[yocto] [meta-security][v3][PATCH] apparmor: ptest fail to build on arm

exclude arm and aarch64 ptest tasks [v2&3] Sent before committing. Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 18 ++ 1 file changed, 18 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.

[yocto] [meta-security][v2][PATCH] apparmor: ptest fail to build on arm

exclude arm and aarch64 ptest tasks Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 22 ++ 1 file changed, 22 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index d434fd3..ba7065b

[yocto] [meta-security][PATCH] apparmor: ptest fail to build on arm

exclude arm and aarch64 ptest tasks Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 22 ++ 1 file changed, 22 insertions(+) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index d434fd3..ba7065b

[yocto] [meta-security][PATCH] apparmor: fix systemd support so it works

[Yocto # 13568] Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb index 6183064..d434fd3 100644

[yocto] [meta-security][PATCH] checksec: add missing rdepends to readelf

update test to check for depends Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/checksec.py | 1 + recipes-security/checksec/checksec_2.1.0.bb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases

[yocto] [meta-security][PATCH] suricata: fix compile issue

cp: cannot stat '/./tmp-glibc/work/core2-32-oe-linux/suricata/4.1.5-r0/rules': No such file or directory | WARNING: exit code 1 from a shell command. Signed-off-by: Armin Kuster --- recipes-ids/suricata/suricata_4.1.5.bb | 3 --- 1 file changed, 3 deletions(-) diff --git a/recipes-ids

[yocto] [thud][PATCH] linux-yocto/4.14: meta-yocto-bsp update to 143

Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-yocto_4.14.bbappend | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14

[yocto] [meta-security][PATCH] layer.conf: Update for zeus series

Signed-off-by: Armin Kuster --- conf/layer.conf | 2 +- meta-integrity/conf/layer.conf | 2 +- meta-security-compliance/conf/layer.conf | 2 +- meta-tpm/conf/layer.conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/conf

[yocto] [warrior 2/3] conf/poky: add debian-10 to the supported distribution list

From: Ross Burton Debian 10 is the new stable release and is being tested on the autobuilder, so add this to the supported distribution list. [ YOCTO #13432 ] Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-poky/conf/distro/poky.conf | 1 + 1

[yocto] [warrior 1/3] meta-yocto-bsp: Bump to the latest stable kernel for all the BSP

From: Kevin Hao Boot test for all these boards. Signed-off-by: Kevin Hao Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-yocto_4.19.bbappend | 20 ++-- .../recipes-kernel/linux/linux-yocto_5.0.bbappend| 20

[yocto] [warrior 3/3] conf/poky: add Fedora 30 and Opensuse Leap 15.1 to supported distributions

From: Ross Burton Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-poky/conf/distro/poky.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf index f2df2c1..de744f6 100644

[yocto] [warrior 0/3] Pull request

Please merge these changes to meta-yocto warrior The following changes since commit c16082ffa61f485e120670fbdf075f3fa8597494: poky.conf: Bump version for 2.7.1 warrior release (2019-06-30 22:41:39 +0100) are available in the git repository at: git://git.yoctoproject.org/poky-contrib

[yocto] [meta-security][PATCH 2/2] suricata-update: add package to pull rules

Signed-off-by: Armin Kuster --- .../suricata/python3-suricata-update_1.0.5.bb | 15 +++ 1 file changed, 15 insertions(+) create mode 100644 recipes-ids/suricata/python3-suricata-update_1.0.5.bb diff --git a/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/recipes-ids

[yocto] [PATCH 8/8] tpm2-pkcs11: update to tip

Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb index 222bb6d..2185749

[yocto] [PATCH 6/8] tpm2-totp: update to 0.1.2

Signed-off-by: Armin Kuster --- .../tpm2-totp/{tpm2-totp_0.1.1.bb => tpm2-totp_0.1.2.bb}| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-totp/{tpm2-totp_0.1.1.bb => tpm2-totp_0.1.2.bb} (90%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tot

[yocto] [PATCH 4/8] tpm2-tss: update to 2.3.0

drop patch already in update Signed-off-by: Armin Kuster --- ...-ax_code_coverage.m4-version-2019.01.patch | 84 --- .../{tpm2-tss_2.2.3.bb => tpm2-tss_2.3.1.bb} | 5 +- 2 files changed, 2 insertions(+), 87 deletions(-) delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/t

[yocto] [PATCH 5/8] tpm2-tss-engine: update to 1.0.1

Signed-off-by: Armin Kuster --- .../{tpm2-tss-engine_1.0.0.bb => tpm2-tss-engine_1.0.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss-engine/{tpm2-tss-engine_1.0.0.bb => tpm2-tss-engine_1.0.1.bb} (95%) diff --git a/meta-tpm/recipe

[yocto] [PATCH 7/8] tpm2-tcti-uefi: update to tip

Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index

[yocto] [PATCH 3/8] tpm2-abrmd: update to 2.2.0

Signed-off-by: Armin Kuster --- .../tpm2-abrmd/{tpm2-abrmd_2.1.1.bb => tpm2-abrmd_2.2.0.bb}| 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename meta-tpm/recipes-tpm2/tpm2-abrmd/{tpm2-abrmd_2.1.1.bb => tpm2-abrmd_2.2.0.bb} (97%) diff --git a/meta-tpm/recipes-tpm2/tpm2-abrm

[yocto] [PATCH 2/8] swtpm: update to 0.2.0

Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm/swtpm/{swtpm_0.1.0.bb => swtpm_0.2.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm/swtpm/{swtpm_0.1.0.bb => swtpm_0.2.0.bb} (96%) diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.1.0.bb b/me

[yocto] [PATCH 1/8] libtpm: update to 0.7.0

Signed-off-by: Armin Kuster --- .../recipes-tpm/libtpm/{libtpm_0.6.0.bb => libtpm_0.7.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm/libtpm/{libtpm_0.6.0.bb => libtpm_0.7.0.bb} (88%) diff --git a/meta-tpm/recipes-tpm/libtpm/libtpm_0.6.0.bb

[yocto] [meta-security][PATCH 3/3] suricata: update to 4.1.4

Backport patch to fix build against newer kernels. Signed-off-by: Armin Kuster --- ...-packet-fix-build-on-recent-Linux-kernels.patch | 26 ++ .../{libhtp_0.5.29.bb => libhtp_0.5.30.bb} | 0 recipes-ids/suricata/suricata.inc |

[yocto] [meta-security][PATCH 2/3] oe-scap: Fix QA RDEPENDS error

ERROR: oe-scap-1.0-r0 do_package_qa: QA Issue: /usr/share/oe-scap/run_tests.sh contained in package oe-scap requires /bin/bash, but no providers found in RDEPENDS_oe-scap? [file-rdeps] Signed-off-by: Armin Kuster --- meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb | 2 +- 1

[yocto] [meta-security][PATCH 1/3] cryptsetup-tpm-incubator: fix QA error RDEPENDS

ERROR: cryptsetup-tpm-incubator-0.9.9-r0 do_package_qa: QA Issue: /usr/lib/libcryptsetup.so.12.3.0 contained in package cryptsetup-tpm-incubator requires libdevmapper.so.1.02(DM_1_02_97)(64bit), but no providers found in RDEPENDS_cryptsetup-tpm-incubator? [file-rdeps] Signed-off-by: Armin

[yocto] [meta-security][PATCH 2/2] scap-security-guide: add depends on openscap-native do_install

This ensures openscap-native does install the needed patches security guilde needs to build Minor recipe cleanup too Signed-off-by: Armin Kuster --- .../scap-security-guide/scap-security-guide.inc| 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta

[yocto] [meta-security][PATCH 1/2] openscap: Drop nostamp

add cleandir depends to do_install task This nostamp is causing issues with the yocto-check-layer when checking hash changes. Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git

[yocto] [meta-security][PATCH] apparmor: drop lsb RDEPENDS

remove lsb functions from init script Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.3.bb | 2 +- recipes-mac/AppArmor/files/apparmor | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor

[yocto] [meta-security][PATCH 4/4] initramfs-framework-ima: correct IMA_POLICY name

it had ima_policy_hashed and did not match the recipe ima-policy-hashed found by yocto-check-layer Signed-off-by: Armin Kuster --- .../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-integrity/recipes-core

[yocto] [meta-security][PATCH 3/4] busybox: fix sig changes when layer added

Signed-off-by: Armin Kuster --- recipes-core/busybox/busybox_%.bbappend| 4 +--- recipes-core/busybox/busybox_libsecomp.inc | 3 +++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 recipes-core/busybox/busybox_libsecomp.inc diff --git a/recipes-core/busybox/busybox_

[yocto] [meta-security][PATCH 2/4] packagegroup-core-security: update package name

Also remove tpm packagegroup reference Signed-off-by: Armin Kuster --- recipes-security/packagegroup/packagegroup-core-security.bb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup

[yocto] [meta-security][PATCH 1/4] packagegroup-core-security-ptest: only included if ptest is enabled

update python package names Signed-off-by: Armin Kuster --- .../packagegroup/packagegroup-core-security-ptest.bb| 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup

[yocto] [meta-security][PATCH] python-scapy: drop py2 package

fixup run-ptest Signed-off-by: Armin Kuster --- recipes-security/scapy/files/run-ptest| 2 +- recipes-security/scapy/python-scapy.inc | 22 --- recipes-security/scapy/python-scapy_2.4.3.bb | 11 recipes-security/scapy/python3-scapy_2.4.3.bb | 27

[yocto] [meta-security][PATCH] integrity-image: IMA_EVM_KEY_DIR has no affect, remove

Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/images/integrity-image-minimal.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index e1bc6ff..1a3a30a

[yocto] [meta-security][PATCH] apparmor: update to 2.13.3

create the cache dir at install time Signed-off-by: Armin Kuster --- .../AppArmor/{apparmor_2.13.2.bb => apparmor_2.13.3.bb} | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) rename recipes-mac/AppArmor/{apparmor_2.13.2.bb => apparmor_2.13.3.bb} (96%) diff --git a/recip

[yocto] [meta-security][PATCH 2/2] apparmor: fix RDPENDS

apparmor-2.13.2-r0 do_package_qa: QA Issue: /usr/bin/aa-easyprof contained in package apparmor requires /usr/bin/python3, but no providers found in RDEPENDS_apparmor? [file-rdeps] Signed-off-by: Armin Kuster --- recipes-mac/AppArmor/apparmor_2.13.2.bb | 2 +- 1 file changed, 1 insertion(+), 1

[yocto] [meta-security][PATCH 1/2] linux-stable: rename to more generic bbappend

use wildcards Signed-off-by: Armin Kuster --- recipes-kernel/linux/{linux-stable_5.2.bbappend => linux-%_5.%.bbappend} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename recipes-kernel/linux/{linux-stable_5.2.bbappend => linux-%_5.%.bbappend} (100%) diff --git a/recipes-kernel

[yocto] [meta-security][PATCH 2/2] linux-yocto-dev: update to use kernel cache

Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto-dev.bbappend | 13 ++--- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend index 68b2b8b..239e30e 100644

[yocto] [meta-security][PATCH 1/2] linux-yocto: use 4.19 kernel cache now

remove kernel fragments now that they are in the kernel-cache for 4.19 update bbappend accordingly. Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto/apparmor.cfg | 15 --- .../linux/linux-yocto/apparmor_on_boot.cfg| 1 - .../linux/linux-yocto/smack

[yocto] [meta-security][PATCH 3/3] linux-stable/5.2: add stable bbappend

Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-stable_5.2.bbappend | 4 1 file changed, 4 insertions(+) create mode 100644 recipes-kernel/linux/linux-stable_5.2.bbappend diff --git a/recipes-kernel/linux/linux-stable_5.2.bbappend b/recipes-kernel/linux/linux-stable_5.2

[yocto] [meta-security][PATCH 2/3] meta-integrity: remove kernel fragments now in cache

Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-%.bbappend | 5 ++--- .../recipes-kernel/linux/linux/ima.cfg | 18 -- .../linux/linux/ima_evm_root_ca.cfg| 3 --- .../recipes-kernel/linux/linux/modsign.cfg | 5 - .../recipes

[yocto] [meta-security][PATCH 1/3] linux-%: remove kernel fragments now in cache

Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-%.bbapend | 9 - recipes-kernel/linux/linux/apparmor.cfg | 9 - recipes-kernel/linux/linux/apparmor_on_boot.cfg | 1 - recipes-kernel/linux/linux/smack-default-lsm.cfg | 2 -- recipes-kernel/linux

[yocto] [meta-integrity][PAYTCH] integrity-image: IMA_EVM_KEY_DIR has no affect, remove

Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/images/integrity-image-minimal.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb index e1bc6ff..1a3a30a

[linux-yocto] [PATCH 4/4] kernel-cache: add yama security fragments

Signed-off-by: Armin Kuster --- features/yama/yama.cfg | 1 + features/yama/yama.scc | 4 2 files changed, 5 insertions(+) create mode 100644 features/yama/yama.cfg create mode 100644 features/yama/yama.scc diff --git a/features/yama/yama.cfg b/features/yama/yama.cfg new file mode 100644

[linux-yocto] [PATCH 2/4] kernel-cache: add smack

Signed-off-by: Armin Kuster --- features/smack/smack.cfg | 10 ++ features/smack/smack.scc | 4 2 files changed, 14 insertions(+) create mode 100644 features/smack/smack.cfg create mode 100644 features/smack/smack.scc diff --git a/features/smack/smack.cfg b/features/smack

[linux-yocto] [PATCH 1/4] kernel-cache: add apparmor fragments

Signed-off-by: Armin Kuster --- features/apparmor/apparmor.cfg | 7 +++ features/apparmor/apparmor.scc | 5 + features/apparmor/apparmor_on_boot.cfg | 1 + 3 files changed, 13 insertions(+) create mode 100644 features/apparmor/apparmor.cfg create mode 100644 features

[linux-yocto] [PATCH 3/4] kernel-cache: add ima fragments

Signed-off-by: Armin Kuster --- features/ima/ima.cfg | 18 ++ features/ima/ima.scc | 4 features/ima/ima_evm_root_ca.cfg | 3 +++ features/ima/modsign.cfg | 3 +++ features/ima/modsign.scc | 6 ++ 5 files changed, 34 insertions

[linux-yocto] [PATCH 0/4] More security fragments

It is time to move the kernel fragments out of meta-security to cache. It should make maintenance easier. Armin Kuster (4): kernel-cache: add apparmor fragments kernel-cache: add smack kernel-cache: add ima fragments kernel-cache: add yama security fragments features/apparmor

[yocto] [meta-security][v2][PATCH] kernel-modsign.bbclass: add support for kernel modules signing

From: Dmitry Eremin-Solenikov Add bbclass responsible for handling signing of kernel modules. Signed-off-by: Dmitry Eremin-Solenikov fixup class to avoid including in every configure task Signed-off-by: Armin Kuster --- meta-integrity/classes/kernel-modsign.bbclass | 29

[yocto] [meta-security][PATCH 2/2] waf-cross-answers: remove files

Signed-off-by: Armin Kuster --- files/waf-cross-answers/README | 3 -- files/waf-cross-answers/cross-answers-aarch64.txt | 39 - .../waf-cross-answers/cross-answers-aarch64_be.txt | 39 - files/waf-cross-answers/cross-answers-arm.txt

[yocto] [meta-security][PATCH 1/2] libldb: remove recipe

Signed-off-by: Armin Kuster --- .../libldb/avoid-openldap-unless-wanted.patch | 13 -- ...-import-target-module-while-cross-compile.patch | 58 --- recipes-support/libldb/libldb/options-1.3.1.patch | 193 - recipes-support/libldb/libldb_1.3.1.bb | 64

[yocto] [meta-security][PATCH] keyutils: remove from meta-security

now in meta-oe Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 -- ...ror-report-by-adding-default-message.patch | 42 --- .../keyutils-test-fix-output-format.patch | 41 -- recipes-security/keyutils/files/run-ptest | 3

[yocto] [patchwork][PATCH] filters: Escape State names when generating selector HTML

for 1.16 context, CVE-2019-13122 ] Signed-off-by: Armin Kuster --- patchwork/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patchwork/filters.py b/patchwork/filters.py index 87c904f..b734207 100644 --- a/patchwork/filters.py +++ b/patchwork/filters.py @@ -212,7

[yocto] [patchwork][PATCH] security fix CVE-2019-13122

This is an untested backported patch from stable/2.0 patchwork for the OE version. It is a function already being used in the file so I have high confidence it wont introduce any new issues. Andrew Donnellan (1): filters: Escape State names when generating selector HTML

[yocto] [meta-security-compliance][PATCH 3/4] scap-security-guide: update to 0.1.44

create a PV version to track upstream git version includes OE changes Signed-off-by: Armin Kuster --- .../scap-security-guide.inc | 47 ++ .../scap-security-guide_0.1.44.bb | 8 +++ .../scap-security-guide_git.bb| 63

[yocto] [meta-security-compliance][PATCH 4/4] meta-security-compliance: add meta-python

with some for the recipe updates, more pyton support is needed Signed-off-by: Armin Kuster --- meta-security-compliance/conf/layer.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta-security-compliance/conf/layer.conf b/meta-security-compliance/conf/layer.conf

[yocto] [meta-security-compliance][PATCH 1/4] openscap_git: update to 1.3.0

removed unneeded patch convert over to cmake refactor files Signed-off-by: Armin Kuster --- .../openscap/files/crypto_pkgconfig.patch | 36 .../recipes-openscap/openscap/openscap.inc| 75 + .../recipes-openscap/openscap/openscap_git.bb | 83

[yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source

Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc| 11 +-- .../recipes-openscap/openscap/openscap_1.3.1.bb | 10 ++ .../recipes-openscap/openscap/openscap_git.bb | 4 ++-- 3 files changed, 17 insertions(+), 8 deletions

[yocto] [meta-security-compliance][PATCH 2/2] meta-security-compliance: update README

Signed-off-by: Armin Kuster --- meta-security-compliance/README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-security-compliance/README b/meta-security-compliance/README index b29c143..320f856 100644 --- a/meta-security-compliance/README +++ b/meta-security

[yocto] [meta-security-compliance][PATCH 1/2] lynis: update to 2.7.5

Signed-off-by: Armin Kuster --- .../recipes-auditors/lynis/{lynis_2.7.2.bb => lynis_2.7.5.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-security-compliance/recipes-auditors/lynis/{lynis_2.7.2.bb => lynis_2.7.5.bb} (89%) diff --git a/meta-security-compliance/r

[yocto] [meta-security][PATCH 2/2] clamav: minor recipe cleanup

Signed-off-by: Armin Kuster --- recipes-security/clamav/clamav_0.99.4.bb | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb index 7d8767e..7f04337 100644 --- a/recipes-security/clamav

[yocto] [meta-security][PATCH 1/2] libmspack: update SRC_URI and package

Signed-off-by: Armin Kuster --- .../{libmspack_0.10.1.bb => libmspack_1.9.1.bb}| 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) rename recipes-security/libmspack/{libmspack_0.10.1.bb => libmspack_1.9.1.bb} (53%) diff --git a/recipes-security/libmspack/libmspack_

[yocto] [meta-security][meta-tpm][PATCH 8/9] tpm2-totp: update to offical release v0.1.1

Clean up recipe to match actual app Signed-off-by: Armin Kuster --- .../recipes-tpm2/tpm2-totp/tpm2-totp_0.1.1.bb | 18 ++ .../recipes-tpm2/tpm2-totp/tpm2-totp_0.9.9.bb | 17 - 2 files changed, 18 insertions(+), 17 deletions(-) create mode 100644 meta-tpm

[yocto] [meta-security][meta-tpm][PATCH 7/9] tpm2-tss: update to 2.2.3

Signed-off-by: Armin Kuster --- .../tpm2-tss/{tpm2-tss_2.2.1.bb => tpm2-tss_2.2.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss/{tpm2-tss_2.2.1.bb => tpm2-tss_2.2.3.bb} (97%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss

[yocto] [meta-security][meta-tpm][PATCH 6/9] tpm2-tools: update to 3.2.0

Signed-off-by: Armin Kuster --- .../tpm2-tools/{tpm2-tools_3.1.3.bb => tpm2-tools_3.2.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tools/{tpm2-tools_3.1.3.bb => tpm2-tools_3.2.0.bb} (86%) diff --git a/meta-tpm/recipes-tpm2/tpm2-tool

[yocto] [meta-security][meta-tpm][PATCH 3/9] tpm image: split out tpm2

Signed-off-by: Armin Kuster --- meta-tpm/recipes-core/images/security-tpm-image.bb | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meta-tpm/recipes-core/images/security-tpm-image.bb b/meta-tpm/recipes-core/images/security-tpm-image.bb index a337076..dbdd309 100644

[yocto] [meta-security][meta-tpm][PATCH 9/9] tpm2-tss-engine: update to 1.0.0

Signed-off-by: Armin Kuster --- .../{tpm2-tss-engine_0.9.9.bb => tpm2-tss-engine_1.0.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-tpm/recipes-tpm2/tpm2-tss-engine/{tpm2-tss-engine_0.9.9.bb => tpm2-tss-engine_1.0.0.bb} (95%) diff --git a/meta-tpm/recipe

[yocto] [meta-security][meta-tpm][PATCH 4/9] tpm2-pkcs11/tpm2-pkcs11: update to tip

license-check-sum: Add SPDX format Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2

[yocto] [meta-security][meta-tpm][PATCH 5/9] tpm2-tcti-uefi: update to tip

Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb index

[yocto] [meta-security][meta-tpm][PATCH 2/9] tpm2 images: create tpm2 image and fix packagegroup

Signed-off-by: Armin Kuster --- .../recipes-core/images/security-tpm2-image.bb | 18 ++ .../packagegroup/packagegroup-security-tpm2.bb | 5 - 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 meta-tpm/recipes-core/images/security-tpm2-image.bb diff --git

[yocto] [meta-security][meta-tpm][PATCH 1/9] runtime: tpm2 fix names in packagecheck

Signed-off-by: Armin Kuster --- meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index 240a9b3..c6f9d92 100644 --- a/meta-tpm/lib/oeqa/runtime/cases

[yocto] [meta-integrity][PATCH] ima-evm-utils: update to tip

Signed-off-by: Armin Kuster --- .../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm

[yocto] [meta-security][PATCH 12/14] initramfs: clean up to pull in packages.

Signed-off-by: Armin Kuster --- .../initrdscripts/initramfs-framework-ima.bb | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs

[yocto] [meta-security][PATCH 11/14] data: remove policies

Signed-off-by: Armin Kuster --- meta-integrity/data/ima_policy_appraise_all | 29 meta-integrity/data/ima_policy_hashed | 77 - meta-integrity/data/ima_policy_simple | 4 -- 3 files changed, 110 deletions(-) delete mode 100644 meta-integrity/data

[yocto] [meta-security][PATCH 06/14] linux: update bbappend

remove untested code Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux-%.bbappend | 117 +- 1 file changed, 2 insertions(+), 115 deletions(-) diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux

[yocto] [meta-security][PATCH 14/14] image: add image for testing

Signed-off-by: Armin Kuster --- .../images/integrity-image-minimal.bb | 22 +++ 1 file changed, 22 insertions(+) create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb

[yocto] [meta-security][PATCH 09/14] ima_policy_simple: add another sample policy

Signed-off-by: Armin Kuster --- .../ima_policy_simple/files/ima_policy_simple | 4 .../ima_policy_simple/ima-policy-simple_1.0.bb | 18 ++ 2 files changed, 22 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple

[yocto] [meta-security][PATCH 13/14] runtime qa: moderize ima test

Signed-off-by: Armin Kuster --- meta-integrity/lib/oeqa/runtime/__init__.py | 0 meta-integrity/lib/oeqa/runtime/cases/ima.py | 129 +++ meta-integrity/lib/oeqa/runtime/ima.py | 82 3 files changed, 129 insertions(+), 82 deletions(-) delete mode 100644

[yocto] [meta-security][PATCH 08/14] ima-policy-hashed: add new recipe

Signed-off-by: Armin Kuster --- .../ima_policy_hashed/files/ima_policy_hashed | 77 +++ .../ima-policy-hashed_1.0.bb | 20 + 2 files changed, 97 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed

[yocto] [meta-security][PATCH 10/14] policy: add ima appraise all policy

Signed-off-by: Armin Kuster --- .../files/ima_policy_appraise_all | 29 +++ .../ima-policy-appraise-all_1.0.bb| 18 2 files changed, 47 insertions(+) create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files

[yocto] [meta-security][PATCH 07/14] base-files: add appending to automount securityfs

Signed-off-by: Armin Kuster --- meta-integrity/recipes-core/base-files/base-files-ima.inc| 5 + meta-integrity/recipes-core/base-files/base-files_%.bbappend | 1 + 2 files changed, 6 insertions(+) create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc create mode

[yocto] [meta-security][PATCH 01/14] meta-integrity: port over from meta-intel-iot-security

Signed-off-by: Armin Kuster --- meta-integrity/README.md | 253 ++ meta-integrity/classes/ima-evm-rootfs.bbclass | 92 +++ meta-integrity/conf/layer.conf| 22 ++ .../data/debug-keys/privkey_ima.pem | 16 ++ meta-integrity/data

[yocto] [meta-security][PATCH 04/14] ima-evm-utils: cleanup and update to tip

update to tip backported patches to fix build issues. fix native support Signed-off-by: Armin Kuster --- .../ima-evm-utils/ima-evm-utils.inc | 19 -- ...link-to-libcrypto-instead-of-OpenSSL.patch | 65 +++ ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch | 43

[yocto] [meta-security][PATCH 05/14] ima.cfg: update to 5.0 kernel

Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux/ima.cfg| 28 ++- .../linux/linux/ima_evm_root_ca.cfg | 6 ++-- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity

[yocto] [meta-security][PATCH 03/14] README: update

Signed-off-by: Armin Kuster --- meta-integrity/README.md | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta-integrity/README.md b/meta-integrity/README.md index ba96d8e..5bef76e 100644 --- a/meta-integrity/README.md +++ b/meta-integrity/README.md @@ -24,12 +24,9

[yocto] [meta-security][PATCH 02/14] layer.conf: add LAYERSERIES_COMPAT

Signed-off-by: Armin Kuster --- meta-integrity/conf/layer.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf index e8bb268..2f696cf 100644 --- a/meta-integrity/conf/layer.conf +++ b/meta-integrity/conf/layer.conf @@ -20,3

[yocto] [meta-security][PATCH 00/14] Port over meta-integrity

Copied meta-integrity from meta-intel-iot-security that Intel created, to carry on maintenance. This update that code base to work on master. runtime test passes on Arm H/w and qemux86-64 Armin Kuster (14): meta-integrity: port over from meta-intel-iot-security layer.conf: add

[yocto] [meta-security][PATCH] checksec: add runtime test

Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/checksec.py | 33 ++ 1 file changed, 33 insertions(+) create mode 100644 lib/oeqa/runtime/cases/checksec.py diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py new file mode

[yocto] [meta-security][v2][PATCH] keyutils: fix library install path

[v2] fix multilib support Als add native support Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 +++ recipes-security/keyutils/keyutils_1.6.bb | 14 ++ 2 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 recipes

[yocto] [meta-security][PATCH] keyutils: fix library install path

Signed-off-by: Armin Kuster --- .../files/fix_library_install_path.patch | 28 +++ recipes-security/keyutils/keyutils_1.6.bb | 1 + 2 files changed, 29 insertions(+) create mode 100644 recipes-security/keyutils/files/fix_library_install_path.patch diff --git

[yocto] [meta-security][PATCH] checksec: update to 1.11.1

* checksec.sh: Add arm64 specific kernel checks * checksec.sh: Add REFCOUNT_FULL to kernel tests * checksec.sh: Remove OSX support Signed-off-by: Armin Kuster --- .../checksec/{checksec_1.11.bb => checksec_1.11.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename reci

[yocto] [PATCH 2/2] oeqa/systemd_boot: Drop OETestID

From: Richard Purdie Matching changes in OE-Core. drop OETestID. Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta-yocto-bsp/lib/oeqa/selftest/cases/systemd_boot.py

[yocto] [PATCH 1/2] linux-yocto: update genericx86* SRCREV for 4.19

From: Naveen Saini Bump to kernel release v4.19.19 Signed-off-by: Naveen Saini Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.19.bbappend | 8 1 file changed, 4 insertions(+), 4 deletions

[yocto] [PATCH 0/2] meta-yocto warrior-next patch review

From: Armin Kuster please review these change for the next meta-yocto warrior update The following changes since commit 299b4150c66520985415fcc91119d563f7ba663c: poky.conf: Bump version for 2.7 warrior release (2019-04-12 13:50:29 +0100) are available in the git repository at: git

[yocto] [meta-security][PATCH 2/2] smack: kernel fragment update

Signed-off-by: Armin Kuster --- recipes-kernel/linux/linux-yocto-5.0/smack.cfg | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/recipes-kernel/linux/linux-yocto-5.0/smack.cfg index 62f465a..0d5fc64 100644

[yocto] [meta-security][PATCH 1/2] oe-selftest: add running cve checker

Signed-off-by: Armin Kuster --- lib/oeqa/selftest/cases/cvechecker.py | 27 +++ 1 file changed, 27 insertions(+) create mode 100644 lib/oeqa/selftest/cases/cvechecker.py diff --git a/lib/oeqa/selftest/cases/cvechecker.py b/lib/oeqa/selftest/cases/cvechecker.py new file

[yocto] [meta-security][PATCH] samhain: add more tests and fix ret checks

Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/samhain.py | 31 +++ 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/oeqa/runtime/cases/samhain.py b/lib/oeqa/runtime/cases/samhain.py index e4bae7b..5043a38 100644 --- a/lib/oeqa/runtime/cases

[yocto] [meta-security][PATCH 2/2] smack-test: add smack tests from meta-intel-iot-security

ported over smack tests Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/smack.py | 529 ++ recipes-mac/smack/mmap-smack-test/mmap.c | 7 + recipes-mac/smack/mmap-smack-test_1.0.bb | 16 + recipes-mac/smack/smack-test/notroot.py | 33

[yocto] [meta-security][PATCH 1/2] smack: move patch to smack dir

Signed-off-by: Armin Kuster --- recipes-mac/smack/{files => smack}/run-ptest | 0 .../smack/{files => smack}/smack_generator_make_fixup.patch | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename recipes-mac/smack/{files => smack}/run-ptest (100%

[yocto] [meta-security][PATCH] apparmor: add a few more runtime

Signed-off-by: Armin Kuster --- lib/oeqa/runtime/cases/apparmor.py | 19 +++ 1 file changed, 19 insertions(+) diff --git a/lib/oeqa/runtime/cases/apparmor.py b/lib/oeqa/runtime/cases/apparmor.py index e2cb316..b6a9537 100644 --- a/lib/oeqa/runtime/cases/apparmor.py +++ b/lib

[yocto] [meta-cgl][PATCH] cfg files: update do to 4.19 changes

Signed-off-by: Armin Kuster --- meta-cgl-common/recipes-kernel/linux/files/cfg/4-kgdb.cfg | 1 - meta-cgl-common/recipes-kernel/linux/files/cfg/5-quota.cfg | 2 -- meta-cgl-common/recipes-kernel/linux/files/cfg/9-filesystem-acl.cfg | 1 - meta-cgl-common/recipes

  1   2   3   4   5   6   >