[yocto] [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip

Armin Kuster akuster808 at gmail.com
Sun May 26 21:56:31 PDT 2019


update to tip
backported patches to fix build issues.
fix native support

Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../ima-evm-utils/ima-evm-utils.inc           | 19 ------
 ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++++++++++++++++++
 ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43 ++++++++++++
 ...clude-hash-info.gen-into-distributio.patch | 31 +++++++++
 ...ma-evm-utils-update-.gitignore-files.patch | 34 ++++++++++
 .../ima-evm-utils/ima-evm-utils_git.bb        | 30 ++++++++-
 6 files changed, 200 insertions(+), 22 deletions(-)
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
deleted file mode 100644
index 72a13f7..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils.inc
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS = " \
-openssl \
-attr \
-keyutils \
-pkgconfig \
-"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS_${PN}_append_class-target = " util-linux-blkid"
-
-inherit autotools
-
-BBCLASSEXTEND = "native"
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
new file mode 100644
index 0000000..5ccb73d
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
@@ -0,0 +1,65 @@
+From 4feaf9b61f93e4043eca26b4ec9f9f68d0cf5e68 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+Date: Wed, 6 Mar 2019 01:08:43 +0300
+Subject: [PATCH 1/4] ima-evm-utils: link to libcrypto instead of OpenSSL
+
+There is no need to link to full libssl. evmctl uses functions from
+libcrypto, so let's link only against that library.
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+---
+ configure.ac    | 4 +---
+ src/Makefile.am | 9 ++++-----
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 60f3684..32e8d85 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -24,9 +24,7 @@ LT_INIT
+ # Checks for header files.
+ AC_HEADER_STDC
+ 
+-PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
+-AC_SUBST(OPENSSL_CFLAGS)
+-AC_SUBST(OPENSSL_LIBS)
++PKG_CHECK_MODULES(LIBCRYPTO, [libcrypto >= 0.9.8 ])
+ AC_SUBST(KERNEL_HEADERS)
+ AC_CHECK_HEADER(unistd.h)
+ AC_CHECK_HEADERS(openssl/conf.h)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index d74fc6f..b81281a 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,11 +1,11 @@
+ lib_LTLIBRARIES = libimaevm.la
+ 
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
++libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+-libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
++libimaevm_la_LIBADD =  $(LIBCRYPTO_LIBS)
+ 
+ include_HEADERS = imaevm.h
+ 
+@@ -17,12 +17,11 @@ hash_info.h: Makefile
+ bin_PROGRAMS = evmctl
+ 
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
++evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+-evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
++evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+ 
+ INCLUDES = -I$(top_srcdir) -include config.h
+ 
+ CLEANFILES = hash_info.h
+ DISTCLEANFILES = @DISTCLEANFILES@
+-
+-- 
+2.17.1
+
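Review bot: The header of this added patch file (From/Date/Subject/Signed-off-by) has no `Upstream-Status:` line, and the same is true of the 0002, 0003 and 0004 patch files added below. The commit message calls these backports, so each header should record that, e.g. `Upstream-Status: Backport [<upstream commit id>]`, so that a later SRCREV bump can tell which carried patches are already upstream and drop them. For a tool that produces IMA/EVM signatures, traceable provenance for every carried change also makes the recipe easier to audit. The 0004 patch touches only .gitignore files and appears to have no effect on the build output, so it may not need to be carried at all.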
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
new file mode 100644
index 0000000..8237274
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
@@ -0,0 +1,43 @@
+From 5bb10f3da420f4c46e44423276a9da0d4bc1b691 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+Date: Wed, 6 Mar 2019 01:17:12 +0300
+Subject: [PATCH 2/4] ima-evm-utils: replace INCLUDES with AM_CPPFLAGS
+
+Replace INCLUDES variable with AM_CPPFLAGS to stop Automake from warning
+about deprecated variable usage.
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+---
+ src/Makefile.am | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index b81281a..164e7e4 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1,7 +1,7 @@
+ lib_LTLIBRARIES = libimaevm.la
+ 
+ libimaevm_la_SOURCES = libimaevm.c
+-libimaevm_la_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
++libimaevm_la_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+ # current[:revision[:age]]
+ # result: [current-age].age.revision
+ libimaevm_la_LDFLAGS = -version-info 0:0:0
+@@ -17,11 +17,11 @@ hash_info.h: Makefile
+ bin_PROGRAMS = evmctl
+ 
+ evmctl_SOURCES = evmctl.c
+-evmctl_CPPFLAGS = $(LIBCRYPTO_CFLAGS)
++evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS)
+ evmctl_LDFLAGS = $(LDFLAGS_READLINE)
+ evmctl_LDADD =  $(LIBCRYPTO_LIBS) -lkeyutils libimaevm.la
+ 
+-INCLUDES = -I$(top_srcdir) -include config.h
++AM_CPPFLAGS = -I$(top_srcdir) -include config.h
+ 
+ CLEANFILES = hash_info.h
+ DISTCLEANFILES = @DISTCLEANFILES@
+-- 
+2.17.1
+
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
new file mode 100644
index 0000000..3d250d2
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
@@ -0,0 +1,31 @@
+From c587ec307a6259a990bfab727cea7db28dba4c23 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+Date: Wed, 6 Mar 2019 01:22:30 +0300
+Subject: [PATCH 3/4] ima-evm-utils: include hash-info.gen into distribution
+
+Include hash-info.gen into tarball and call it from the sourcedir to fix
+out-of-tree build (and thus 'make distcheck').
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+---
+ src/Makefile.am | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 164e7e4..9c037e2 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -11,8 +11,9 @@ include_HEADERS = imaevm.h
+ 
+ nodist_libimaevm_la_SOURCES = hash_info.h
+ BUILT_SOURCES = hash_info.h
++EXTRA_DIST = hash_info.gen
+ hash_info.h: Makefile
+-	./hash_info.gen $(KERNEL_HEADERS) >$@
++	$(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@
+ 
+ bin_PROGRAMS = evmctl
+ 
+-- 
+2.17.1
+
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
new file mode 100644
index 0000000..4ada1a2
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
@@ -0,0 +1,34 @@
+From b9f327c5c513ccea9cb56d4bbd50c1f66d629099 Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+Date: Wed, 6 Mar 2019 01:24:04 +0300
+Subject: [PATCH 4/4] ima-evm-utils: update .gitignore files
+
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov at gmail.com>
+---
+ .gitignore     | 1 +
+ src/.gitignore | 1 +
+ 2 files changed, 2 insertions(+)
+ create mode 100644 src/.gitignore
+
+diff --git a/.gitignore b/.gitignore
+index ca7a06e..cb82166 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -45,6 +45,7 @@ cscope.*
+ ncscope.*
+ 
+ # Generated documentation
++*.1
+ *.8
+ *.5
+ manpage.links
+diff --git a/src/.gitignore b/src/.gitignore
+new file mode 100644
+index 0000000..38e8e3c
+--- /dev/null
++++ b/src/.gitignore
+@@ -0,0 +1 @@
++hash_info.h
+-- 
+2.17.1
+
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 8a9999f..929d853 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -1,9 +1,14 @@
-require ima-evm-utils.inc
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS_class-native += "openssl-native keyutils-native"
 
 PV = "1.0+git${SRCPV}"
-SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7"
+SRCREV = "0267fa16990fd0ddcc89984a8e55b27d43e80167"
 SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils"
-S = "${WORKDIR}/git"
 
 # Documentation depends on asciidoc, which we do not have, so
 # do not build documentation.
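Review bot: `DEPENDS_class-native += "openssl-native keyutils-native"` does not append to `DEPENDS` for native builds. `+=` on an override-suffixed name builds a separate `DEPENDS_class-native` value, which replaces the recipe's `DEPENDS` when the override applies, so `attr` is dropped from the native dependency list. With `BBCLASSEXTEND` providing the native variant, the entries in the plain `DEPENDS` line are normally remapped to their `-native` forms already, so the line can probably be removed. If an explicit addition is wanted, use `DEPENDS_append_class-native = " openssl-native keyutils-native"`. The override also does nothing for the `nativesdk` variant that the last line of the recipe adds.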
@@ -15,3 +20,22 @@ SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
 
 # Required for xargs with more than one path as argument (better for performance).
 SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
+
+SRC_URI += "\
+    file://0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch \
+    file://0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch \
+    file://0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch \
+    file://0004-ima-evm-utils-update-.gitignore-files.patch \
+"
+S = "${WORKDIR}/git"
+
+inherit pkgconfig autotools
+
+EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS_${PN}_append_class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
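Review bot: `--with-kernel-headers=${STAGING_KERNEL_BUILDDIR}` points configure at the kernel's shared build directory, but nothing in the visible lines makes this recipe wait for the kernel to populate it; lines 15-19 of the recipe are outside the hunks, so this may be handled there. If it is not, add a task dependency such as `do_configure[depends] += "virtual/kernel:do_shared_workdir"`, otherwise the headers that `hash_info.gen` reads to generate `hash_info.h` depend on build ordering. Separately, the comment above `RDEPENDS_${PN}_append_class-target` still explains only blkid, while the line now also adds `libcrypto attr libattr keyutils`. Shared-library runtime dependencies are normally detected automatically, so either drop the extra entries or extend the comment to say why they are listed.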
-- 
2.17.1


