Re: [yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2

2022-04-14 Thread Armin Kuster

thanks,
merged.

On 4/7/22 09:31, Anton Antonov wrote:


Re: [yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2

2022-04-07 Thread Armin Kuster

I just branched for kirkstone. Should this be backported?

-armin

On 4/7/22 09:31, Anton Antonov wrote:


[yocto] [meta-security][PATCH] Upgrade parsec-service to 1.0.0 and parsec-tool to 0.5.2

2022-04-07 Thread Anton Antonov
Signed-off-by: Anton Antonov 
---
 meta-parsec/README.md |  36 ++-
 .../parsec-service/files/systemd.patch|  21 +-
 .../parsec-service/parsec-service_0.8.1.inc   | 246 --
 ...rvice_0.8.1.bb => parsec-service_1.0.0.bb} |  12 +-
 .../parsec-service/parsec-service_1.0.0.inc   | 232 +
 ...sec-tool_0.5.1.bb => parsec-tool_0.5.2.bb} |   0
 ...c-tool_0.5.1.inc => parsec-tool_0.5.2.inc} | 148 +--
 7 files changed, 351 insertions(+), 344 deletions(-)
 delete mode 100644 
meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc
 rename meta-parsec/recipes-parsec/parsec-service/{parsec-service_0.8.1.bb => 
parsec-service_1.0.0.bb} (96%)
 create mode 100644 
meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.inc
 rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.bb => 
parsec-tool_0.5.2.bb} (100%)
 rename meta-parsec/recipes-parsec/parsec-tool/{parsec-tool_0.5.1.inc => 
parsec-tool_0.5.2.inc} (61%)

diff --git a/meta-parsec/README.md b/meta-parsec/README.md
index 85e0d10..97026ea 100644
--- a/meta-parsec/README.md
+++ b/meta-parsec/README.md
@@ -43,20 +43,34 @@ local.conf:
 IMAGE_INSTALL:append = " parsec-service"
 
   By default the Parsec service will be deployed into the image with
-TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in
-and with the default config file from the Parsec repository:
-https://github.com/parallaxsecond/parsec/blob/main/config.toml
+PKCS11 and MBED-CRYPTO providers build-in.
+  The TPM provider will also be built by default if:
+- DISTRO_FEATURES contains "tmp2" and
+- "tpm-layer" (meta-tpm) is included in BBLAYERS
 
-  You can use PACKAGECONFIG for Parsec servic recipe to define
-what providers should be built in. For example,
 
-PACKAGECONFIG:pn-parsec-service = "TPM"
+You can use PACKAGECONFIG for Parsec servic recipe to define
+what providers should be built in. For example:
 
-  The default Parsec service config file contains the MbedCrypto provider
-enabled. The config file needs to be updated to use the Parsec service
-with other providers like TPM or PKCS11. The required procedures are
-covered in Parsec documentation.
-https://parallaxsecond.github.io/parsec-book/
+PACKAGECONFIG:pn-parsec-service = "TS"
+
+
+The default Parsec service config file is taken from the Parsec repository:
+https://github.com/parallaxsecond/parsec/blob/main/config.toml
+This config file contains the MbedCrypto provider enabled.
+The config needs to be updated to use the Parsec service
+with other providers like TPM or PKCS11. The required changes are
+covered in Parsec documentation https://parallaxsecond.github.io/parsec-book/
+
+  PARSEC_CONFIG can be used in a bbappend file to replace the default config.
+For example:
+
+```
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://config-TS.toml \
+   "
+PARSEC_CONFIG = "${WORKDIR}/config-TS.toml"
+```
 
 Updating recipes
 
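Review bot: the new bullet `+- DISTRO_FEATURES contains "tmp2" and` misspells the distro feature; meta-tpm's feature is "tpm2", and a reader who copies "tmp2" into local.conf will silently get an image without the TPM provider. Three smaller points in the same hunk: "Parsec servic recipe" (carried over from the removed line) should read "Parsec service recipe"; the bbappend example uses the old underscore override syntax `FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"` while the surrounding README already uses colon syntax (`IMAGE_INSTALL:append`, `PACKAGECONFIG:pn-parsec-service`) and kirkstone no longer accepts the old form, so it should be `FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"`; and the example value changed from "TPM" to "TS" without saying which provider "TS" selects, so a short parenthetical naming it would help.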
diff --git a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch 
b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
index c01ff06..2525898 100644
--- a/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
+++ b/meta-parsec/recipes-parsec/parsec-service/files/systemd.patch
@@ -4,16 +4,25 @@ Run the Parsec service as parsec user in /var/lib/parsec/ 
working directory.
 Signed-off-by: Anton Antonov 
 Upstream-Status: Inappropriate [deployment configuration]
 
 a/systemd-daemon/parsec.service2021-03-28 18:34:18.703196235 +0100
-+++ b/systemd-daemon/parsec.service2021-03-28 18:35:14.279830299 +0100
-@@ -3,7 +3,9 @@
+diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service
+index c07c3b9..a6fe6a3 100644
+--- a/systemd-daemon/parsec.service
 b/systemd-daemon/parsec.service
+@@ -3,13 +3,15 @@ Description=Parsec Service
  
Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/install_parsec_linux.html
- 
+
  [Service]
 -WorkingDirectory=/home/parsec/
 +User=parsec
 +Group=parsec
 +WorkingDirectory=/var/lib/parsec/
  ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
- 
- [Install]
+ # Systemd hardening
+ ProtectSystem=full
+ ProtectHome=true
+ ProtectHostname=true
+-ProtectKernelTunables=true
++#ProtectKernelTunables=true
+ ProtectKernelModules=true
+ ProtectKernelLogs=true
+ ProtectControlGroups=true
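Review bot: `++#ProtectKernelTunables=true` switches off one of the upstream unit's sandboxing options without a recorded reason; neither the patch header nor the commit message says which provider or code path needs writable /proc/sys or /sys. Please add a one-line comment above it in the unit (or in the patch description) naming the cause, so the next upgrade knows whether it can be re-enabled, and reconsider `Upstream-Status: Inappropriate [deployment configuration]`: disabling a hardening directive is not deployment-local, and if a provider genuinely needs it, upstream's parsec.service should carry the same change. Also, the old timestamped `a/systemd-daemon/parsec.service 2021-03-28 ...` header line is kept as context above the new `+diff --git` header and the new `+--- a/systemd-daemon/parsec.service` line, so the patch ends up with two file headers; drop the stale line so the file uses one format.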
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc 
b/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc
deleted file mode 100644
index fd88e87..000
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.inc
+++ /dev/null
@@ -1,246 +0,0 @@
-# This file is created from parsec-service repository Cargo.lock using 
cargo-bitbake tool
-
-SRC_URI += " \
-crate://crates.io/addr2line/0.15.2 \
-crate://crates.io/adler/1.0.2 \
-crate://crates.io/aho-corasick/0.7.15 \
-crate://crates.io/ansi_term/0.11.0 \
-
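Review bot: the removed file's first line records that the crate list was generated from the parsec-service Cargo.lock with cargo-bitbake, but the commit message (only a Signed-off-by) does not say which Cargo.lock (tag or commit of the parsec repository) or which cargo-bitbake version the replacement parsec-service_1.0.0.inc was generated from. Add a short description with that information so the pinned crate set can be reproduced and reviewed as a supply-chain record rather than taken on trust.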