide's
+SSSD build.
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd.git]
+Signed-off-by: Hongxu.jia@windriver.com
+Signed-off-by: Qi.Chen@windriver.com
+---
+ src/responder/nss/nss_cmd.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
+index 25e663ed5..a4d4cfc0b 100644
+--- a/src/responder/nss/nss_cmd.c
++++ b/src/responder/nss/nss_cmd.c
+@@ -728,11 +728,13 @@ done:
+ talloc_free(cmd_ctx);
+ }
+
+-static void nss_setnetgrent_done(struct tevent_req *subreq);
++static void sss_nss_setnetgrent_done(struct tevent_req *subreq);
+
+-static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+- enum cache_req_type type,
+- nss_protocol_fill_packet_fn fill_fn)
++/* This function's name started to collide with external nss symbol,
++ * so it has additional sss_* prefix unlike other functions here. */
++static errno_t sss_nss_setnetgrent(struct cli_ctx *cli_ctx,
++ enum cache_req_type type,
++ nss_protocol_fill_packet_fn fill_fn)
+ {
+ struct nss_ctx *nss_ctx;
+ struct nss_state_ctx *state_ctx;
+@@ -774,7 +776,7 @@ static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx,
+ goto done;
+ }
+
+- tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx);
++ tevent_req_set_callback(subreq, sss_nss_setnetgrent_done, cmd_ctx);
+
+ ret = EOK;
+
+@@ -787,7 +789,7 @@ done:
+ return EOK;
+ }
+
+-static void nss_setnetgrent_done(struct tevent_req *subreq)
++static void sss_nss_setnetgrent_done(struct tevent_req *subreq)
+ {
+ struct nss_cmd_ctx *cmd_ctx;
+ errno_t ret;
+@@ -1037,8 +1039,8 @@ static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx)
+
+ static errno_t nss_cmd_setnetgrent(struct cli_ctx *cli_ctx)
+ {
+- return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
+- nss_protocol_fill_setnetgrent);
++ return sss_nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME,
++ nss_protocol_fill_setnetgrent);
+ }
+
+ static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx)
+--
+2.21.0
+
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 2c3c803..e54fa98 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -17,6 +17,8 @@
file://sssd.conf \
file://volatiles.99_sssd \
file://fix-ldblibdir.patch \
+ file://0001-build-Don-t-use-AC_CHECK_FILE-when-building-manpages.patch \
+ file://0001-nss-Collision-with-external-nss-symbol.patch \
"
SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
@@ -41,7 +43,7 @@
PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
@@ -60,6 +62,7 @@
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
--without-secrets \
+ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
"
do_configure_prepend() {
diff --git a/meta-security/scripts/upload-error-report b/meta-security/scripts/upload-error-report
new file mode 100755
index 0000000..56bd24e
--- /dev/null
+++ b/meta-security/scripts/upload-error-report
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+ERR_REPORT_USERNAME=$1
+ERR_REPORT_EMAIL=$2
+BUILDDIR=$3
+
+shift
+shift
+shift
+
+if [ ! -e $BUILDDIR ]; then
+ exit 0
+fi
+
+cd $BUILDDIR/../poky
+
+if [ -d $BUILDDIR/tmp/log/error-report/ ]; then
+ echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
+ echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
+
+ . ./oe-init-build-env $BUILDDIR
+
+ for x in `ls $BUILDDIR/tmp/log/error-report/ | grep error_report_`; do
+ send-error-report -y tmp/log/error-report/$x
+ done
+fi
diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index cd1702e..658018b 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -11,5 +11,5 @@
# This .wks only works with the dm-verity-img class.
part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
bootloader --append="console=ttyS0,115200"