AM, liu.min...@gmail.com wrote:
> > From: Ming Liu
> >
> > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
> > patches applied, I could run a ima enabled image with sysvinit/systemd
> > on qemuarm/qemuarm64 and some NXP machines.
> >
&
From: Ming Liu
IMA_POLICY is being referred as policy recipe name in some places and it
is also being referred as policy file in other places, they are
conflicting with each other which make it impossible to set a IMA_POLICY
global variable in config file.
Fix it by dropping IMA_POLICY
From: Ming Liu
This ensures when a end user change the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.
Signed-off-by: Ming Liu
---
meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-integrity/recipes-security
From: Ming Liu
Otherwise, ima script would not run as intended.
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 1 +
1 file changed, 1 insertion(+)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs
From: Ming Liu
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
.../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
b/meta-integrity
From: Ming Liu
Create a recipe to package IMA/EMV public keys.
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
.../ima-evm-keys/ima-evm-keys_1.0.bb | 16
1 file changed, 16 insertions(+)
create mode 100644
meta-integrity/recipes-security/ima-evm-keys
From: Ming Liu
Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
patches applied, I could run a ima enabled image with sysvinit/systemd
on qemuarm/qemuarm64 and some NXP machines.
Ming Liu (9):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework
From: Ming Liu
/etc/ima-policy > /etc/ima/ima-policy.
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta-integrity/recipes-core/initrdscri
From: Ming Liu
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/ima
From: Ming Liu
Or else wic will fail without "--no-fstab-update" option.
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbcla
From: Ming Liu
This fixes following systemd boot issues:
[7.455580] systemd[1]: Failed to create /init.scope control group:
Permission denied
[7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!] Failed to allocate manager object.
[7.459270] systemd[1
From: Ming Liu
This fixes following systemd boot issues:
[7.455580] systemd[1]: Failed to create /init.scope control group:
Permission denied
[7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!] Failed to allocate manager object.
[7.459270] systemd[1
From: Ming Liu
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.
This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel
From: Ming Liu
Ming Liu (3):
ima-evm-keys: add file-checksums to IMA_EVM_X509
meta: drop IMA_POLICY from policy recipes
initramfs-framework-ima: introduce IMA_FORCE
.../initrdscripts/initramfs-framework-ima.bb | 5 +
.../initrdscripts/initramfs-framework-ima/ima
From: Ming Liu
This ensures when a end user change the IMA_EVM_X509 key file,
ima-evm-keys recipe will be rebuilt.
Signed-off-by: Ming Liu
Signed-off-by: Armin Kuster
---
meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta
From: Ming Liu
Introduce IMA_FORCE to allow the IMA policy be applied forcely even
'no_ima' boot parameter is available.
This ensures the end users have a way to disable 'no_ima' support if
they want to, because it may expose a security risk if an attacker can
find a way to change kernel
From: Ming Liu
IMA_POLICY is being referred as policy recipe name in some places and it
is also being referred as policy file in other places, they are
conflicting with each other which make it impossible to set a IMA_POLICY
global variable in config file.
Fix it by dropping IMA_POLICY
From: Ming Liu
/etc/ima-policy > /etc/ima/ima-policy.
Signed-off-by: Ming Liu
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
b/m
From: Ming Liu
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/ima
From: Ming Liu
Ming Liu (5):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework-ima: fix a wrong path
meta: refactor IMA/EVM sign rootfs
initramfs-framework-ima: let ima_enabled return 0
ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
meta
From: Ming Liu
'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check, this fixes a following error:
Signed-off-by: Ming Liu
---
.../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-integrity
From: Ming Liu
Otherwise, ima script would not run as intended.
Signed-off-by: Ming Liu
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 1 +
1 file changed, 1 insertion(+)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
b/meta
From: Ming Liu
Or else wic will fail without "--no-fstab-update" option.
Signed-off-by: Ming Liu
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass
b/meta-integrity/class
From: Ming Liu
Signed-off-by: Ming Liu
---
.../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
b/meta-integrity/recipes-core/initrdscripts
From: Ming Liu
'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check for ima-evm-utils-native.
Signed-off-by: Ming Liu
---
.../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-integrity/recipes
From: Ming Liu
The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/ima
From: Ming Liu
Or else wic will fail without "--no-fstab-update" option.
Signed-off-by: Ming Liu
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass
b/meta-integrity/class
From: Ming Liu
/etc/ima-policy > /etc/ima/ima-policy.
Signed-off-by: Ming Liu
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
b/m
From: Ming Liu
Create a recipe to package IMA/EMV public keys.
Signed-off-by: Ming Liu
---
.../ima-evm-keys/ima-evm-keys_1.0.bb | 16
1 file changed, 16 insertions(+)
create mode 100644
meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
diff --git
From: Ming Liu
Changes in patch set V2:
1 Split patches as suggested by Dmitry Baryshkov.
Ming Liu (8):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework-ima: fix a wrong path
ima-evm-keys: add recipe
initramfs-framework-ima: RDEPENDS on ima-evm-keys
From: Ming Liu
Signed-off-by: Ming Liu
---
meta-integrity/README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..5048fba 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -73,8
From: Ming Liu
Otherwise, ima script would not run as intended.
Signed-off-by: Ming Liu
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 1 +
1 file changed, 1 insertion(+)
diff --git
a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
b/meta
32 matches
Mail list logo
