Copied meta-integrity from meta-intel-iot-security that Intel created, to carry on maintenance.
This updates that code base to work on master. Runtime test passes on Arm H/w and qemux86-64.

Armin Kuster (14):
  meta-integrity: port over from meta-intel-iot-security
  layer.conf: add LAYERSERIES_COMPAT
  README: update
  ima-evm-utils: cleanup and update to tip
  ima.cfg: update to 5.0 kernel
  linux: update bbappend
  base-files: add appending to automount securityfs
  ima-policy-hashed: add new recipe
  ima_policy_simple: add another sample policy
  policy: add ima appraise all policy
  data: remove policies
  initramfs: clean up to pull in packages.
  runtime qa: moderize ima test
  image: add image for testing

 meta-integrity/README.md                      | 250 ++++++++++++++++++
 meta-integrity/classes/ima-evm-rootfs.bbclass |  92 +++++++
 meta-integrity/conf/layer.conf                |  24 ++
 .../data/debug-keys/privkey_ima.pem           |  16 ++
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 0 -> 707 bytes
 meta-integrity/lib/oeqa/runtime/cases/ima.py  | 129 +++++++++
 .../base-files/base-files-ima.inc             |   5 +
 .../base-files/base-files_%.bbappend          |   1 +
 .../images/integrity-image-minimal.bb         |  22 ++
 .../initrdscripts/initramfs-framework-ima.bb  |  28 ++
 .../initrdscripts/initramfs-framework-ima/ima |  52 ++++
 .../packagegroup-ima-evm-utils.bb             |   9 +
 .../systemd/files/machine-id-commit-sync.conf |   2 +
 .../systemd/files/random-seed-sync.conf       |   3 +
 .../recipes-core/systemd/systemd_%.bbappend   |  13 +
 .../recipes-kernel/linux/linux-%.bbappend     |   3 +
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 ++++
 ...for-creating-files-using-the-mknodat.patch | 138 ++++++++++
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 +++++
 .../recipes-kernel/linux/linux/ima.cfg        |  18 ++
 .../linux/linux/ima_evm_root_ca.cfg           |   3 +
 ...link-to-libcrypto-instead-of-OpenSSL.patch |  65 +++++
 ...ls-replace-INCLUDES-with-AM_CPPFLAGS.patch |  43 +++
 ...clude-hash-info.gen-into-distributio.patch |  31 +++
 ...ma-evm-utils-update-.gitignore-files.patch |  34 +++
 ...nd-line-apply-operation-to-all-paths.patch |  68 +++++
 .../ima-evm-utils/disable-doc-creation.patch  |  50 ++++
 ...t-depend-on-xattr.h-with-IMA-defines.patch |  47 ++++
 .../ima-evm-utils/ima-evm-utils_git.bb        |  41 +++
 .../files/ima_policy_appraise_all             |  29 ++
 .../ima-policy-appraise-all_1.0.bb            |  18 ++
 .../ima_policy_hashed/files/ima_policy_hashed |  77 ++++++
 .../ima-policy-hashed_1.0.bb                  |  20 ++
 .../ima_policy_simple/files/ima_policy_simple |   4 +
 .../ima-policy-simple_1.0.bb                  |  18 ++
 meta-integrity/scripts/ima-gen-CA-signed.sh   |  48 ++++
 meta-integrity/scripts/ima-gen-local-ca.sh    |  42 +++
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 +++
 38 files changed, 1595 insertions(+)
 create mode 100644 meta-integrity/README.md
 create mode 100644 meta-integrity/classes/ima-evm-rootfs.bbclass
 create mode 100644 meta-integrity/conf/layer.conf
 create mode 100644 meta-integrity/data/debug-keys/privkey_ima.pem
 create mode 100644 meta-integrity/data/debug-keys/x509_ima.der
 create mode 100644 meta-integrity/lib/oeqa/runtime/cases/ima.py
 create mode 100644 meta-integrity/recipes-core/base-files/base-files-ima.inc
 create mode 100644 meta-integrity/recipes-core/base-files/base-files_%.bbappend
 create mode 100644 meta-integrity/recipes-core/images/integrity-image-minimal.bb
 create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
 create mode 100644 meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
 create mode 100644 meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
 create mode 100644 meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
 create mode 100644 meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
 create mode 100644 meta-integrity/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-integrity/recipes-kernel/linux/linux-%.bbappend
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-ima-evm-utils-link-to-libcrypto-instead-of-OpenSSL.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0002-ima-evm-utils-replace-INCLUDES-with-AM_CPPFLAGS.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0003-ima-evm-utils-include-hash-info.gen-into-distributio.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0004-ima-evm-utils-update-.gitignore-files.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
 create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
 create mode 100644 meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
 create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
 create mode 100644 meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
 create mode 100644 meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
 create mode 100755 meta-integrity/scripts/ima-gen-CA-signed.sh
 create mode 100755 meta-integrity/scripts/ima-gen-local-ca.sh
 create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

--
2.17.1