* [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <ming.liu@toradex.com>

Cherry-pick some IMA/EVM fixes to the LTS dunfell branch. With these
patches applied, I could run an IMA-enabled image with sysvinit/systemd
on qemuarm/qemuarm64 and some NXP machines.

Ming Liu (9):
  ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
  initramfs-framework-ima: fix a wrong path
  ima-evm-keys: add recipe
  initramfs-framework-ima: RDEPENDS on ima-evm-keys
  meta: refactor IMA/EVM sign rootfs
  README.md: update according to the refactoring in
    ima-evm-rootfs.bbclass
  initramfs-framework-ima: let ima_enabled return 0
  ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
  ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic

 meta-integrity/README.md                      |  4 ++-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
 .../initrdscripts/initramfs-framework-ima.bb  |  2 +-
 .../initrdscripts/initramfs-framework-ima/ima |  3 +-
 .../ima-evm-keys/ima-evm-keys_1.0.bb          | 16 +++++++++
 .../ima-evm-utils/ima-evm-utils_git.bb        |  1 +
 .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
 7 files changed, 41 insertions(+), 21 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb

-- 
2.29.0



* [meta-security][dunfell][PATCH 1/9] ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

'ima' does not have to be in the native DISTRO_FEATURES; unset it to avoid
the sanity check for ima-evm-utils-native.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-security/ima-evm-utils/ima-evm-utils_git.bb          | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 7f649c2..bd85583 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -26,6 +26,7 @@ S = "${WORKDIR}/git"
 inherit pkgconfig autotools features_check
 
 REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES_class-native = ""
 
 EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
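Review bot: the added line sets REQUIRED_DISTRO_FEATURES to an empty string for class-native only, which is narrower than the commit message's "unset it" suggests; reword the message to say the native variant is exempted from the check. Since features_check (inherited two lines above) evaluates the variable for every variant of the recipe, also consider whether class-nativesdk needs the same override.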
 
-- 
2.29.0



* [meta-security][dunfell][PATCH 2/9] initramfs-framework-ima: fix a wrong path
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

/etc/ima-policy > /etc/ima/ima-policy.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-core/initrdscripts/initramfs-framework-ima/ima      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 8616f99..16ed53f 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -46,7 +46,7 @@ ima_run() {
     # ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
     # checking the write of each line. To minimize the risk of policy loading going wrong we
     # also remove comments and blank lines ourselves.
-    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys/kernel/security/ima/policy; then
+    if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
         fatal "Could not load IMA policy."
     fi
 }
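Review bot: the commit message gives only the old and new path and no reason; state which recipe installs the policy under /etc/ima so a reader can confirm that /etc/ima/ima-policy is where the file actually lands in the initramfs. The behaviour on a missing file is unchanged and still fails closed: if the redirection `</etc/ima/ima-policy` fails, the subshell returns non-zero and the script calls `fatal "Could not load IMA policy."` instead of booting without a policy.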
-- 
2.29.0



* [meta-security][dunfell][PATCH 3/9] ima-evm-keys: add recipe
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

Create a recipe to package IMA/EVM public keys.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../ima-evm-keys/ima-evm-keys_1.0.bb             | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb

diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
new file mode 100644
index 0000000..62685bb
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "IMA/EMV public keys"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+ALLOW_EMPTY_${PN} = "1"
+
+do_install () {
+    if [ -e "${IMA_EVM_X509}" ]; then
+        install -d ${D}/${sysconfdir}/keys
+        install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
+        lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
+    fi
+}
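Review bot: when the 'ima' distro feature is on but IMA_EVM_X509 is unset or points at a missing file, do_install silently produces an empty package (ALLOW_EMPTY_${PN} = "1"), so the problem only shows up on the device when no key is found under /etc/keys; a `bbfatal` (or at least a `bbwarn`) in an else branch would surface it at build time. Smaller points in the same hunk: the SUMMARY says "IMA/EMV" where "IMA/EVM" is meant, `install -d ${D}/${sysconfdir}/keys` has a doubled slash that the next line avoids, and do_install has no `file-checksums` varflag on ${IMA_EVM_X509}, so rotating the certificate without changing its path will not rebuild the package.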
-- 
2.29.0



* [meta-security][dunfell][PATCH 4/9] initramfs-framework-ima: RDEPENDS on ima-evm-keys
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-core/initrdscripts/initramfs-framework-ima.bb       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index dacdc8b..77f6f7c 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -27,5 +27,5 @@ do_install () {
 
 FILES_${PN} = "/init.d ${sysconfdir}"
 
-RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
 RDEPENDS_${PN} += "initramfs-framework-base"
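Review bot: the commit message is empty; add a line saying that the keys are now shipped by the new ima-evm-keys recipe instead of being copied into the rootfs by ima-evm-rootfs.bbclass, which is why the initramfs package must now pull them in via RDEPENDS.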
-- 
2.29.0



* [meta-security][dunfell][PATCH 5/9] meta: refactor IMA/EVM sign rootfs
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

The current logic in ima-evm-rootfs.bbclass does not guarantee that
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance if other "_append" operations are in
use, as is the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT,
since the latter would affect all recipes, not only image recipes.

To fix the above issues, we introduce an ima_evm_sign_handler that sets
the IMA/EVM rootfs signing requirements/dependencies in the
bb.event.RecipePreFinalise event; it checks the 'ima' distro feature to
decide whether the IMA/EVM rootfs signing logic should be applied.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 30 ++++++++-----------
 1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index d6ade3b..4359af0 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -37,15 +37,6 @@ ima_evm_sign_rootfs () {
     # reasons (including a change of the signing keys) without also
     # re-running do_rootfs.
 
-    # Copy file(s) which must be on the device. Note that
-    # evmctl uses x509_evm.der also for "ima_verify", which is probably
-    # a bug (should default to x509_ima.der). Does not matter for us
-    # because we use the same key for both.
-    install -d ./${sysconfdir}/keys
-    rm -f ./${sysconfdir}/keys/x509_evm.der
-    install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
-    ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
-
     # Fix /etc/fstab: it must include the "i_version" mount option for
     # those file systems where writing files is allowed, otherwise
     # these changes will not get detected at runtime.
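Review bot: dropping the key installation here also drops the comment explaining that evmctl reads x509_evm.der for "ima_verify" and that both file names must therefore exist; the ima-evm-keys recipe reproduces the x509_ima.der link, but the rationale is now nowhere in the tree, so move that comment into the recipe rather than deleting it.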
@@ -80,13 +71,16 @@ ima_evm_sign_rootfs () {
 }
 
 # Signing must run as late as possible in the do_rootfs task.
-# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
-# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
-# _append instead of += because _append gets evaluated later. In
-# particular, we must run after prelink_image in
-# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
-
-IMAGE_PREPROCESS_COMMAND_append = " ima_evm_sign_rootfs ; "
+# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
+# RecipePreFinalise event handler, this ensures it's the last
+# function in IMAGE_PREPROCESS_COMMAND.
+python ima_evm_sign_handler () {
+    if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split():
+        return
 
-# evmctl must have been installed first.
-do_rootfs[depends] += "ima-evm-utils-native:do_populate_sysroot"
+    e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; ')
+    e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys')
+    e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:do_populate_sysroot')
+}
+addhandler ima_evm_sign_handler
+ima_evm_sign_handler[eventmask] = "bb.event.RecipePreFinalise"
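Review bot: `e.data.getVar('DISTRO_FEATURES').split()` raises AttributeError when DISTRO_FEATURES is unset (getVar returns None), which would abort parsing of every image recipe; use `bb.utils.contains('DISTRO_FEATURES', 'ima', True, False, e.data)` as the image.bbclass snippet in the commit message already does, or guard with `or ''`. The replaced comment also carried two facts worth keeping: signing must run after prelink_image because prelinking changes executables, and ima-evm-utils-native is required because evmctl is used; the new comment should retain them so the ordering constraint is not rediscovered the hard way later.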
-- 
2.29.0



* [meta-security][dunfell][PATCH 6/9] README.md: update according to the refactoring in ima-evm-rootfs.bbclass
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-integrity/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index f08a164..8f525a6 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -69,8 +69,10 @@ Adding the layer only enables IMA (see below regarding EVM) during
 compilation of the Linux kernel. To also activate it when building
 the image, enable image signing in the local.conf like this:
 
-    INHERIT += "ima-evm-rootfs"
+    IMAGE_CLASSES += "ima-evm-rootfs"
     IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
+    IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+    IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
 
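Review bot: the two added lines set IMA_EVM_PRIVKEY and IMA_EVM_X509 explicitly next to IMA_EVM_KEY_DIR, but the text does not say whether the class still derives them from IMA_EVM_KEY_DIR by default or whether both are now mandatory; state that, otherwise readers will not know which of the three variables to change when switching to their own keys. The sentence that follows about everyone having the debug private keys is the important caveat and should stay directly after the snippet.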
 This uses the default keys provided in the "data" directory of the layer.
 Because everyone has access to these private keys, such an image
-- 
2.29.0



* [meta-security][dunfell][PATCH 7/9] initramfs-framework-ima: let ima_enabled return 0
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

Otherwise, the ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-core/initrdscripts/initramfs-framework-ima/ima       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
index 16ed53f..cff26a3 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
@@ -6,6 +6,7 @@ ima_enabled() {
     if [ "$bootparam_no_ima" = "true" ]; then
         return 1
     fi
+    return 0
 }
 
 ima_run() {
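Review bot: the added `return 0` fixes a real fall-through bug rather than a cosmetic one, and the commit message should say so: without it the function's exit status was that of the `[ "$bootparam_no_ima" = "true" ]` test, which is 1 whenever no_ima is not set, so ima_enabled reported "disabled" in exactly the normal case and the ima script did not run.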
-- 
2.29.0



* [meta-security][dunfell][PATCH 8/9] ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

Or else wic will fail without the "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 4359af0..0acd6e7 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
 # the iversion flags (needed by IMA when allowing writing).
 IMA_EVM_ROOTFS_IVERSION ?= ""
 
+# Avoid re-generating fstab when ima is enabled.
+WIC_CREATE_EXTRA_ARGS_append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
+
 ima_evm_sign_rootfs () {
     cd ${IMAGE_ROOTFS}
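Review bot: the new comment should give the reason, which the class's own fstab section states (it rewrites /etc/fstab to add i_version on writable file systems): if wic regenerates fstab after do_rootfs, the i_version options are lost and the file no longer matches its signature, so `--no-fstab-update` is needed whenever 'ima' is in DISTRO_FEATURES. Worth recording alongside it: with this flag wic will not add entries for the partitions it creates itself, so the rootfs fstab must already be complete for the layout in the .wks file.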
 
-- 
2.29.0



* [meta-security][dunfell][PATCH 9/9] ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
From: Ming Liu @ 2021-03-02 14:57 UTC (permalink / raw)
  To: yocto; +Cc: sergio.prado, akuster808, Ming Liu

From: Ming Liu <liu.ming50@gmail.com>

This fixes the following systemd boot issues:
[    7.455580] systemd[1]: Failed to create /init.scope control group: Permission denied
[    7.457677] systemd[1]: Failed to allocate manager object: Permission denied
[!!!!!!] Failed to allocate manager object.
[    7.459270] systemd[1]: Freezing execution.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
 .../recipes-security/ima_policy_hashed/files/ima_policy_hashed | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
index 7f89c8d..4d9e4ca 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
+++ b/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
@@ -53,6 +53,9 @@ dont_measure fsmagic=0x43415d53
 # CGROUP_SUPER_MAGIC
 dont_appraise fsmagic=0x27e0eb
 dont_measure fsmagic=0x27e0eb
+# CGROUP2_SUPER_MAGIC
+dont_appraise fsmagic=0x63677270
+dont_measure fsmagic=0x63677270
 # EFIVARFS_MAGIC
 dont_appraise fsmagic=0xde5e81e4
 dont_measure fsmagic=0xde5e81e4
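Review bot: 0x63677270 is the kernel's CGROUP2_SUPER_MAGIC (ASCII "cgrp"), so the value is right and the pair follows the same dont_appraise/dont_measure pattern as the CGROUP_SUPER_MAGIC entry above. The commit message would be clearer if it connected the log to the rule: systemd creates /init.scope on the cgroup2 mount, and without this exemption the appraise rule denies that write, which is the "Permission denied" in the quoted boot log.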
-- 
2.29.0



* Re: [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch
From: akuster @ 2021-03-05  4:54 UTC (permalink / raw)
  To: liu.ming50, yocto; +Cc: sergio.prado, Ming Liu

series in build testing

-armin

On 3/2/21 6:57 AM, liu.ming50@gmail.com wrote:
> From: Ming Liu <ming.liu@toradex.com>
>
> Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these 
> patches applied, I could run a ima enabled image with sysvinit/systemd
> on qemuarm/qemuarm64 and some NXP machines.
>
> Ming Liu (9):
>   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
>   initramfs-framework-ima: fix a wrong path
>   ima-evm-keys: add recipe
>   initramfs-framework-ima: RDEPENDS on ima-evm-keys
>   meta: refactor IMA/EVM sign rootfs
>   README.md: update according to the refactoring in
>     ima-evm-rootfs.bbclass
>   initramfs-framework-ima: let ima_enabled return 0
>   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
>   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
>
>  meta-integrity/README.md                      |  4 ++-
>  meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
>  .../initrdscripts/initramfs-framework-ima.bb  |  2 +-
>  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
>  .../ima-evm-keys/ima-evm-keys_1.0.bb          | 16 +++++++++
>  .../ima-evm-utils/ima-evm-utils_git.bb        |  1 +
>  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
>  7 files changed, 41 insertions(+), 21 deletions(-)
>  create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
>



* Re: [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch
From: Ming Liu @ 2021-03-10 10:31 UTC (permalink / raw)
  To: akuster808; +Cc: yocto, Sergio Prado, Ming Liu


Hi, akuster808:

I saw this patch set has been merged to gatesgarth, may I ask, any plan for
dunfell? I am asking because dunfell is a LTS branch and many users are
building their products based on it. Thanks!

the best,
thank you

> series in build testing
>
> -armin
>
> On 3/2/21 6:57 AM, liu.ming50@gmail.com wrote:
> > From: Ming Liu <ming.liu@toradex.com>
> >
> > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
> > patches applied, I could run a ima enabled image with sysvinit/systemd
> > on qemuarm/qemuarm64 and some NXP machines.
> >
> > Ming Liu (9):
> >   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
> >   initramfs-framework-ima: fix a wrong path
> >   ima-evm-keys: add recipe
> >   initramfs-framework-ima: RDEPENDS on ima-evm-keys
> >   meta: refactor IMA/EVM sign rootfs
> >   README.md: update according to the refactoring in
> >     ima-evm-rootfs.bbclass
> >   initramfs-framework-ima: let ima_enabled return 0
> >   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
> >   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
> >
> >  meta-integrity/README.md                      |  4 ++-
> >  meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
> >  .../initrdscripts/initramfs-framework-ima.bb  |  2 +-
> >  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
> >  .../ima-evm-keys/ima-evm-keys_1.0.bb          | 16 +++++++++
> >  .../ima-evm-utils/ima-evm-utils_git.bb        |  1 +
> >  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
> >  7 files changed, 41 insertions(+), 21 deletions(-)
> >  create mode 100644 meta-integrity/recipes-security/ima-evm-keys/
> ima-evm-keys_1.0.bb
> >
>
>



* Re: [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch
From: akuster @ 2021-03-10 15:41 UTC (permalink / raw)
  To: Ming Liu; +Cc: yocto, Sergio Prado, Ming Liu



On 3/10/21 2:31 AM, Ming Liu wrote:
> Hi, akuster808:
>
> I saw this patch set has been merged to gatesgarth, may I ask, any
> plan for dunfell? I am asking because dunfell is a LTS branch and many
> users are building their products based on it. Thanks!
that are being built current. I can only build one branch at a time and it
takes time to do each.  Things are looking good so I suspect the
changes will land in the next day or so.

-armin
>
> the best,
> thank you
>
>     series in build testing
>
>     -armin
>
>     On 3/2/21 6:57 AM, liu.ming50@gmail.com
>     <mailto:liu.ming50@gmail.com> wrote:
>     > From: Ming Liu <ming.liu@toradex.com <mailto:ming.liu@toradex.com>>
>     >
>     > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
>     > patches applied, I could run a ima enabled image with
>     sysvinit/systemd
>     > on qemuarm/qemuarm64 and some NXP machines.
>     >
>     > Ming Liu (9):
>     >   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
>     >   initramfs-framework-ima: fix a wrong path
>     >   ima-evm-keys: add recipe
>     >   initramfs-framework-ima: RDEPENDS on ima-evm-keys
>     >   meta: refactor IMA/EVM sign rootfs
>     >   README.md: update according to the refactoring in
>     >     ima-evm-rootfs.bbclass
>     >   initramfs-framework-ima: let ima_enabled return 0
>     >   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
>     >   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
>     >
>     >  meta-integrity/README.md                      |  4 ++-
>     >  meta-integrity/classes/ima-evm-rootfs.bbclass | 33
>     +++++++++----------
>     >  .../initrdscripts/initramfs-framework-ima.bb
>     <http://initramfs-framework-ima.bb>  |  2 +-
>     >  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
>     >  .../ima-evm-keys/ima-evm-keys_1.0.bb
>     <http://ima-evm-keys_1.0.bb>          | 16 +++++++++
>     >  .../ima-evm-utils/ima-evm-utils_git.bb
>     <http://ima-evm-utils_git.bb>        |  1 +
>     >  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
>     >  7 files changed, 41 insertions(+), 21 deletions(-)
>     >  create mode 100644
>     meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
>     <http://ima-evm-keys_1.0.bb>
>     >
>



* Re: [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch
From: akuster @ 2021-03-12  4:49 UTC (permalink / raw)
  To: Ming Liu; +Cc: yocto, Sergio Prado, Ming Liu

merged.

thanks.

On 3/10/21 2:31 AM, Ming Liu wrote:
> Hi, akuster808:
>
> I saw this patch set has been merged to gatesgarth, may I ask, any
> plan for dunfell? I am asking because dunfell is a LTS branch and many
> users are building their products based on it. Thanks!
>
> the best,
> thank you
>
>     series in build testing
>
>     -armin
>
>     On 3/2/21 6:57 AM, liu.ming50@gmail.com
>     <mailto:liu.ming50@gmail.com> wrote:
>     > From: Ming Liu <ming.liu@toradex.com <mailto:ming.liu@toradex.com>>
>     >
>     > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
>     > patches applied, I could run a ima enabled image with
>     sysvinit/systemd
>     > on qemuarm/qemuarm64 and some NXP machines.
>     >
>     > Ming Liu (9):
>     >   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
>     >   initramfs-framework-ima: fix a wrong path
>     >   ima-evm-keys: add recipe
>     >   initramfs-framework-ima: RDEPENDS on ima-evm-keys
>     >   meta: refactor IMA/EVM sign rootfs
>     >   README.md: update according to the refactoring in
>     >     ima-evm-rootfs.bbclass
>     >   initramfs-framework-ima: let ima_enabled return 0
>     >   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
>     >   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
>     >
>     >  meta-integrity/README.md                      |  4 ++-
>     >  meta-integrity/classes/ima-evm-rootfs.bbclass | 33
>     +++++++++----------
>     >  .../initrdscripts/initramfs-framework-ima.bb
>     <http://initramfs-framework-ima.bb>  |  2 +-
>     >  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
>     >  .../ima-evm-keys/ima-evm-keys_1.0.bb
>     <http://ima-evm-keys_1.0.bb>          | 16 +++++++++
>     >  .../ima-evm-utils/ima-evm-utils_git.bb
>     <http://ima-evm-utils_git.bb>        |  1 +
>     >  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
>     >  7 files changed, 41 insertions(+), 21 deletions(-)
>     >  create mode 100644
>     meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
>     <http://ima-evm-keys_1.0.bb>
>     >
>


