This series of patches fixes the current support for IMA and EVM by, for example, removing outdated patches and adding kernel config options. I have tried out these patches with OpenBMC, where the appraisal policy now enforces signed executables and libraries.
Stefan Berger (8):
  ima: Document and replace keys and adapt scripts for EC keys
  ima: Fix the ima_policy_appraise_all to appraise executables & libraries
  ima: Fix the IMA kernel feature
  ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
  ima: Sign all executables and the ima-policy in the root filesystem
  integrity: Update the README for IMA support
  linux: overlayfs: Add kernel patch resolving a file change notification issue
  ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch

 meta-integrity/README.md                      |  22 +--
 meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
 meta-integrity/data/debug-keys/README.md      |  17 +++
 .../data/debug-keys/ima-local-ca.pem          |  15 ++
 .../data/debug-keys/ima-local-ca.priv         |   7 +
 .../data/debug-keys/privkey_ima.pem           |  17 +--
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
 ...Increment-iversion-upon-file-changes.patch |  42 ++++++
 ...for-creating-files-using-the-mknodat.patch | 138 ------------------
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
 .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
 .../recipes-kernel/linux/linux/ima.scc        |   4 +
 .../recipes-kernel/linux/linux_ima.inc        |  11 +-
 ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
 .../files/ima_policy_appraise_all             |   9 +-
 meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
 meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
 20 files changed, 240 insertions(+), 333 deletions(-)
 create mode 100644 meta-integrity/data/debug-keys/README.md
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
 delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

-- 
2.34.1
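The cover letter says the appraisal policy now enforces signed executables and libraries. Below is an IMA policy of that kind, written here as an added illustration; it is not the series' ima_policy_appraise_all file and not OpenBMC's configuration. It assumes a kernel built with CONFIG_IMA_APPRAISE (whether the new ima.cfg enables exactly that is an assumption), files signed with evmctl ima_sign using a key such as the debug privkey_ima.pem, and the matching certificate x509_ima.der loaded on the .ima keyring. The fsmagic values are the kernel's own constants from include/uapi/linux/magic.h; comments must stay on their own lines, since the policy parser does not accept trailing comments.

```text
# IMA appraisal policy (added illustration; not the series' own file)
# Pseudo-filesystems carry no signatures: skip appraisal there.
# 0x9fa0 proc, 0x62656572 sysfs, 0x64626720 debugfs, 0x01021994 tmpfs,
# 0x1cd1 devpts, 0x73636673 securityfs, 0x27e0eb cgroup, 0x63677270 cgroup2
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x1cd1
dont_appraise fsmagic=0x73636673
dont_appraise fsmagic=0x27e0eb
dont_appraise fsmagic=0x63677270
# Executables: exec is refused unless security.ima holds a valid signature
# (a plain hash in security.ima is not enough because of appraise_type=imasig)
appraise func=BPRM_CHECK appraise_type=imasig
# Shared libraries: files mapped with PROT_EXEC need a valid signature too
appraise func=MMAP_CHECK appraise_type=imasig
# Once this rule is active a replacement policy can only be loaded by writing
# its absolute path to securityfs, and that policy file must itself be signed
appraise func=POLICY_CHECK appraise_type=imasig
```

Files are signed on the build host with `evmctl ima_sign -k privkey_ima.pem -a sha256 <file>`, which stores the signature in the security.ima xattr, and the policy is activated on the target with `echo /etc/ima/ima-policy > /sys/kernel/security/ima/policy` (path and location assumed). One caveat worth checking before enforcing: x509_ima.der can only be added to the .ima keyring if its issuer (here the local CA in ima-local-ca.pem) is present in the kernel's builtin trusted keyring, otherwise `keyctl padd asymmetric "" %keyring:.ima < x509_ima.der` fails and every appraised executable is refused at exec time.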
View/Reply Online (#59797): https://lists.yoctoproject.org/g/yocto/message/59797