subtree updates

meta-security: 53c5cc794f..ddf301c45c:
  Adrian Zaharia (1):
        libmhash: fix multilib header conflict - mutils/mhash_config.h

  Alexander Kanavin (1): rename to avoid clashes with oe-core

  Armin Kuster (15):
        meta-tpm: rename recipes-tpm to recipes-tpm1
        recipes-tpm: use this for common tpm recipes
        swtpm: update to 0.8.0
        libtpm: update to 0.9.6
        ossec-hids: update to tip of 3.7.0
        libhtp: update to 0.5.43
        suricata: update to 6.0.11
        fscryptctl: update to 1.0.1
        oeqa: fix hash test to match new changes
        integrity-image-minimal: adapt QEMU cmdline to new changes
        lynis: Add decoding OE and Poky
        os-release.bbappend: drop now CPE_NAME is in core
        openembedded-release: drop as os-release does this now
        tpm2-tss: drop vendor from PACKAGECONFIG
        packagegroup-security-tpm2: restore pkgs removed earlier

  Paul Gortmaker (4):
        dm-verity: ensure people don't ignore the DISTRO_FEATURES warning
        dm-verity: don't make read-only-rootfs sound like a requirement
        dm-verity: document the meta-intel dependency in the systemd example
        dm-verity: add x86-64 systemd based example instructions

  Peter Hoyes (1):
        meta-parsec/layer.conf: Insert addpylib declaration

  Peter Kjellerstedt (1):
        tpm2-tools: Remove unnecessary and optional dependencies

  Stefan Berger (12):
        ima: Document and replace keys and adapt scripts for EC keys
        ima: Fix the ima_policy_appraise_all to appraise executables & libraries
        ima: Fix the IMA kernel feature
        ima: Sign all executables and the ima-policy in the root filesystem
        integrity: Update the README for IMA support
        linux: overlayfs: Add kernel patch resolving a file change notification issue
        ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
        linux: overlayfs: Drop kernel patch resolving a file change notification issue
        ima: Drop kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg
        integrity: Fix the do_configure function
        integrity: Rename linux-%.bbappend to linux-yocto%.bbappend

meta-raspberrypi: bf948e0aa8..928bb234bb:
  Martin Jansa (3):
        rpi-libcamera-apps: fix flags used in aarch64 builds
        rpi-libcamera-apps: fix version generation on hosts with older python
        rpi-libcamera-apps: bump to latest SRCREV and set PV

meta-arm: 0b5724266a..f9d80e1a14:
  Emekcan Aras (2):
        arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
        arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
Signed-off-by: Andrew Geissler <>
Change-Id: I56f7d26070d879e3138618332841c30cf57eb7d9
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..98c4bc1 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@
 # with a .x509 suffix. See linux-%.bbappend for details.
 # ima-local-ca.x509 is what creates.
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 # Sign all regular files by default.
 IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
@@ -31,6 +31,9 @@
 # Avoid re-generating fstab when ima is enabled.
 WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
 ima_evm_sign_rootfs () {
     cd ${IMAGE_ROOTFS}
@@ -59,17 +62,32 @@
        perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
-    # Sign file with private IMA key. EVM not supported at the moment.
-    bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
-    find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
-    bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
-    find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+    # Detect 32bit target to pass --m32 to evmctl by looking at libc
+    tmp="$(file "${IMAGE_ROOTFS}/lib/" | grep -o 'ELF .*-bit')"
+    if [ "${tmp}" = "ELF 32-bit" ]; then
+        evmctl_param="--m32"
+    elif [ "${tmp}" = "ELF 64-bit" ]; then
+        evmctl_param=""
+    else
+        bberror "Unknown target architecture bitness: '${tmp}'" >&2
+        exit 1
+    fi
+    bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+    evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+    # check signing key and signature verification key
+    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/" || exit 1
+    evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/" || exit 1
     # Optionally install custom policy for loading by systemd.
-    if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+    if [ "${IMA_EVM_POLICY}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
-        install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+        install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+        bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+        evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"