[yocto] [meta-security][PATCH 00/14] Port over meta-integrity
Armin Kuster
akuster808 at gmail.com
Sun May 26 21:56:27 PDT 2019
Copied meta-integrity from meta-intel-iot-security that Intel created,
to carry on maintenance.
This updates that code base to work on master.
The runtime test passes on Arm hardware and qemux86-64.
Armin Kuster (14):
meta-integrity: port over from meta-intel-iot-security
layer.conf: add LAYERSERIES_COMPAT
README: update
ima-evm-utils: cleanup and update to tip
ima.cfg: update to 5.0 kernel
linux: update bbappend
base-files: add appending to automount securityfs
ima-policy-hashed: add new recipe
ima_policy_simple: add another sample policy
policy: add ima appraise all policy
data: remove policies
initramfs: clean up to pull in packages.
runtime qa: moderize ima test
image: add image for testing
meta-integrity/README.md | 250 ++++++++++++++++++
meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++++++
meta-integrity/conf/layer.conf | 24 ++
.../data/debug-keys/privkey_ima.pem | 16 ++
meta-integrity/data/debug-keys/x509_ima.der | Bin 0 -> 707 bytes
meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++++++++
.../base-files/base-files-ima.inc | 5 +
.../base-files/base-files_%.bbappend | 1 +
.../images/integrity-image-minimal.bb | 22 ++
.../initrdscripts/initramfs-framework-ima.bb | 28 ++
.../initrdscripts/initramfs-framework-ima/ima | 52 ++++
.../packagegroup-ima-evm-utils.bb | 9 +
.../systemd/files/machine-id-commit-sync.conf | 2 +
.../systemd/files/random-seed-sync.conf | 3 +
.../recipes-core/systemd/systemd_%.bbappend | 13 +
.../recipes-kernel/linux/linux-%.bbappend | 3 +
.../0001-ima-fix-ima_inode_post_setattr.patch | 51 ++++
...for-creating-files-using-the-mknodat.patch | 138 ++++++++++
...-file-hash-setting-by-user-to-fix-an.patch | 60 +++++
.../recipes-kernel/linux/linux/ima.cfg | 18 ++
.../linux/linux/ima_evm_root_ca.cfg | 3 +
...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++++
...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 +++
...clude-hash-info.gen-into-distributio.patch | 31 +++
...ma-evm-utils-update-.gitignore-files.patch | 34 +++
...nd-line-apply-operation-to-all-paths.patch | 68 +++++
.../ima-evm-utils/disable-doc-creation.patch | 50 ++++
...t-depend-on-xattr.h-with-IMA-defines.patch | 47 ++++
.../ima-evm-utils/ima-evm-utils_git.bb | 41 +++
.../files/ima_policy_appraise_all | 29 ++
.../ima-policy-appraise-all_1.0.bb | 18 ++
.../ima_policy_hashed/files/ima_policy_hashed | 77 ++++++
.../ima-policy-hashed_1.0.bb | 20 ++
.../ima_policy_simple/files/ima_policy_simple | 4 +
.../ima-policy-simple_1.0.bb | 18 ++
meta-integrity/scripts/ima-gen-CA-signed.sh | 48 ++++
meta-integrity/scripts/ima-gen-local-ca.sh | 42 +++
meta-integrity/scripts/ima-gen-self-signed.sh | 41 +++
38 files changed, 1595 insertions(+)
create mode 100644 meta-integrity/README.md
create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass
create mode 100644 meta-integrity/conf/layer.conf
create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem
create mode 100644 meta-integrity/data/debug-keys/x509_ima.der
create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py
create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc
create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend
create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb
create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend
create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend
create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
create mode 100644 meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
create mode 100644 meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
create mode 100755 meta-integrity/scripts/ima-gen-CA-signed.sh
create mode 100755 meta-integrity/scripts/ima-gen-local-ca.sh
create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
--
2.17.1