Re: [yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
thanks, merged.

On 4/7/22 09:31, Anton Antonov wrote:
Re: [yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
I just branched for kirkstone. Should this be backported? -armin

On 4/7/22 09:31, Anton Antonov wrote:
[yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2
Signed-off-by: Anton Antonov --- meta-parsec/README.md | 36 ++- .../parsec-service/files/systemd.patch| 21 +- .../parsec-service/parsec-service_0.8.1.inc | 246 -- ...rvice_0.8.1.bb => parsec-service_1.0.0.bb} | 12 +- .../parsec-service/parsec-service_1.0.0.inc | 232 + ...sec-tool_0.5.1.bb => parsec-tool_0.5.2.bb} | 0 ...c-tool_0.5.1.inc => parsec-tool_0.5.2.inc} | 148 +-- 7 files changed, 351 insertions(+), 344 deletions(-) delete mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_0.8.1.bb => parsec-service_1.0.0.bb} (96%) create mode 100644 meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.bb => parsec-tool_0.5.2.bb} (100%) rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.inc => parsec-tool_0.5.2.inc} (61%) diff --git a/meta-parsec/README.md b/meta-parsec/README.md index 85e0d10..97026ea 100644 --- a/meta-parsec/README.md +++ b/meta-parsec/README.md 
@@ -43,20 +43,34 @@ local.conf: IMAGE_INSTALL:append = " parsec-service" By default the Parsec service will be deployed into the image with -TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in -and with the default config file from the Parsec repository: -https://github.com/parallaxsecond/parsec/blob/main/config.toml +PKCS11 and MBED-CRYPTO providers build-in. + The TPM provider will also be built by default if: +- DISTRO_FEATURES contains "tmp2" and +- "tpm-layer" (meta-tpm) is included in BBLAYERS - You can use PACKAGECONFIG for Parsec servic recipe to define -what providers should be built in. For example, -PACKAGECONFIG:pn-parsec-service = "TPM" +You can use PACKAGECONFIG for Parsec servic recipe to define +what providers should be built in. For example: - The default Parsec service config file contains the MbedCrypto provider -enabled. The config file needs to be updated to use the Parsec service -with other providers like TPM or PKCS11. The required procedures are -covered in Parsec documentation. -https://parallaxsecond.github.io/parsec-book/ +PACKAGECONFIG:pn-parsec-service = "TS" + + +The default Parsec service config file is taken from the Parsec repository: +https://github.com/parallaxsecond/parsec/blob/main/config.toml +This config file contains the MbedCrypto provider enabled. +The config needs to be updated to use the Parsec service +with other providers like TPM or PKCS11. The required changes are +covered in Parsec documentation https://parallaxsecond.github.io/parsec-book/ + + PARSEC_CONFIG can be used in a bbappend file to replace the default config. +For example: + +``` +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +SRC_URI += "file://config-TS.toml \ + " +PARSEC_CONFIG = "${WORKDIR}/config-TS.toml" +``` Updating recipes diff --git a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch index c01ff06..2525898 100644 
--- a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch +++ b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch @@ -4,16 +4,25 @@ Run the Parsec service as parsec user in /var/lib/parsec/ working directory. Signed-off-by: Anton Antonov Upstream-Status: Inappropriate [deployment configuration] a/systemd-daemon/parsec.service2021-03-28 18:34:18.703196235 +0100 -+++ b/systemd-daemon/parsec.service2021-03-28 18:35:14.279830299 +0100 -@@ -3,7 +3,9 @@ +diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service +index c07c3b9..a6fe6a3 100644 +--- a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service +@@ -3,13 +3,15 @@ Description=Parsec Service Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html - + [Service] -WorkingDirectory=/home/parsec/ +User=parsec +Group=parsec +WorkingDirectory=/var/lib/parsec/ ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml - - [Install] + # Systemd hardening + ProtectSystem=full + ProtectHome=true + ProtectHostname=true +-ProtectKernelTunables=true ++#ProtectKernelTunables=true + ProtectKernelModules=true + ProtectKernelLogs=true + ProtectControlGroups=true diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc deleted file mode 100644 index fd88e87..000 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc +++ /dev/null @@ -1,246 +0,0 @@ -# This file is created from parsec-service repository Cargo.lock using cargo-bitbake tool - -SRC_URI += " \ -crate://crates.io/addr2line/0.15.2 \ -crate://crates.io/adler/1.0.2 \ -crate://crates.io/aho-corasick/0.7.15 \ -crate://crates.io/ansi_term/0.11.0 \ -
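Review bot: in the README hunk (@@ -43,20 +43,34 @@), the added line "+- DISTRO_FEATURES contains "tmp2" and" has a typo: the meta-tpm distro feature is "tpm2", so a reader who copies "tmp2" into local.conf will not get the TPM provider built by default. Two smaller points in the same hunk: the bbappend example's "+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"" uses the legacy override syntax while the rest of this README already uses the new one ("IMAGE_INSTALL:append", "PACKAGECONFIG:pn-parsec-service"); newer BitBake rejects the old form at parse time, so it should read "FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"". And the rewritten sentence "+You can use PACKAGECONFIG for Parsec servic recipe" carries the "servic" typo over from the removed line, and "providers build-in" should read "built in".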
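Review bot: in the systemd.patch hunk (@@ -4,16 +4,25 @@), the refreshed patch now adds "++#ProtectKernelTunables=true", i.e. it comments out a hardening directive that the upstream unit enables, but neither the patch description ("Run the Parsec service as parsec user in /var/lib/parsec/ working directory.") nor the commit message says why. Please add the reason to the patch header (which provider or device access fails with the directive on), and if only one provider needs it, consider applying the relaxation only when that PACKAGECONFIG is selected rather than weakening the unit for every build; the change also sits uneasily under "Upstream-Status: Inappropriate [deployment configuration]", which describes the user and working-directory change but not a relaxed sandbox. Separately, the new inner header shows up here as "+--- a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service" with no "+++" line; if that is the file's actual content rather than an artifact of the archive rendering, the patch will not apply.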
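Review bot: the hunk deleting parsec-service_0.8.1.inc (@@ -1,246 +0,0 @@) drops the whole crate list, and the diffstat shows parsec-service_1.0.0.inc (232 +) and parsec-tool_0.5.2.inc (148 +--) replacing it with new "crate://" URIs, yet the commit message is empty apart from the Signed-off-by. Since the removed "-#" comment says the list is generated from the upstream Cargo.lock with cargo-bitbake, the message should name the upstream tags the new lists were regenerated from so the dependency set can be reproduced and reviewed, and should summarise the user-visible changes in the same commit (the new "TS" PACKAGECONFIG, the changed default providers in the README, and the hardening change in parsec.service).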