* [meta-security][PATCH 0/8] Fix IMA and EVM support
@ 2023-04-28 12:23 Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys Stefan Berger
                   ` (8 more replies)
  0 siblings, 9 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

This series of patches fixes the current support for IMA and EVM
by removing outdated patches for example and adding kernel config
options. I have tried out these patches with OpenBMC where the
appraisal policy now enforces signed executables and libraries.

   Stefan

Stefan Berger (8):
  ima: Document and replace keys and adapt scripts for EC keys
  ima: Fix the ima_policy_appraise_all to appraise executables &
    libraries
  ima: Fix the IMA kernel feature
  ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
  ima: Sign all executables and the ima-policy in the root filesystem
  integrity: Update the README for IMA support
  linux: overlayfs: Add kernel patch resolving a file change
    notification issue
  ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch

 meta-integrity/README.md                      |  22 +--
 meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
 meta-integrity/data/debug-keys/README.md      |  17 +++
 .../data/debug-keys/ima-local-ca.pem          |  15 ++
 .../data/debug-keys/ima-local-ca.priv         |   7 +
 .../data/debug-keys/privkey_ima.pem           |  17 +--
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
 ...Increment-iversion-upon-file-changes.patch |  42 ++++++
 ...for-creating-files-using-the-mknodat.patch | 138 ------------------
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
 .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
 .../recipes-kernel/linux/linux/ima.scc        |   4 +
 .../recipes-kernel/linux/linux_ima.inc        |  11 +-
 ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
 .../files/ima_policy_appraise_all             |   9 +-
 meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
 meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
 20 files changed, 240 insertions(+), 333 deletions(-)
 create mode 100644 meta-integrity/data/debug-keys/README.md
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
 delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

-- 
2.34.1




* [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries Stefan Berger
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

For shorter file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/data/debug-keys/README.md      |  17 ++++++++
 .../data/debug-keys/ima-local-ca.pem          |  15 +++++++
 .../data/debug-keys/ima-local-ca.priv         |   7 +++
 .../data/debug-keys/privkey_ima.pem           |  17 ++------
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
 meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 ++--
 meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +--
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------------------
 8 files changed, 50 insertions(+), 62 deletions(-)
 create mode 100644 meta-integrity/data/debug-keys/README.md
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
 create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
 delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md
new file mode 100644
index 0000000..e613968
--- /dev/null
+++ b/meta-integrity/data/debug-keys/README.md
@@ -0,0 +1,17 @@
+# EVM & IMA keys
+
+The following IMA & EVM debug/test keys are in this directory
+
+- ima-local-ca.priv: The CA's private key (password: 1234)
+- ima-local-ca.pem: The CA's self-signed certificate
+- privkey_ima.pem: IMA & EVM private key used for signing files
+- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
+
+The CA's (self-signed) certificate can be used to verify the validity of
+the x509_ima.der certificate. Since the CA certificate will be built into
+the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
+pass this test:
+
+```
+  openssl verify -CAfile ima-local-ca.pem x509_ima.der
+````
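Review bot: the closing fence on the last line of the new README has four backticks where the opening fence two lines up has three, so the openssl verify block will not close cleanly in most markdown renderers; make both fences three backticks. Two smaller points on the same block: x509_ima.der is DER while `openssl verify` on OpenSSL 1.1.x reads PEM input only, so the documented command should be checked on the OpenSSL version the layer targets or be preceded by a conversion such as `openssl x509 -inform DER -in x509_ima.der -out x509_ima.pem`; and since the CA private key and its password are published in this directory, the README should say plainly that these keys are for debug images only and that IMA_EVM_KEY_DIR must point at a privately generated set for any other build.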
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem
new file mode 100644
index 0000000..4b48be4
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv
new file mode 100644
index 0000000..e13de23
--- /dev/null
+++ b/meta-integrity/data/debug-keys/ima-local-ca.priv
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw
+DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK
+x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems
+lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY
+LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem
index 502a0b6..8362cfe 100644
--- a/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,16 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU
-Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6
-IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p
-OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1
-lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW
-HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV
-aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA
-TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue
-WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb
-SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1
-xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+
-CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q
-1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ
-3vVaxg2EfqB1
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm
+SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj
+cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv
 -----END PRIVATE KEY-----
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der
index 087ca6bea53c172e7eb9a269183a32b3ecbd3aaa..3f6f24e61373912cf39598a427fba09c75e74592 100644
GIT binary patch
delta 420
zcmX@i`i8~Opou91h<O(<GchtTiD=rcII<&lhOg5x2csv6GWV}f4iz@wV&l+i^EhYA
z!pvk)J8_>lmxF;F8*?ZNGmrVi`wCpisYNB3X_?81B@_P|D=3Kb8W|gy7?~NG8JU?_
zL`m=)8G-~1j35FNcbC>j8VIwogN<ZjgqqFF$j<D<z+!$iFVb;(%pvuJ<(fISns=_%
zX4i{aT(C@vCwBhc$GlJWe_&@+`rJMHyzM?CXWP|VqAV45_<UoZCz_vl@SoSg{KcgP
z#Rfb;$H@vaGX7^_GGH*^2J!e=fR1NxFc1TA>QzB<JRpB*voW%=vNJOq$buyJSj1RF
zZWqVLdDo{rj0+P#;Q6gwKHcEmUjuoNv@(l?fmnmc{_`Dy$$c?bxA=q`?p+u2{6ym;
z7UVEu_GB<{V^U-|P`Rr*Zt2H)ZYL%h?fkphW$TAIuj+!<Jp8V8P$_X&W#na`nl+6t
jyo(z`O1=2)rOw6#XzVCl=Wr*re40+_o3v9q-v<EzPIQdl

delta 490
zcmaFEa+p=!powWe5Nj-8W@2Pw;$&Ev_Kw}@@5(*{UN%mxHjlRNyo`*jtPB$`lqe{O
z^BS5N7#bNGn44Odm_$kN8yOm!8X6f{Km;b9FRgE!kF1fAm4Ugjm%*U1lc}+hVUC$}
zc}dOLUu%zuu-zB^tF}`0t?JRFI?n#~f-^NtqBFjhSiNAqvqD->PE|cYtyQwn<Nj1H
z3B9?0vaJ*|-5Yv!3vD)^p1yAS12307`|o^Cp0IYYip$g7*8!(ru)Jc`ZEi`kt&eli
z$<)!_r)jl8UaM^3f)jggT=nRXSbHcXX;!u=6Eh<N<KkF@XagQL=1^H-M#ldvOa=@F
z+#nu53kx$7dxL>2h{MMs#v)Q%T$8e2$NAsBg}3FLd+H7cC8Z`C$b+PnStJa^8n7s+
z2dY2~IA);7CE4|y8dgPru-Va-?r`+w*M{B4Qk8-~RJ~DstJG$5*M+C#eBA$qBA?IQ
zi#XD!^?xaMa-hvFpF;7>h^4<)8&z1mFsnIzMy+W^{27zLSGM&o2WzB{WS3ukm~v04
seSbc0i;m3fSIP33d0S_T-F&dflIgem)LYJa+g7k1Pdm)DaOK<z0Cl&yl>h($

diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@ CAKEY=${2:-ima-local-ca.priv}
 
 cat << __EOF__ >$GENKEY
 [ req ]
-default_bits = 1024
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
@@ -36,13 +35,15 @@ basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer
 __EOF__
 
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
-        -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+        -out csr_ima.pem -keyout privkey_ima.pem \
+        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
         -CA $CA -CAkey $CAKEY -CAcreateserial \
         -outform DER -out x509_ima.der
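Review bot: the leaf certificate lifetime jumps from 365 to 36500 days in the openssl x509 invocation; that is harmless for the checked-in debug keys, but this script is also what users run for their own signing keys, so consider taking the lifetime from a variable with 365 as the default or documenting the choice. The `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` matches the P-256 key checked in as privkey_ima.pem and the CONFIG_CRYPTO_ECDSA=y added in patch 3, and `extendedKeyUsage=critical,codeSigning` with -sha256 is a sound replacement for the previous -sha1 setup. $GENKEY, $CA and $CAKEY remain unquoted; pre-existing, but a key directory containing spaces would break the script.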
diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@ GENKEY=ima-local-ca.genkey
 
 cat << __EOF__ >$GENKEY
 [ req ]
-default_bits = 2048
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
@@ -33,10 +32,11 @@ emailAddress = john.doe@example.com
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
 __EOF__
 
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
         -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
 
 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
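Review bot: `keyUsage = cRLSign, keyCertSign` is now emitted but neither it nor `basicConstraints=CA:TRUE` is marked critical; RFC 5280 says a CA should mark keyUsage critical when present, so `keyUsage = critical, cRLSign, keyCertSign` and `basicConstraints = critical, CA:TRUE` would be the stricter form. As with the leaf script, -days 36500 gives the CA a 100-year lifetime, fine for a debug CA but worth a comment for anyone reusing the script. Without -nodes the CA key is written encrypted and openssl prompts for the passphrase, which is consistent with the README's "password: 1234" note for the committed key.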
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
-        -x509 -config $GENKEY \
-	-outform DER -out x509_ima.der -keyout privkey_ima.pem
-- 
2.34.1




* [meta-security][PATCH 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 3/8] ima: Fix the IMA kernel feature Stefan Berger
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Fix the ima_policy_appraise_all policy to appraise all executables
and libraries. Also update the list of files that are not appraised to not
appraise cgroup-related files.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 .../files/ima_policy_appraise_all                        | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 36e71a7..3498025 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,5 +25,12 @@ dont_appraise fsmagic=0xf97cff8c
 dont_appraise fsmagic=0x6e736673
 # EFIVARFS_MAGIC
 dont_appraise fsmagic=0xde5e81e4
+# Cgroup
+dont_appraise fsmagic=0x27e0eb
+# Cgroup2
+dont_appraise fsmagic=0x63677270
 
-appraise
+# Appraise libraries
+appraise func=MMAP_CHECK mask=MAY_EXEC
+# Appraise executables
+appraise func=BPRM_CHECK
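Review bot: replacing the bare appraise rule with func=MMAP_CHECK and func=BPRM_CHECK narrows appraisal to executed and mmap-exec'd files; anything previously appraised on the FILE_CHECK hook (files opened for reading, including scripts read by an interpreter rather than exec'd, and configuration files) is no longer covered, and the commit message should state that this narrowing is intended. Neither new rule carries appraise_type=imasig, so the cover letter's "enforces signed executables and libraries" only holds as long as no hash-only security.ima values exist on the image; adding `appraise_type=imasig` to both rules makes the signature requirement explicit. The two dont_appraise additions are correctly placed before the appraise rules, and the magic values match CGROUP_SUPER_MAGIC and CGROUP2_SUPER_MAGIC.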
-- 
2.34.1




* [meta-security][PATCH 3/8] ima: Fix the IMA kernel feature
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY Stefan Berger
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding
kernel configuration options for IMA and EVM.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass |   5 +-
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
 ...for-creating-files-using-the-mknodat.patch | 138 ------------------
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
 .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
 .../recipes-kernel/linux/linux/ima.scc        |   4 +
 .../recipes-kernel/linux/linux_ima.inc        |  10 +-
 7 files changed, 63 insertions(+), 251 deletions(-)
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 57de2f6..3cb0d07 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
 # with a .x509 suffix. See linux-%.bbappend for details.
 #
 # ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= ""
+IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
 
 # Sign all regular files by default.
 IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
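Review bot: the default IMA_EVM_ROOT_CA now points at the debug CA in meta-integrity/data/debug-keys, whose private key and password are committed in patch 1, and later in this patch that file becomes CONFIG_SYSTEM_TRUSTED_KEYS; a build that forgets to override IMA_EVM_KEY_DIR or IMA_EVM_ROOT_CA therefore ships a kernel that trusts a publicly known CA. Consider keeping the default empty and failing the build with a clear message when the variable is unset, or at least emitting a bbwarn when the path still points into the debug-keys directory. The comment two lines above ("ima-local-ca.x509 is what ima-gen-local-ca.sh creates") should also be updated, since the default is now the .pem that the same script derives from the .x509.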
@@ -31,6 +31,9 @@ IMA_EVM_ROOTFS_IVERSION ?= ""
 # Avoid re-generating fstab when ima is enabled.
 WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
 
+# Add necessary tools (e.g., keyctl) to image
+IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
+
 ima_evm_sign_rootfs () {
     cd ${IMAGE_ROOTFS}
 
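Review bot: the comment says "e.g., keyctl" but keyctl ships in the keyutils package, while ima-evm-utils provides evmctl; either add keyutils to this IMAGE_INSTALL:append as well, or reword the comment to name evmctl and rely on the ima-evm-utils recipe pulling keyutils in through RDEPENDS if that is how it is set up.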
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
deleted file mode 100644
index 64016dd..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Tue, 8 Mar 2016 16:43:55 -0500
-Subject: [PATCH] ima: fix ima_inode_post_setattr
-
-Changing file metadata (eg. uid, guid) could result in having to
-re-appraise a file's integrity, but does not change the "new file"
-status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
-IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
-only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
-
-With this patch, changing the file timestamp will not remove the
-file signature on new files.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
-
-Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- security/integrity/ima/ima_appraise.c | 2 +-
- security/integrity/integrity.h        | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..a384ba1 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
- 	if (iint) {
- 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
- 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
--				 IMA_ACTION_FLAGS);
-+				 IMA_ACTION_RULE_FLAGS);
- 		if (must_appraise)
- 			iint->flags |= IMA_APPRAISE;
- 	}
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index 0fc9519..f9decae 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -28,6 +28,7 @@
- 
- /* iint cache flags */
- #define IMA_ACTION_FLAGS	0xff000000
-+#define IMA_ACTION_RULE_FLAGS	0x06000000
- #define IMA_DIGSIG		0x01000000
- #define IMA_DIGSIG_REQUIRED	0x02000000
- #define IMA_PERMIT_DIRECTIO	0x04000000
--- 
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
deleted file mode 100644
index 6ab7ce2..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.vnet.ibm.com>
-Date: Thu, 10 Mar 2016 18:19:20 +0200
-Subject: [PATCH] ima: add support for creating files using the mknodat
- syscall
-
-Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
-stopped identifying empty files as new files.  However new empty files
-can be created using the mknodat syscall.  On systems with IMA-appraisal
-enabled, these empty files are not labeled with security.ima extended
-attributes properly, preventing them from subsequently being opened in
-order to write the file data contents.  This patch marks these empty
-files, created using mknodat, as new in order to allow the file data
-contents to be written.
-
-Files with security.ima xattrs containing a file signature are considered
-"immutable" and can not be modified.  The file contents need to be
-written, before signing the file.  This patch relaxes this requirement
-for new files, allowing the file signature to be written before the file
-contents.
-
-Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
-
-Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
----
- fs/namei.c                            |  2 ++
- include/linux/ima.h                   |  7 ++++++-
- security/integrity/ima/ima_appraise.c |  3 +++
- security/integrity/ima/ima_main.c     | 32 +++++++++++++++++++++++++++++++-
- 4 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index ccd7f98..19502da 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -3526,6 +3526,8 @@ retry:
- 	switch (mode & S_IFMT) {
- 		case 0: case S_IFREG:
- 			error = vfs_create(path.dentry->d_inode,dentry,mode,true);
-+			if (!error)
-+				ima_post_path_mknod(dentry);
- 			break;
- 		case S_IFCHR: case S_IFBLK:
- 			error = vfs_mknod(path.dentry->d_inode,dentry,mode,
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 120ccc5..7f51971 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
- extern int ima_file_mmap(struct file *file, unsigned long prot);
- extern int ima_module_check(struct file *file);
- extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
--
-+extern void ima_post_path_mknod(struct dentry *dentry);
- #else
- static inline int ima_bprm_check(struct linux_binprm *bprm)
- {
-@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
- 	return 0;
- }
- 
-+static inline void ima_post_path_mknod(struct dentry *dentry)
-+{
-+	return;
-+}
-+
- #endif /* CONFIG_IMA */
- 
- #ifdef CONFIG_IMA_APPRAISE
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4df493e..20806ea 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -274,6 +274,11 @@ out:
- 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
- 			if (!ima_fix_xattr(dentry, iint))
- 				status = INTEGRITY_PASS;
-+		} else if ((inode->i_size == 0) &&
-+			   (iint->flags & IMA_NEW_FILE) &&
-+			   (xattr_value &&
-+			    xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
-+			status = INTEGRITY_PASS;
- 		}
- 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
- 				    op, cause, rc, 0);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index eeee00dc..705bf78 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
- 		ima_audit_measurement(iint, pathname);
- 
- out_digsig:
--	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
-+	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
-+	     !(iint->flags & IMA_NEW_FILE))
- 		rc = -EACCES;
- 	kfree(xattr_value);
- out_free:
-@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
- EXPORT_SYMBOL_GPL(ima_file_check);
- 
- /**
-+ * ima_post_path_mknod - mark as a new inode
-+ * @dentry: newly created dentry
-+ *
-+ * Mark files created via the mknodat syscall as new, so that the
-+ * file data can be written later.
-+ */
-+void ima_post_path_mknod(struct dentry *dentry)
-+{
-+	struct integrity_iint_cache *iint;
-+	struct inode *inode;
-+	int must_appraise;
-+
-+	if (!dentry || !dentry->d_inode)
-+		return;
-+
-+	inode = dentry->d_inode;
-+	if (inode->i_size != 0)
-+		return;
-+
-+	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
-+	if (!must_appraise)
-+		return;
-+
-+	iint = integrity_inode_get(inode);
-+	if (iint)
-+		iint->flags |= IMA_NEW_FILE;
-+}
-+
-+/**
-  * ima_module_check - based on policy, collect/store/appraise measurement.
-  * @file: pointer to the file to be measured/appraised
-  *
--- 
-2.5.0
-
diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
deleted file mode 100644
index 157c007..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 15 Nov 2016 10:10:23 +0100
-Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
- modes"
-
-This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
-
-The original motivation was security hardening ("File hashes are
-automatically set and updated and should not be manually set.")
-
-However, that hardening ignores and breaks some valid use cases:
-- File hashes might not be set because the file is currently
-  outside of the policy and therefore have to be set by the
-  creator. Examples:
-  - Booting into an initramfs with an IMA-enabled kernel but
-    without setting an IMA policy, then installing
-    the OS onto the target partition by unpacking a rootfs archive
-    which has the file hashes pre-computed.
-  - Unpacking a file into a staging area with meta data (like owner)
-    that leaves the file outside of the current policy, then changing
-    the meta data such that it becomes part of the current policy.
-- "should not be set manually" implies that the creator is aware
-  of IMA semantic, the current system's configuration, and then
-  skips setting file hashes in security.ima if (and only if) the
-  kernel would prevent it. That's not the case for standard, unmodified
-  tools. Example: unpacking an archive with security.ima xattrs with
-  bsdtar or GNU tar.
-
-Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- security/integrity/ima/ima_appraise.c | 8 ++------
- 1 file changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 4b9b4a4..b8b2dd9 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
- 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
- 				   xattr_value_len);
- 	if (result == 1) {
--		bool digsig;
--
- 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
- 			return -EINVAL;
--		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
--		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
--			return -EPERM;
--		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
-+		ima_reset_appraise_flags(d_backing_inode(dentry),
-+			 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
- 		result = 0;
- 	}
- 	return result;
--- 
-2.1.4
-
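Review bot: dropping this revert re-enables the upstream restriction it undid, i.e. with appraisal in enforce mode userspace can no longer write a hash-only security.ima, only a signature; that is the stricter behaviour and consistent with the rest of this series, but it changes what the unpack-with-xattrs workflows the revert describes (the tar/bsdtar case) can do on a running system, so the commit message should say so explicitly rather than only "remove outdated patches". The other two deleted patches are marked Upstream-Status: Accepted, so their removal needs no further justification.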
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
new file mode 100644
index 0000000..86fb3aa
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -0,0 +1,46 @@
+CONFIG_SQUASHFS_XATTR=y
+CONFIG_KEYS=y
+CONFIG_ASYMMETRIC_KEY_TYPE=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
+CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
+CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
+CONFIG_CRYPTO_ECDSA=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
+# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
+# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_APPRAISE_SIGNED_INIT=y
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+# CONFIG_EVM_LOAD_X509 is not set
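Review bot: CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" is a BitBake variable reference inside a kernel config fragment that kconf applies verbatim; it only becomes a real path through the sed in linux_ima.inc later in this patch, so the fragment is not usable on its own and the kernel-yocto config audit may report a mismatch between the requested and the final value. Either generate the fragment from a template at configure time or leave this option out of ima.cfg and set it only from the .inc. Otherwise the selection is coherent: CONFIG_CRYPTO_ECDSA=y and CONFIG_IMA_DEFAULT_HASH="sha256" line up with the P-256/sha256 keys from patch 1, and CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y means the policy file itself must carry a valid signature, which is what patch 5 ("Sign ... the ima-policy") provides.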
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc
new file mode 100644
index 0000000..6eb84b0
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable IMA"
+
+kconf non-hardware ima.cfg
+
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 3ab53e5..0b6f530 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,4 +1,12 @@
-KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+FILESEXTRAPATHS:append := "${THISDIR}/linux:"
+
+SRC_URI += " \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+"
+
+do_configure() {
+    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+}
 
 KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
 
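Review bot: `do_configure() { ... }` in an .inc that the kernel recipe includes replaces the configure task inherited from the kernel class instead of extending it, so the kernel's own configuration step no longer runs before the `sed`; make this `do_configure:append()` and, as the SRC_URI line above already does, gate it on the `ima` DISTRO_FEATURE so a non-IMA build does not rewrite CONFIG_SYSTEM_TRUSTED_KEYS. The `sed -i` is also a silent no-op when `.config` carries no `CONFIG_SYSTEM_TRUSTED_KEYS=` line, so follow it with a `grep -q` that fails the task if `${IMA_EVM_ROOT_CA}` did not land in the config.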
-- 
2.34.1





* [meta-security][PATCH 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (2 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 3/8] ima: Fix the IMA kernel feature Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 5/8] ima: Sign all executables and the ima-policy in the root filesystem Stefan Berger
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

The IMA policy will be specified using the IMA_EVM_POLICY variable since
systemd will not be involved in loading the policy but the init script will
load it.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/README.md                      | 2 +-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index eae1c57..816b40d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
 changes. To activate policy loading via systemd, place a policy file
 in `/etc/ima/ima-policy`, for example with:
 
-    IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
+    IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
 
 To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
 
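Review bot: the context around the renamed variable still reads "To activate policy loading via systemd" (and the hunk header refers to the systemd 2.18 breakage), which contradicts the commit message's point that the init script, not systemd, now loads the policy; reword those sentences in the same change so the README does not describe a mechanism the layer no longer uses.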
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 3cb0d07..6902d69 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () {
     find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
 
     # Optionally install custom policy for loading by systemd.
-    if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
+    if [ "${IMA_EVM_POLICY}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
-        install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
+        install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
     fi
 }
 
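Review bot: the comment `# Optionally install custom policy for loading by systemd.` above the changed condition still names systemd as the loader; update it together with the variable rename (for example "for loading by the init script") so the class comment matches the commit message.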
-- 
2.34.1




* [meta-security][PATCH 5/8] ima: Sign all executables and the ima-policy in the root filesystem
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (3 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 6/8] integrity: Update the README for IMA support Stefan Berger
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 25 +++++++++++++++----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 6902d69..98c4bc1 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -62,17 +62,32 @@ ima_evm_sign_rootfs () {
        perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
     fi
 
-    # Sign file with private IMA key. EVM not supported at the moment.
-    bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
-    find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
-    bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
-    find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
+    # Detect 32bit target to pass --m32 to evmctl by looking at libc
+    tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
+    if [ "${tmp}" = "ELF 32-bit" ]; then
+        evmctl_param="--m32"
+    elif [ "${tmp}" = "ELF 64-bit" ]; then
+        evmctl_param=""
+    else
+        bberror "Unknown target architecture bitness: '${tmp}'" >&2
+        exit 1
+    fi
+
+    bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
+    evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+
+    # check signing key and signature verification key
+    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
 
     # Optionally install custom policy for loading by systemd.
     if [ "${IMA_EVM_POLICY}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
         install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+
+        bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
+        evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
     fi
 }
 
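Review bot: the bitness probe hard-codes `${IMAGE_ROOTFS}/lib/libc.so.6`, so on a usr-merged rootfs (`/usr/lib`), a `lib64` multilib layout or a musl image the `file` call matches nothing and the task aborts with "Unknown target architecture bitness"; deriving `--m32` from `SITEINFO_BITS` (or at least building the path from `${base_libdir}`) removes the dependency on a glibc-specific location, and the same hard-coded path is reused by the post-sign `evmctl ima_verify`/`evmctl verify` checks. Also, the policy is installed to `./${sysconfdir}/ima/ima-policy` but signed at the literal `${IMAGE_ROOTFS}/etc/ima/ima-policy`; use `${sysconfdir}` in both places so the two cannot drift apart. Minor: `bberror ... >&2; exit 1` is what `bbfatal` does in one call.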
-- 
2.34.1




* [meta-security][PATCH 6/8] integrity: Update the README for IMA support
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (4 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 5/8] ima: Sign all executables and the ima-policy in the root filesystem Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:23 ` [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue Stefan Berger
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Update the README describing how IMA support can be used.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 meta-integrity/README.md | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 816b40d..1a37280 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -76,7 +76,7 @@ other layers needed. e.g.:
 
 It has some dependencies on a suitable BSP; in particular the kernel
 must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 3.19 and uses some features (like loading X509 certificates
+Linux 6.1 and uses some features (like loading X509 certificates
 directly from the kernel) which were added in that release. Your
 mileage may vary with older kernels.
 
@@ -89,10 +89,17 @@ Adding the layer only enables IMA (see below regarding EVM) during
 compilation of the Linux kernel. To also activate it when building
 the image, enable image signing in the local.conf like this:
 
+    DISTRO_FEATURES:append = " integrity ima"
+
     IMAGE_CLASSES += "ima-evm-rootfs"
+
     IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
     IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
     IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
+    IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+
+    # The following policy enforces IMA & EVM signatures
+    IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
 
 This uses the default keys provided in the "data" directory of the layer.
 Because everyone has access to these private keys, such an image
@@ -113,10 +120,7 @@ for that are included in the layer. This is also how the
     cd $IMA_EVM_KEY_DIR
     # In that shell, create the keys. Several options exist:
 
-    # 1. Self-signed keys.
-    $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
-
-    # 2. Keys signed by a new CA.
+    # 1. Keys signed by a new CA.
     # When asked for a PEM passphrase, that will be for the root CA.
     # Signing images then will not require entering that passphrase,
     # only creating new certificates does. Most likely the default
@@ -125,13 +129,11 @@ for that are included in the layer. This is also how the
     # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
     # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
 
-    # 3. Keys signed by an existing CA.
+    # 2. Keys signed by an existing CA.
     # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
     exit
 
-When using ``ima-self-signed.sh`` as described above, self-signed keys
-are created. Alternatively, one can also use keys signed by a CA.  The
-``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
 and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
 supports adding tha CA's public key to the kernel's system keyring by
 compiling it directly into the kernel. Because it is unknown whether
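Review bot: the new sentence refers to ``ima-gen.sh``, but the script the shell block above invokes is ``ima-gen-CA-signed.sh`` (the series touches ima-gen-CA-signed.sh and ima-gen-local-ca.sh, not an ima-gen.sh); fix the name. While here, the unchanged context has the typo "tha CA's public key", and it credits ``ima-evm-rootfs.bbclass`` with compiling the CA into the kernel although in this series that is done by the `do_configure` in `linux_ima.inc` via CONFIG_SYSTEM_TRUSTED_KEYS (patch 3/8).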
-- 
2.34.1




* [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (5 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 6/8] integrity: Update the README for IMA support Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-28 12:48   ` [yocto] " Mikko Rapeli
  2023-04-28 12:23 ` [meta-security][PATCH 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch Stefan Berger
  2023-04-30 14:16 ` [meta-security][PATCH 0/8] Fix IMA and EVM support akuster808
  8 siblings, 1 reply; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Add a temporary patch that resolves a file change notification issue
with overlayfs where IMA did not become aware of the file changes
since the 'lower' inode's i_version had not changed. The issue will be
resolved in later kernels with the following patch that builds on
newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:

https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
 .../recipes-kernel/linux/linux_ima.inc        |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch

diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
new file mode 100644
index 0000000..d2b5c28
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
@@ -0,0 +1,42 @@
+From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Thu, 6 Apr 2023 11:27:29 -0400
+Subject: [PATCH] ovl: Increment iversion upon file changes
+
+This is a temporary patch for kernels that do not implement
+STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
+
+https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
+
+Increment the lower inode's iversion for IMA to be able to recognize
+changes to the file.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ fs/overlayfs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index 6011f955436b..1dfe5e7bfe1c 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -13,6 +13,7 @@
+ #include <linux/security.h>
+ #include <linux/mm.h>
+ #include <linux/fs.h>
++#include <linux/iversion.h>
+ #include "overlayfs.h"
+ 
+ struct ovl_aio_req {
+@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
+ 		if (ret != -EIOCBQUEUED)
+ 			ovl_aio_cleanup_handler(aio_req);
+ 	}
++	if (ret > 0)
++		inode_maybe_inc_iversion(inode, false);
+ out:
+ 	revert_creds(old_cred);
+ out_fdput:
+-- 
+2.34.1
+
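Review bot: the embedded patch carries no `Upstream-Status:` line (Mikko raises this downthread); since the description itself calls the change temporary and names a different successor patch, `Upstream-Status: Inappropriate [temporary workaround, superseded by <lore link>]` describes it better than Backport. The description also says it bumps the lower inode's iversion, while the hunk calls `inode_maybe_inc_iversion(inode, false)` on the `inode` local of `ovl_write_iter`, so state which inode that is; and only the write_iter path is instrumented, so say whether other write paths in fs/overlayfs/file.c were considered.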
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 0b6f530..9d48e5c 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
 
 SRC_URI += " \
     ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
+    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
 "
 
 do_configure() {
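Review bot: the overlayfs patch is added to SRC_URI unconditionally, while its own description limits it to kernels without STATX_CHANGE_COOKIE (<= 6.2); on a newer kernel it will be redundant or fail to apply, so either guard the line on the kernel version (e.g. via LINUX_VERSION) or record the constraint in a comment next to it.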
-- 
2.34.1




* [meta-security][PATCH 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (6 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue Stefan Berger
@ 2023-04-28 12:23 ` Stefan Berger
  2023-04-30 14:16 ` [meta-security][PATCH 0/8] Fix IMA and EVM support akuster808
  8 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:23 UTC (permalink / raw)
  To: yocto; +Cc: akuster808, Stefan Berger

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 +++++++++++++++++++
 ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |  9 +++--
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
new file mode 100644
index 0000000..3624576
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
@@ -0,0 +1,35 @@
+From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Tue, 18 Apr 2023 11:43:55 -0400
+Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
+
+If a signatures is detected as being portable do not attempt to read the
+generation with the ioctl since in some cases this may not be supported
+by the filesystem and is also not needed for computing a portable
+signature.
+
+This avoids the current work-around of passing --generation 0 when the
+ioctl is not supported by the filesystem.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/evmctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 6d2bb67..c35a28c 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ 	if (mode_str)
+ 		st.st_mode = strtoul(mode_str, NULL, 10);
+ 
+-	if (!evm_immutable) {
++	if (!evm_immutable && !evm_portable) {
+ 		if (S_ISREG(st.st_mode) && !generation_str) {
+ 			int fd = open(file, 0);
+ 
+---
+2.39.2
+
+
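Review bot: no `Upstream-Status:` line here either; record whether the change was submitted to ima-evm-utils upstream (`Submitted [<link>]` or `Pending`). The trailer is also malformed: the separator is `+---` where git writes `-- `, followed by two empty lines, so regenerate the file with `git format-patch`; and the description reads "If a signatures is detected" (a signature).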
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
similarity index 71%
rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
index 873aeeb..8ac080c 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
@@ -6,8 +6,13 @@ DEPENDS += "openssl attr keyutils"
 
 DEPENDS:class-native += "openssl-native keyutils-native"
 
-SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
-SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
+FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
+
+SRC_URI = " \
+    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
+    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
+"
+SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
 
 inherit pkgconfig autotools features_check
 
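Review bot: `FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"` is redundant for this recipe, because bitbake's default FILESPATH already searches `${THISDIR}/${BPN}`, which is the `ima-evm-utils/` directory the diffstat places the new patch in; for the native variant `${PN}` even expands to `ima-evm-utils-native`, a directory that does not exist. If the line is kept, the conventional form is `:prepend` so layer files take precedence.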
-- 
2.34.1




* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-04-28 12:23 ` [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue Stefan Berger
@ 2023-04-28 12:48   ` Mikko Rapeli
  2023-04-28 12:55     ` Stefan Berger
  0 siblings, 1 reply; 24+ messages in thread
From: Mikko Rapeli @ 2023-04-28 12:48 UTC (permalink / raw)
  To: Stefan Berger; +Cc: yocto, akuster808

Hi,

On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> Add a temporary patch that resolves a file change notification issue
> with overlayfs where IMA did not become aware of the file changes
> since the 'lower' inode's i_version had not changed. The issue will be
> resolved in later kernels with the following patch that builds on
> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> 
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459

Would be nice to have Upstream-Status for each patch. I guess status
would be Backport here.

Cheers,

-Mikko

> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
>  ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>  .../recipes-kernel/linux/linux_ima.inc        |  1 +
>  2 files changed, 43 insertions(+)
>  create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> 
> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> new file mode 100644
> index 0000000..d2b5c28
> --- /dev/null
> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> @@ -0,0 +1,42 @@
> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
> +From: Stefan Berger <stefanb@linux.ibm.com>
> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> +Subject: [PATCH] ovl: Increment iversion upon file changes
> +
> +This is a temporary patch for kernels that do not implement
> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
> +
> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> +
> +Increment the lower inode's iversion for IMA to be able to recognize
> +changes to the file.
> +
> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> +---
> + fs/overlayfs/file.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> +index 6011f955436b..1dfe5e7bfe1c 100644
> +--- a/fs/overlayfs/file.c
> ++++ b/fs/overlayfs/file.c
> +@@ -13,6 +13,7 @@
> + #include <linux/security.h>
> + #include <linux/mm.h>
> + #include <linux/fs.h>
> ++#include <linux/iversion.h>
> + #include "overlayfs.h"
> + 
> + struct ovl_aio_req {
> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
> + 		if (ret != -EIOCBQUEUED)
> + 			ovl_aio_cleanup_handler(aio_req);
> + 	}
> ++	if (ret > 0)
> ++		inode_maybe_inc_iversion(inode, false);
> + out:
> + 	revert_creds(old_cred);
> + out_fdput:
> +-- 
> +2.34.1
> +
> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> index 0b6f530..9d48e5c 100644
> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>  
>  SRC_URI += " \
>      ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>  "
>  
>  do_configure() {
> -- 
> 2.34.1
> 





* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-04-28 12:48   ` [yocto] " Mikko Rapeli
@ 2023-04-28 12:55     ` Stefan Berger
  2023-05-09 14:53       ` Jose Quaresma
       [not found]       ` <175D814EC55EF6C3.26836@lists.yoctoproject.org>
  0 siblings, 2 replies; 24+ messages in thread
From: Stefan Berger @ 2023-04-28 12:55 UTC (permalink / raw)
  To: Mikko Rapeli; +Cc: yocto, akuster808



On 4/28/23 08:48, Mikko Rapeli wrote:
> Hi,
> 
> On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> Add a temporary patch that resolves a file change notification issue
>> with overlayfs where IMA did not become aware of the file changes
>> since the 'lower' inode's i_version had not changed. The issue will be
>> resolved in later kernels with the following patch that builds on
>> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>>
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> 
> Would be nice to have Upstream-Status for each patch. I guess status
> would be Backport here.

It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
(alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
and have that referenced patch applied which isn't upstreamed so far, either.

For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...

      Stefan

> 
> Cheers,
> 
> -Mikko
> 
>> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ---
>>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>>   2 files changed, 43 insertions(+)
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>
>> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> new file mode 100644
>> index 0000000..d2b5c28
>> --- /dev/null
>> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> @@ -0,0 +1,42 @@
>> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>> +From: Stefan Berger <stefanb@linux.ibm.com>
>> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>> +Subject: [PATCH] ovl: Increment iversion upon file changes
>> +
>> +This is a temporary patch for kernels that do not implement
>> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>> +
>> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> +
>> +Increment the lower inode's iversion for IMA to be able to recognize
>> +changes to the file.
>> +
>> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> +---
>> + fs/overlayfs/file.c | 3 +++
>> + 1 file changed, 3 insertions(+)
>> +
>> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> +index 6011f955436b..1dfe5e7bfe1c 100644
>> +--- a/fs/overlayfs/file.c
>> ++++ b/fs/overlayfs/file.c
>> +@@ -13,6 +13,7 @@
>> + #include <linux/security.h>
>> + #include <linux/mm.h>
>> + #include <linux/fs.h>
>> ++#include <linux/iversion.h>
>> + #include "overlayfs.h"
>> +
>> + struct ovl_aio_req {
>> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>> + 		if (ret != -EIOCBQUEUED)
>> + 			ovl_aio_cleanup_handler(aio_req);
>> + 	}
>> ++	if (ret > 0)
>> ++		inode_maybe_inc_iversion(inode, false);
>> + out:
>> + 	revert_creds(old_cred);
>> + out_fdput:
>> +--
>> +2.34.1
>> +
>> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> index 0b6f530..9d48e5c 100644
>> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>>   
>>   SRC_URI += " \
>>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>>   "
>>   
>>   do_configure() {
>> -- 
>> 2.34.1
>>
> 
> 



* Re: [meta-security][PATCH 0/8] Fix IMA and EVM support
  2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
                   ` (7 preceding siblings ...)
  2023-04-28 12:23 ` [meta-security][PATCH 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch Stefan Berger
@ 2023-04-30 14:16 ` akuster808
  2023-05-01  0:33   ` [yocto] " Stefan Berger
  2023-05-08 16:12   ` Stefan Berger
  8 siblings, 2 replies; 24+ messages in thread
From: akuster808 @ 2023-04-30 14:16 UTC (permalink / raw)
  To: Stefan Berger, yocto


Stefan,

On 4/28/23 8:23 AM, Stefan Berger wrote:
> This series of patches fixes the current support for IMA and EVM
> by removing outdated patches for example and adding kernel config
> options. I have tried out these patches with OpenBMC where the
> appraisal policy now enforces signed executables and libraries.
>
>     Stefan

Thanks for the patches. It's nice to have a Content expert contribute.

There is a test suite I am using to double check things and it's not 
passing. I think it needs to be adapted to some of these changes.

see: meta-integrity/lib/oeqa/runtime/cases/ima.py


This is adding a delay on merging until I get the test sorted out on my end.

I do have a question regarding the Kernel config changes. Do we really 
need "CONFIG_SQUASHFS_XATTR=y" ?

BR,
Armin


>
> Stefan Berger (8):
>    ima: Document and replace keys and adapt scripts for EC keys
>    ima: Fix the ima_policy_appraise_all to appraise executables &
>      libraries
>    ima: Fix the IMA kernel feature
>    ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>    ima: Sign all executables and the ima-policy in the root filesystem
>    integrity: Update the README for IMA support
>    linux: overlayfs: Add kernel patch resolving a file change
>      notification issue
>    ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
>
>   meta-integrity/README.md                      |  22 +--
>   meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
>   meta-integrity/data/debug-keys/README.md      |  17 +++
>   .../data/debug-keys/ima-local-ca.pem          |  15 ++
>   .../data/debug-keys/ima-local-ca.priv         |   7 +
>   .../data/debug-keys/privkey_ima.pem           |  17 +--
>   meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
>   .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
>   ...Increment-iversion-upon-file-changes.patch |  42 ++++++
>   ...for-creating-files-using-the-mknodat.patch | 138 ------------------
>   ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
>   .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
>   .../recipes-kernel/linux/linux/ima.scc        |   4 +
>   .../recipes-kernel/linux/linux_ima.inc        |  11 +-
>   ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
>   ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
>   .../files/ima_policy_appraise_all             |   9 +-
>   meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
>   meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
>   meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
>   20 files changed, 240 insertions(+), 333 deletions(-)
>   create mode 100644 meta-integrity/data/debug-keys/README.md
>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
>   create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
>   delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
>




* Re: [yocto] [meta-security][PATCH 0/8] Fix IMA and EVM support
  2023-04-30 14:16 ` [meta-security][PATCH 0/8] Fix IMA and EVM support akuster808
@ 2023-05-01  0:33   ` Stefan Berger
  2023-05-02 11:41     ` akuster808
  2023-05-08 16:12   ` Stefan Berger
  1 sibling, 1 reply; 24+ messages in thread
From: Stefan Berger @ 2023-05-01  0:33 UTC (permalink / raw)
  To: Armin Kuster, yocto



On 4/30/23 10:16, Armin Kuster wrote:
> 
> Stefan,
> 
> On 4/28/23 8:23 AM, Stefan Berger wrote:
>> This series of patches fixes the current support for IMA and EVM
>> by removing outdated patches for example and adding kernel config
>> options. I have tried out these patches with OpenBMC where the
>> appraisal policy now enforces signed executables and libraries.
>>
>>     Stefan
> 
> Thanks for the patches. It's nice to have a Content expert contribute.
> 
> There is a test suite I am using to double check things and it's not passing. I think it needs to be adapted to some of these changes.
> 
> see: meta-integrity/lib/oeqa/runtime/cases/ima.py

How does one run the test suite? I have so far only used the changes with a build of OpenBMC.
I had seen the tests, though, and saw they assumed IMA was going to start before systemd.
In the OpenBMC log I see this here:

[    0.984195] ima: No TPM chip found, activating TPM-bypass!
[    0.985167] ima: Allocated hash algorithm: sha256
[    0.991810] ima: No architecture policies found

These are easy...

This one is due to me adding IMA policy load support into an init script:

Activated EVM: 2 [ activated with 0x80000002 ]
[    2.248222] ima: policy update completed

My patches for OpenBMC are here:

https://gerrit.openbmc.org/c/openbmc/openbmc/+/62933

This one has the init script changes: https://gerrit.openbmc.org/c/openbmc/openbmc/+/62929/1

> 
> 
> This is adding a delay on merging until I get the test sorted out on my end.
> 
> I do have a question regarding the Kernel config changes. Do we really need "CONFIG_SQUASHFS_XATTR=y" ?

I added this because OpenBMC uses squashfs and we need xattr support for security.ima and .evm.



Regards,
    Stefan

> 
> BR,
> Armin
> 
> 
>>
>> Stefan Berger (8):
>>    ima: Document and replace keys and adapt scripts for EC keys
>>    ima: Fix the ima_policy_appraise_all to appraise executables &
>>      libraries
>>    ima: Fix the IMA kernel feature
>>    ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>    ima: Sign all executables and the ima-policy in the root filesystem
>>    integrity: Update the README for IMA support
>>    linux: overlayfs: Add kernel patch resolving a file change
>>      notification issue
>>    ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
>>
>>   meta-integrity/README.md                      |  22 +--
>>   meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
>>   meta-integrity/data/debug-keys/README.md      |  17 +++
>>   .../data/debug-keys/ima-local-ca.pem          |  15 ++
>>   .../data/debug-keys/ima-local-ca.priv         |   7 +
>>   .../data/debug-keys/privkey_ima.pem           |  17 +--
>>   meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
>>   .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
>>   ...Increment-iversion-upon-file-changes.patch |  42 ++++++
>>   ...for-creating-files-using-the-mknodat.patch | 138 ------------------
>>   ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
>>   .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
>>   .../recipes-kernel/linux/linux/ima.scc        |   4 +
>>   .../recipes-kernel/linux/linux_ima.inc        |  11 +-
>>   ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
>>   ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
>>   .../files/ima_policy_appraise_all             |   9 +-
>>   meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
>>   meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
>>   meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
>>   20 files changed, 240 insertions(+), 333 deletions(-)
>>   create mode 100644 meta-integrity/data/debug-keys/README.md
>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
>>   create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
>>   delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
>>
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59823): https://lists.yoctoproject.org/g/yocto/message/59823
> Mute This Topic: https://lists.yoctoproject.org/mt/98557294/1792208
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [stefanb@linux.ibm.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


^ permalink raw reply	[flat|nested] 24+ messages in thread
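
The boot log lines quoted in the message above carry most of what a reviewer wants to know about the IMA/EVM state of an image. What follows is an added example, not code from meta-integrity, OpenBMC or the layer's ima.py test suite: it parses such lines, decodes the EVM activation value (0x80000002 is EVM_INIT_X509 | EVM_SETUP_COMPLETE according to the bit definitions in the kernel's security/integrity/evm/evm.h) and reports whether the custom IMA policy was loaded before or after systemd[1] started. The ima: lines in the sample are the ones posted in the thread; the systemd[1] line is constructed to give an ordering reference.

```python
"""Check IMA/EVM readiness from boot log lines.

Added example for this thread; it is not code from meta-integrity or from
the OpenBMC changes discussed above.  The message formats below are the
ones quoted in the thread plus one constructed systemd[1] line; the EVM
flag bits follow the kernel's security/integrity/evm/evm.h.
"""
import re

# Bits reported in "Activated EVM: N [ activated with 0x... ]" (evm.h)
EVM_FLAGS = {
    0x00000001: "EVM_INIT_HMAC",
    0x00000002: "EVM_INIT_X509",
    0x00000004: "EVM_ALLOW_METADATA_WRITES",
    0x80000000: "EVM_SETUP_COMPLETE",
}

DMESG_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
EVM_RE = re.compile(r"Activated EVM: \d+ \[ activated with 0x(?P<flags>[0-9a-fA-F]+) \]")

# Constructed sample: the ima: lines are the ones posted in the thread, the
# systemd[1] line is made up to give an ordering reference.
SAMPLE_LOG = [
    "[    0.984195] ima: No TPM chip found, activating TPM-bypass!",
    "[    0.985167] ima: Allocated hash algorithm: sha256",
    "[    0.991810] ima: No architecture policies found",
    "[    1.734211] systemd[1]: systemd 253 running in system mode (constructed)",
    "Activated EVM: 2 [ activated with 0x80000002 ]",
    "[    2.248222] ima: policy update completed",
]


def decode_evm_flags(flags: int) -> list:
    """Name the set bits of the EVM activation value, lowest bit first."""
    return [name for bit, name in sorted(EVM_FLAGS.items()) if flags & bit]


def parse_boot_log(lines) -> dict:
    """Extract IMA/EVM state and the timestamps needed for ordering checks."""
    state = {
        "tpm_bypass": False,
        "hash_algo": None,
        "arch_policy": True,       # flipped when the kernel reports none
        "policy_loaded_at": None,  # first custom policy load
        "systemd_started_at": None,
        "evm_flags": None,
    }
    for line in lines:
        m = EVM_RE.search(line)
        if m:
            state["evm_flags"] = decode_evm_flags(int(m.group("flags"), 16))
            continue
        m = DMESG_RE.match(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if msg.startswith("ima: No TPM chip found"):
            state["tpm_bypass"] = True
        elif msg.startswith("ima: Allocated hash algorithm: "):
            state["hash_algo"] = msg.rsplit(": ", 1)[1]
        elif msg == "ima: No architecture policies found":
            state["arch_policy"] = False
        elif msg == "ima: policy update completed" and state["policy_loaded_at"] is None:
            state["policy_loaded_at"] = ts
        elif msg.startswith("systemd[1]:") and state["systemd_started_at"] is None:
            state["systemd_started_at"] = ts
    return state


def findings(state: dict) -> list:
    """Turn the parsed state into the warnings a reviewer would raise."""
    out = []
    if state["tpm_bypass"]:
        out.append("TPM-bypass: measurements are not extended into a TPM, "
                   "so the IMA measurement log cannot be remotely attested")
    if state["evm_flags"] is None:
        out.append("EVM was never activated")
    else:
        if "EVM_SETUP_COMPLETE" not in state["evm_flags"]:
            out.append("EVM set-up not completed: more keys can still be loaded")
        if "EVM_INIT_HMAC" not in state["evm_flags"]:
            out.append("EVM has no HMAC key: only signature-based security.evm can be verified")
    if state["policy_loaded_at"] is None:
        out.append("no custom IMA policy was loaded")
    elif (state["systemd_started_at"] is not None
          and state["policy_loaded_at"] > state["systemd_started_at"]):
        out.append("IMA policy loaded after systemd started "
                   "(the layer's test_ima_before_systemd expects the opposite order)")
    return out


if __name__ == "__main__":
    for warning in findings(parse_boot_log(SAMPLE_LOG)):
        print("WARN:", warning)
```

Feed it `dmesg` output plus the init script's "Activated EVM" line; the first "ima: policy update completed" is taken as the custom policy load, later ones are ignored.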

* Re: [yocto] [meta-security][PATCH 0/8] Fix IMA and EVM support
  2023-05-01  0:33   ` [yocto] " Stefan Berger
@ 2023-05-02 11:41     ` akuster808
  0 siblings, 0 replies; 24+ messages in thread
From: akuster808 @ 2023-05-02 11:41 UTC (permalink / raw)
  To: Stefan Berger, yocto



On 4/30/23 8:33 PM, Stefan Berger wrote:
>
>
> On 4/30/23 10:16, Armin Kuster wrote:
>>
>> Stefan,
>>
>> On 4/28/23 8:23 AM, Stefan Berger wrote:
>>> This series of patches fixes the current support for IMA and EVM
>>> by removing outdated patches for example and adding kernel config
>>> options. I have tried out these patches with OpenBMC where the
>>> appraisal policy now enforces signed executables and libraries.
>>>
>>>     Stefan
>>
>> Thanks for the patches. It's nice to have a content expert contribute.
>>
>> There is a test suite I am using to double check things and it's not 
>> passing. I think it needs to be adapted to some of these changes.
>>
>> see: meta-integrity/lib/oeqa/runtime/cases/ima.py
>
> How does one run the test suite? 

There is an image unique to most of the meta-security sub-layers used for 
building & testing. In this IMA case it's "integrity-image-minimal".

To run the test suite, add to your local.conf:

#####################

DISTRO_FEATURES:append = " systemd integrity ima "

TEST_SUITES = "ssh ping ima"

IMAGE_CLASSES += "testimage"
#####################

Then build and test:

bitbake integrity-image-minimal; bitbake integrity-image-minimal -c testimage


It will print the test results when completed, looking like this.

RESULTS:
RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
RESULTS - ssh.SSHTest.test_ssh: PASSED (2.85s)
RESULTS - ima.IMACheck.test_ima_before_systemd: PASSED (2.56s)
RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.38s)
RESULTS - ima.IMACheck.test_ima_hash: PASSED (5.65s)
RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (267.05s)
RESULTS - ima.IMACheck.test_ima_signature: PASSED (145.66s)
SUMMARY:
integrity-image-minimal () - Ran 7 tests in 427.742s
integrity-image-minimal - OK - All required tests passed (successes=7, skipped=0, failures=0, errors=0)


I just posted the changes needed to get the tests passing again.


> I have so far only used the changes with a build of OpenBMC.
> I had seen the tests, though, and saw they assumed IMA was going to 
> start before systemd.
> In the OpenBMC log I see this here:
>
> [    0.984195] ima: No TPM chip found, activating TPM-bypass!
> [    0.985167] ima: Allocated hash algorithm: sha256
> [    0.991810] ima: No architecture policies found
>
> These are easy...
>
> This one is due to me adding IMA policy load support into an init script:
>
> Activated EVM: 2 [ activated with 0x80000002 ]
> [    2.248222] ima: policy update completed
>
> My patches for OpenBMC are here:
>
> https://gerrit.openbmc.org/c/openbmc/openbmc/+/62933
>
> This one has the init script changes: 
> https://gerrit.openbmc.org/c/openbmc/openbmc/+/62929/1

Thanks for the links, I will take a look.
>
>>
>>
>> This is adding a delay on merging until I get the test sorted out on 
>> my end.
>>
>> I do have a question regarding the Kernel config changes. Do we 
>> really need "CONFIG_SQUASHFS_XATTR=y" ?
>
> I added this because OpenBMC uses squashfs and we need xattr support 
> for security.ima and .evm.

ok,

BR,
Armin
>
>
>
> Regards,
>    Stefan
>
>>
>> BR,
>> Armin
>>
>>
>>>
>>> Stefan Berger (8):
>>>    ima: Document and replace keys and adapt scripts for EC keys
>>>    ima: Fix the ima_policy_appraise_all to appraise executables &
>>>      libraries
>>>    ima: Fix the IMA kernel feature
>>>    ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>>    ima: Sign all executables and the ima-policy in the root filesystem
>>>    integrity: Update the README for IMA support
>>>    linux: overlayfs: Add kernel patch resolving a file change
>>>      notification issue
>>>    ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
>>>
>>>   meta-integrity/README.md                      |  22 +--
>>>   meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
>>>   meta-integrity/data/debug-keys/README.md      |  17 +++
>>>   .../data/debug-keys/ima-local-ca.pem          |  15 ++
>>>   .../data/debug-keys/ima-local-ca.priv         |   7 +
>>>   .../data/debug-keys/privkey_ima.pem           |  17 +--
>>>   meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
>>>   .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
>>>   ...Increment-iversion-upon-file-changes.patch |  42 ++++++
>>>   ...for-creating-files-using-the-mknodat.patch | 138 ------------------
>>>   ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
>>>   .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
>>>   .../recipes-kernel/linux/linux/ima.scc        |   4 +
>>>   .../recipes-kernel/linux/linux_ima.inc        |  11 +-
>>>   ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
>>>   ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
>>>   .../files/ima_policy_appraise_all             |   9 +-
>>>   meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
>>>   meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
>>>   meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
>>>   20 files changed, 240 insertions(+), 333 deletions(-)
>>>   create mode 100644 meta-integrity/data/debug-keys/README.md
>>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
>>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
>>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
>>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
>>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
>>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
>>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
>>>   create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>>>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
>>>   delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
>>>
>>
>>
>>



^ permalink raw reply	[flat|nested] 24+ messages in thread
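
The CONFIG_SQUASHFS_XATTR question in the exchange above comes down to whether the root filesystem can carry security.ima and security.evm at all; without them an appraise policy has nothing to verify. The following is an added example, not code from meta-integrity or ima-evm-utils: a decoder for those xattr values in the layout evmctl writes (a type byte, then either hash_algo + digest or the signature_v2_hdr defined in the kernel's security/integrity/integrity.h), plus an audit helper that reads them off a file with os.getxattr. The sample values are constructed and the signature body is dummy bytes; a real ECDSA signature would be DER-encoded and a different length.

```python
"""Decode security.ima / security.evm values as written by evmctl.

Added example for this thread; not code from meta-integrity or
ima-evm-utils.  Type bytes and the signature header follow the kernel's
security/integrity/integrity.h (evm_ima_xattr_type, signature_v2_hdr);
the sample values are constructed, with a dummy signature body.
"""
import os
import struct

IMA_XATTR_DIGEST = 0x01           # legacy: raw sha1 digest, no algo byte
EVM_XATTR_HMAC = 0x02             # EVM HMAC over metadata
EVM_IMA_XATTR_DIGSIG = 0x03       # signature_v2_hdr + signature
IMA_XATTR_DIGEST_NG = 0x04        # hash_algo byte + digest
EVM_XATTR_PORTABLE_DIGSIG = 0x05  # signature_v2_hdr, portable (no inode data)

# Subset of the kernel's enum hash_algo
HASH_ALGO = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}

# signature_v2_hdr: type, version, hash_algo, keyid (be32), sig_size (be16)
SIG_HDR = struct.Struct(">BBBIH")

# Constructed samples; 64 counter bytes stand in for a signature body.
SAMPLE_SIG = (bytes([EVM_IMA_XATTR_DIGSIG, 2, 4])
              + (0x0A1B2C3D).to_bytes(4, "big") + (64).to_bytes(2, "big")
              + bytes(range(64)))
SAMPLE_HASH = bytes([IMA_XATTR_DIGEST_NG, 4]) + bytes.fromhex("e3b0c442" * 8)


def decode_xattr(value: bytes) -> dict:
    """Parse one security.ima or security.evm value into its fields."""
    if not value:
        raise ValueError("empty xattr value")
    t = value[0]
    if t == IMA_XATTR_DIGEST:
        return {"type": "hash", "algo": "sha1", "digest": value[1:].hex()}
    if t == IMA_XATTR_DIGEST_NG:
        if len(value) < 2:
            raise ValueError("truncated digest xattr")
        algo = HASH_ALGO.get(value[1], "unknown(%d)" % value[1])
        return {"type": "hash", "algo": algo, "digest": value[2:].hex()}
    if t == EVM_XATTR_HMAC:
        return {"type": "hmac", "digest": value[1:].hex()}
    if t in (EVM_IMA_XATTR_DIGSIG, EVM_XATTR_PORTABLE_DIGSIG):
        if len(value) < SIG_HDR.size:
            raise ValueError("truncated signature header")
        _, version, algo, keyid, sig_size = SIG_HDR.unpack(value[:SIG_HDR.size])
        if version != 2:
            raise ValueError("unsupported signature version %d" % version)
        sig = value[SIG_HDR.size:]
        if len(sig) != sig_size:
            raise ValueError("sig_size %d but %d bytes present" % (sig_size, len(sig)))
        return {
            "type": "portable_signature" if t == EVM_XATTR_PORTABLE_DIGSIG else "signature",
            "algo": HASH_ALGO.get(algo, "unknown(%d)" % algo),
            # last four bytes of the signing cert's Subject Key Identifier
            "keyid": "%08x" % keyid,
            "sig_size": sig_size,
        }
    raise ValueError("unknown xattr type 0x%02x" % t)


def audit_file(path: str) -> dict:
    """Report how a file on disk is protected.  Needs a Linux filesystem
    with xattr support (the CONFIG_SQUASHFS_XATTR point in the thread)."""
    report = {}
    for name in ("security.ima", "security.evm"):
        try:
            raw = os.getxattr(path, name, follow_symlinks=False)
            report[name] = decode_xattr(raw)
        except OSError:  # ENODATA / ENOTSUP: nothing for IMA to appraise
            report[name] = None
    return report


def is_signed(report: dict) -> bool:
    """True only when security.ima carries a signature, which is what an
    appraise rule with appraise_type=imasig requires."""
    ima = report.get("security.ima")
    return bool(ima) and ima["type"] == "signature"
```

Run `audit_file` over the executables and libraries of a built rootfs (with the image mounted, not the squashfs source tree) to confirm every file the appraise policy covers reports `"signature"` rather than `"hash"` or `None`.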

* Re: [meta-security][PATCH 0/8] Fix IMA and EVM support
  2023-04-30 14:16 ` [meta-security][PATCH 0/8] Fix IMA and EVM support akuster808
  2023-05-01  0:33   ` [yocto] " Stefan Berger
@ 2023-05-08 16:12   ` Stefan Berger
  1 sibling, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-05-08 16:12 UTC (permalink / raw)
  To: akuster808, yocto



On 4/30/23 10:16, akuster808 wrote:

> 
> This is adding a delay on merging until I get the test sorted out on my end.
> 
> I do have a question regarding the Kernel config changes. Do we really need "CONFIG_SQUASHFS_XATTR=y" ?

I will remove this and make this an OpenBMC-specific option.

    Stefan


> 
> BR,
> Armin
> 
> 
>>
>> Stefan Berger (8):
>>    ima: Document and replace keys and adapt scripts for EC keys
>>    ima: Fix the ima_policy_appraise_all to appraise executables &
>>      libraries
>>    ima: Fix the IMA kernel feature
>>    ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY
>>    ima: Sign all executables and the ima-policy in the root filesystem
>>    integrity: Update the README for IMA support
>>    linux: overlayfs: Add kernel patch resolving a file change
>>      notification issue
>>    ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch
>>
>>   meta-integrity/README.md                      |  22 +--
>>   meta-integrity/classes/ima-evm-rootfs.bbclass |  34 ++++-
>>   meta-integrity/data/debug-keys/README.md      |  17 +++
>>   .../data/debug-keys/ima-local-ca.pem          |  15 ++
>>   .../data/debug-keys/ima-local-ca.priv         |   7 +
>>   .../data/debug-keys/privkey_ima.pem           |  17 +--
>>   meta-integrity/data/debug-keys/x509_ima.der   | Bin 707 -> 620 bytes
>>   .../0001-ima-fix-ima_inode_post_setattr.patch |  51 -------
>>   ...Increment-iversion-upon-file-changes.patch |  42 ++++++
>>   ...for-creating-files-using-the-mknodat.patch | 138 ------------------
>>   ...-file-hash-setting-by-user-to-fix-an.patch |  60 --------
>>   .../recipes-kernel/linux/linux/ima.cfg        |  46 ++++++
>>   .../recipes-kernel/linux/linux/ima.scc        |   4 +
>>   .../recipes-kernel/linux/linux_ima.inc        |  11 +-
>>   ...ation-using-ioctl-when-evm_portable-.patch |  35 +++++
>>   ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} |   9 +-
>>   .../files/ima_policy_appraise_all             |   9 +-
>>   meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 +-
>>   meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +-
>>   meta-integrity/scripts/ima-gen-self-signed.sh |  41 ------
>>   20 files changed, 240 insertions(+), 333 deletions(-)
>>   create mode 100644 meta-integrity/data/debug-keys/README.md
>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
>>   create mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
>>   delete mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
>>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc
>>   create mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} (71%)
>>   delete mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh
>>
> 


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-04-28 12:55     ` Stefan Berger
@ 2023-05-09 14:53       ` Jose Quaresma
  2023-05-09 16:20         ` Stefan Berger
  2023-05-09 17:03         ` Stefan Berger
       [not found]       ` <175D814EC55EF6C3.26836@lists.yoctoproject.org>
  1 sibling, 2 replies; 24+ messages in thread
From: Jose Quaresma @ 2023-05-09 14:53 UTC (permalink / raw)
  To: Stefan Berger; +Cc: Mikko Rapeli, yocto, akuster808


Hi Stefan,

Having this patch applied unconditionally to all kernels doesn't work and
the patch fails in many downstream kernels.
I suggest reverting this one if no other solutions come up.

Jose

Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023
at 13:55:

>
>
> On 4/28/23 08:48, Mikko Rapeli wrote:
> > Hi,
> >
> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> >> Add a temporary patch that resolves a file change notification issue
> >> with overlayfs where IMA did not become aware of the file changes
> >> since the 'lower' inode's i_version had not changed. The issue will be
> >> resolved in later kernels with the following patch that builds on
> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> >>
> >>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >
> > Would be nice to have Upstream-Status for each patch. I guess status
> > would be Backport here.
>
> It's quite possible that this series here
> https://lkml.org/lkml/2022/10/21/624 (alone?) would provide the
> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> and have that referenced patch applied which isn't upstreamed so far,
> either.
>
> For now this two-liner seemed simpler and resolves the issue. I understand
> the concern, though...
>
>       Stefan
>
> >
> > Cheers,
> >
> > -Mikko
> >
> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> ---
> >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
> >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
> >>   2 files changed, 43 insertions(+)
> >>   create mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >>
> >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >> new file mode 100644
> >> index 0000000..d2b5c28
> >> --- /dev/null
> >> +++
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >> @@ -0,0 +1,42 @@
> >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
> >> +From: Stefan Berger <stefanb@linux.ibm.com>
> >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> >> +Subject: [PATCH] ovl: Increment iversion upon file changes
> >> +
> >> +This is a temporary patch for kernels that do not implement
> >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
> >> +
> >> +
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >> +
> >> +Increment the lower inode's iversion for IMA to be able to recognize
> >> +changes to the file.
> >> +
> >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >> +---
> >> + fs/overlayfs/file.c | 3 +++
> >> + 1 file changed, 3 insertions(+)
> >> +
> >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> >> +index 6011f955436b..1dfe5e7bfe1c 100644
> >> +--- a/fs/overlayfs/file.c
> >> ++++ b/fs/overlayfs/file.c
> >> +@@ -13,6 +13,7 @@
> >> + #include <linux/security.h>
> >> + #include <linux/mm.h>
> >> + #include <linux/fs.h>
> >> ++#include <linux/iversion.h>
> >> + #include "overlayfs.h"
> >> +
> >> + struct ovl_aio_req {
> >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb,
> struct iov_iter *iter)
> >> +            if (ret != -EIOCBQUEUED)
> >> +                    ovl_aio_cleanup_handler(aio_req);
> >> +    }
> >> ++   if (ret > 0)
> >> ++           inode_maybe_inc_iversion(inode, false);
> >> + out:
> >> +    revert_creds(old_cred);
> >> + out_fdput:
> >> +--
> >> +2.34.1
> >> +
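Review bot: the added patch file has no Upstream-Status: line between the Subject: and the description (Mikko's point in the quoted reply; given that the upstream fix is a different patch, Pending or Inappropriate [temporary] describes it better than Backport), and the increment itself only fires in ovl_write_iter on `if (ret > 0)`, so an AIO write that returns -EIOCBQUEUED and completes later never bumps the version; truncation via setattr and writes through a shared mapping are likewise untouched by this hunk. Please add the Upstream-Status: tag and either cover the completion path too or say in the description that only synchronous write(2) paths are handled. The description also says "Increment the lower inode's iversion" while the code bumps `inode` inside ovl_write_iter; state which inode that is so the reader does not have to check fs/overlayfs/file.c.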
> >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> index 0b6f530..9d48e5c 100644
> >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
> >>
> >>   SRC_URI += " \
> >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc',
> '', d)} \
> >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
> >>   "
> >>
> >>   do_configure() {
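Review bot: the new `file://0001-ovl-Increment-iversion-upon-file-changes.patch` line is unconditional while the ima.scc entry beside it is wrapped in `${@bb.utils.contains('DISTRO_FEATURES', 'ima', ..., '', d)}`, so the overlayfs patch is applied to every kernel built with this layer whether or not IMA is enabled, and it fails on kernels whose fs/overlayfs/file.c differs from the 6.1 tree it was made against (Jose's report in this thread). Guard it the same way as the ima.scc entry, and, since this .inc is pulled in through linux-%.bbappend, make sure that bbappend cannot match non-kernel recipes such as linux-firmware, where applying a kernel source patch is guaranteed to fail.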
> >> --
> >> 2.34.1
> >>
> >
> >>
> >>
> >>
> >
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59807):
> https://lists.yoctoproject.org/g/yocto/message/59807
> Mute This Topic: https://lists.yoctoproject.org/mt/98557297/5052612
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [
> quaresma.jose@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Best regards,

José Quaresma


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
       [not found]       ` <175D814EC55EF6C3.26836@lists.yoctoproject.org>
@ 2023-05-09 15:05         ` Jose Quaresma
       [not found]         ` <175D81FE27B11BF8.26836@lists.yoctoproject.org>
  1 sibling, 0 replies; 24+ messages in thread
From: Jose Quaresma @ 2023-05-09 15:05 UTC (permalink / raw)
  To: quaresma.jose; +Cc: Stefan Berger, Mikko Rapeli, yocto, akuster808


And it fails in other recipes like linux-firmware, because bitbake also
tries to apply the patch to linux-firmware: the layer uses
recipes-kernel/linux/linux-%.bbappend to check when integrity is enabled.

Jose

Jose Quaresma via lists.yoctoproject.org <quaresma.jose=
gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at
15:53:

> Hi Stefan,
>
> Having this patch applied unconditionally to all kernels doesn't work and
> the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.
>
> Jose
>
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023
> at 13:55:
>
>>
>>
>> On 4/28/23 08:48, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>> >> Add a temporary patch that resolves a file change notification issue
>> >> with overlayfs where IMA did not become aware of the file changes
>> >> since the 'lower' inode's i_version had not changed. The issue will be
>> >> resolved in later kernels with the following patch that builds on
>> >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>> >>
>> >>
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> >
>> > Would be nice to have Upstream-Status for each patch. I guess status
>> > would be Backport here.
>>
>> It's quite possible that this series here
>> https://lkml.org/lkml/2022/10/21/624 (alone?) would provide the
>> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>> and have that referenced patch applied which isn't upstreamed so far,
>> either.
>>
>> For now this two-liner seemed simpler and resolves the issue. I
>> understand the concern, though...
>>
>>       Stefan
>>
>> >
>> > Cheers,
>> >
>> > -Mikko
>> >
>> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> >> ---
>> >>   ...Increment-iversion-upon-file-changes.patch | 42
>> +++++++++++++++++++
>> >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>> >>   2 files changed, 43 insertions(+)
>> >>   create mode 100644
>> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >>
>> >> diff --git
>> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >> new file mode 100644
>> >> index 0000000..d2b5c28
>> >> --- /dev/null
>> >> +++
>> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>> >> @@ -0,0 +1,42 @@
>> >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>> >> +From: Stefan Berger <stefanb@linux.ibm.com>
>> >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>> >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>> >> +
>> >> +This is a temporary patch for kernels that do not implement
>> >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>> >> +
>> >> +
>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>> >> +
>> >> +Increment the lower inode's iversion for IMA to be able to recognize
>> >> +changes to the file.
>> >> +
>> >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> >> +---
>> >> + fs/overlayfs/file.c | 3 +++
>> >> + 1 file changed, 3 insertions(+)
>> >> +
>> >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>> >> +index 6011f955436b..1dfe5e7bfe1c 100644
>> >> +--- a/fs/overlayfs/file.c
>> >> ++++ b/fs/overlayfs/file.c
>> >> +@@ -13,6 +13,7 @@
>> >> + #include <linux/security.h>
>> >> + #include <linux/mm.h>
>> >> + #include <linux/fs.h>
>> >> ++#include <linux/iversion.h>
>> >> + #include "overlayfs.h"
>> >> +
>> >> + struct ovl_aio_req {
>> >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb,
>> struct iov_iter *iter)
>> >> +            if (ret != -EIOCBQUEUED)
>> >> +                    ovl_aio_cleanup_handler(aio_req);
>> >> +    }
>> >> ++   if (ret > 0)
>> >> ++           inode_maybe_inc_iversion(inode, false);
>> >> + out:
>> >> +    revert_creds(old_cred);
>> >> + out_fdput:
>> >> +--
>> >> +2.34.1
>> >> +
>> >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> index 0b6f530..9d48e5c 100644
>> >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>> >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>> >>
>> >>   SRC_URI += " \
>> >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc',
>> '', d)} \
>> >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>> >>   "
>> >>
>> >>   do_configure() {
>> >> --
>> >> 2.34.1
>> >>
>> >
>> >>
>> >>
>> >>
>> >
>>
>>
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59928):
> https://lists.yoctoproject.org/g/yocto/message/59928
> Mute This Topic: https://lists.yoctoproject.org/mt/98557297/5052612
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [
> quaresma.jose@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Best regards,

José Quaresma


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 14:53       ` Jose Quaresma
@ 2023-05-09 16:20         ` Stefan Berger
  2023-05-09 17:05           ` Jose Quaresma
  2023-05-09 17:03         ` Stefan Berger
  1 sibling, 1 reply; 24+ messages in thread
From: Stefan Berger @ 2023-05-09 16:20 UTC (permalink / raw)
  To: Jose Quaresma; +Cc: Mikko Rapeli, yocto, akuster808



On 5/9/23 10:53, Jose Quaresma wrote:
> Hi Stefan, 
> 
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Then let me drop this one. I just posted v2 of this series and can repost in v3 with this patch dropped and possibly
only have it applied in the OpenBMC project. I suppose my conclusion from OpenBMC, which currently works with a 6.1.15
kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was wrong?

     Stefan

> 
> Jose
> 
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> 
> 
> 
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>      > Hi,
>      >
>      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >> Add a temporary patch that resolves a file change notification issue
>      >> with overlayfs where IMA did not become aware of the file changes
>      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >> resolved in later kernels with the following patch that builds on
>      >> newly added feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >>
>      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >
>      > Would be nice to have Upstream-Status for each patch. I guess status
>      > would be Backport here.
> 
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
> 
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
> 
>            Stefan
> 
>      >
>      > Cheers,
>      >
>      > -Mikko
>      >
>      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>      >> ---
>      >>   ...Increment-iversion-upon-file-changes.patch | 42 +++++++++++++++++++
>      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
>      >>   2 files changed, 43 insertions(+)
>      >>   create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >>
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> new file mode 100644
>      >> index 0000000..d2b5c28
>      >> --- /dev/null
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
>      >> @@ -0,0 +1,42 @@
>      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
>      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>
>      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
>      >> +Subject: [PATCH] ovl: Increment iversion upon file changes
>      >> +
>      >> +This is a temporary patch for kernels that do not implement
>      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
>      >> +
>      >> +https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 <https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>
>      >> +
>      >> +Increment the lower inode's iversion for IMA to be able to recognize
>      >> +changes to the file.
>      >> +
>      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com <mailto:stefanb@linux.ibm.com>>
>      >> +---
>      >> + fs/overlayfs/file.c | 3 +++
>      >> + 1 file changed, 3 insertions(+)
>      >> +
>      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
>      >> +index 6011f955436b..1dfe5e7bfe1c 100644
>      >> +--- a/fs/overlayfs/file.c
>      >> ++++ b/fs/overlayfs/file.c
>      >> +@@ -13,6 +13,7 @@
>      >> + #include <linux/security.h>
>      >> + #include <linux/mm.h>
>      >> + #include <linux/fs.h>
>      >> ++#include <linux/iversion.h>
>      >> + #include "overlayfs.h"
>      >> +
>      >> + struct ovl_aio_req {
>      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
>      >> +            if (ret != -EIOCBQUEUED)
>      >> +                    ovl_aio_cleanup_handler(aio_req);
>      >> +    }
>      >> ++   if (ret > 0)
>      >> ++           inode_maybe_inc_iversion(inode, false);
>      >> + out:
>      >> +    revert_creds(old_cred);
>      >> + out_fdput:
>      >> +--
>      >> +2.34.1
>      >> +
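Review bot: the patch header in this new file has no Upstream-Status: line, which the OE-Core patch conventions expect on every patch carried in a layer; since the commit message itself says the successor patch will be a different change, Backport would not be accurate, so something like `Upstream-Status: Pending` (or Inappropriate, with the reason) next to the lore link would be the right tag. Two points on the kernel change itself: the commit message says "Increment the lower inode's iversion", but the hunk calls `inode_maybe_inc_iversion(inode, false);` on `inode` without showing where that inode comes from, so the message should state explicitly which inode (overlay or lower/real) is being bumped; and the increment is added only behind `if (ret > 0)` in ovl_write_iter, so the message should say whether other ways of changing the file's contents are deliberately left uncovered by this temporary fix.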
>      >> diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> index 0b6f530..9d48e5c 100644
>      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
>      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
>      >>
>      >>   SRC_URI += " \
>      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
>      >> +    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
>      >>   "
>      >>
>      >>   do_configure() {
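Review bot: the new `file://0001-ovl-Increment-iversion-upon-file-changes.patch \` entry is added to SRC_URI unconditionally, whereas the line just above it guards ima.scc with `${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)}`; as written, the kernel patch is applied to every kernel that pulls in this .inc even when the ima distro feature is off, and since it only applies cleanly against the fs/overlayfs/file.c context it was written for, it will fail on kernels whose source differs (the later replies in this thread report exactly that). At minimum wrap it in the same contains() guard, and given the patch header says it targets kernels <= 6.2, consider keying it on the kernel version being built or keeping it out of the shared .inc altogether.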
>      >> --
>      >> 2.34.1
>      >>
>      >
>      >>
>      >>
>      >>
>      >
> 
>     -=-=-=-=-=-=-=-=-=-=-=-
>     Links: You receive all messages sent to this group.
>     View/Reply Online (#59807): https://lists.yoctoproject.org/g/yocto/message/59807 <https://lists.yoctoproject.org/g/yocto/message/59807>
>     Mute This Topic: https://lists.yoctoproject.org/mt/98557297/5052612 <https://lists.yoctoproject.org/mt/98557297/5052612>
>     Group Owner: yocto+owner@lists.yoctoproject.org <mailto:yocto%2Bowner@lists.yoctoproject.org>
>     Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub <https://lists.yoctoproject.org/g/yocto/unsub> [quaresma.jose@gmail.com <mailto:quaresma.jose@gmail.com>]
>     -=-=-=-=-=-=-=-=-=-=-=-
> 
> 
> 
> -- 
> Best regards,
> 
> José Quaresma



* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
       [not found]         ` <175D81FE27B11BF8.26836@lists.yoctoproject.org>
@ 2023-05-09 17:02           ` Jose Quaresma
  0 siblings, 0 replies; 24+ messages in thread
From: Jose Quaresma @ 2023-05-09 17:02 UTC (permalink / raw)
  To: quaresma.jose; +Cc: Stefan Berger, Mikko Rapeli, yocto, akuster808


Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 16:06:

> And it fails in other recipes like linux-firmware.
> Because bitbake also tries to apply the patch to linux-firmware because it
> uses the recipes-kernel/linux/linux-%.bbappend to check when the
> integrity is enabled.
>

I believe that the full patchset needs to be reverted because it also
breaks linux-firmware even after reverting this patch.

Jose


>
> Jose
>
> Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Tuesday, 9/05/2023 at 15:53:
>
>> Hi Stefan,
>>
>> Having this patch applied unconditionally to all kernels doesn't work and
>> the patch fails in many downstream kernels.
>> I suggest reverting this one if no other solutions come up.
>>
>> Jose
>>
>> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>>
>>>
>>>
>>> On 4/28/23 08:48, Mikko Rapeli wrote:
>>> > Hi,
>>> >
>>> > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>>> >> Add a temporary patch that resolves a file change notification issue
>>> >> with overlayfs where IMA did not become aware of the file changes
>>> >> since the 'lower' inode's i_version had not changed. The issue will be
>>> >> resolved in later kernels with the following patch that builds on
>>> >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>>> >>
>>> >>
>>> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>>> >
>>> > Would be nice to have Upstream-Status for each patch. I guess status
>>> > would be Backport here.
>>>
>>> It's quite possible that this series here
>>> https://lkml.org/lkml/2022/10/21/624
>>> (alone?) would provide
>>> the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>>> and have that referenced patch applied which isn't upstreamed so far,
>>> either.
>>>
>>> For now this two-liner seemed simpler and resolves the issue. I
>>> understand the concern, though...
>>>
>>>       Stefan
>>>
>>> >
>>> > Cheers,
>>> >
>>> > -Mikko
>>> >
>>> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>>
>> --
>> Best regards,
>>
>> José Quaresma
>>
>>
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>
>
>

-- 
Best regards,

José Quaresma



* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 14:53       ` Jose Quaresma
  2023-05-09 16:20         ` Stefan Berger
@ 2023-05-09 17:03         ` Stefan Berger
  1 sibling, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-05-09 17:03 UTC (permalink / raw)
  To: Jose Quaresma; +Cc: Mikko Rapeli, yocto, akuster808



On 5/9/23 10:53, Jose Quaresma wrote:

> Hi Stefan,
> 
> Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
> I suggest reverting this one if no other solutions come up.

Oh, I just saw the patches were applied to meta-security already. Alright, I will send a separate patch to
drop this patch.

    Stefan
> 
> Jose
> 
> Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> 
> 
> 
>     On 4/28/23 08:48, Mikko Rapeli wrote:
>      > Hi,
>      >
>      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >> Add a temporary patch that resolves a file change notification issue
>      >> with overlayfs where IMA did not become aware of the file changes
>      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >> resolved in later kernels with the following patch that builds on
>      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >>
>      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >
>      > Would be nice to have Upstream-Status for each patch. I guess status
>      > would be Backport here.
> 
>     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>     and have that referenced patch applied which isn't upstreamed so far, either.
> 
>     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
> 
>            Stefan
> 
>      >
>      > Cheers,
>      >
>      > -Mikko
>      >
>      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> 
> 
> 
> 
> 
> -- 
> Best regards,
> 
> José Quaresma
> 
> 
> 



* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 16:20         ` Stefan Berger
@ 2023-05-09 17:05           ` Jose Quaresma
  2023-05-09 18:05             ` Stefan Berger
  0 siblings, 1 reply; 24+ messages in thread
From: Jose Quaresma @ 2023-05-09 17:05 UTC (permalink / raw)
  To: Stefan Berger; +Cc: Mikko Rapeli, yocto, akuster808


Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:

>
>
> On 5/9/23 10:53, Jose Quaresma wrote:
> > Hi Stefan,
> >
> > Having this patch applied unconditionally to all kernels doesn't work
> and the patch fails in many downstream kernels.
> > I suggest reverting this one if no other solutions come up.
>
> Then let me drop this one. I just posted v2 of this series and can repost
> in v3 with this patch dropped and possibly
> only have it applied in the OpenBMC project. I suppose my conclusion from
> OpenBMC, which currently works with a 6.1.15
> kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was
> wrong?
>

Yup! It is also my opinion.
But after reverting this patch some other new issues come up because of the
IMA side-effect changes,
so linux-firmware doesn't build any more.

Jose


>      Stefan
>
> >
> > Jose
> >
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> >
> >
> >
> >     On 4/28/23 08:48, Mikko Rapeli wrote:
> >      > Hi,
> >      >
> >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
> >      >> Add a temporary patch that resolves a file change notification
> issue
> >      >> with overlayfs where IMA did not become aware of the file changes
> >      >> since the 'lower' inode's i_version had not changed. The issue
> will be
> >      >> resolved in later kernels with the following patch that builds on
> >      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
> >      >>
> >      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >      >
> >      > Would be nice to have Upstream-Status for each patch. I guess
> status
> >      > would be Backport here.
> >
> >     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
> >     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> >     and have that referenced patch applied which isn't upstreamed so far, either.
> >
> >     For now this two-liner seemed simpler and resolves the issue. I
> understand the concern, though...
> >
> >            Stefan
> >
> >      >
> >      > Cheers,
> >      >
> >      > -Mikko
> >      >
> >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
>


-- 
Best regards,

José Quaresma



* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 17:05           ` Jose Quaresma
@ 2023-05-09 18:05             ` Stefan Berger
  2023-05-09 18:13               ` Jose Quaresma
  0 siblings, 1 reply; 24+ messages in thread
From: Stefan Berger @ 2023-05-09 18:05 UTC (permalink / raw)
  To: Jose Quaresma; +Cc: Mikko Rapeli, yocto, akuster808



On 5/9/23 13:05, Jose Quaresma wrote:
> Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
> 
> 
> 
>     On 5/9/23 10:53, Jose Quaresma wrote:
>      > Hi Stefan,
>      >
>      > Having this patch applied unconditionally to all kernels doesn't work and the patch fails in many downstream kernels.
>      > I suggest reverting this one if no other solutions come up.
> 
>     Then let me drop this one. I just posted v2 of this series and can repost in v3 with this patch dropped and possibly
>     only have it applied in the OpenBMC project. I suppose my conclusion from OpenBMC, which currently works with a 6.1.15
>     kernel, that all other Yocto projects also now use a >= 6.1.15 kernel, was wrong?
> 
> 
> Yup! It is also my opinion.
> But after reverting this patch some other new issues come up because of the IMA side-effect changes,
> so linux-firmware doesn't build any more.

Can you either point me to the changes or tell me how you build linux-firmware so that I can recreate the issue locally?

    Stefan

> 
> Jose
> 
> 
>           Stefan
> 
>      >
>      > Jose
>      >
>      > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
>      >
>      >
>      >
>      >     On 4/28/23 08:48, Mikko Rapeli wrote:
>      >      > Hi,
>      >      >
>      >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger wrote:
>      >      >> Add a temporary patch that resolves a file change notification issue
>      >      >> with overlayfs where IMA did not become aware of the file changes
>      >      >> since the 'lower' inode's i_version had not changed. The issue will be
>      >      >> resolved in later kernels with the following patch that builds on
>      >      >> newly addd feature (support for STATX_CHANGE_COOKIE) in v6.3-rc1:
>      >      >>
>      >      >> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
>      >      >
>      >      > Would be nice to have Upstream-Status for each patch. I guess status
>      >      > would be Backport here.
>      >
>      >     It's quite possible that this series here https://lkml.org/lkml/2022/10/21/624
>      >     (alone?) would provide the infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
>      >     and have that referenced patch applied which isn't upstreamed so far, either.
>      >
>      >     For now this two-liner seemed simpler and resolves the issue. I understand the concern, though...
>      >
>      >            Stefan
>      >
>      >      >
>      >      > Cheers,
>      >      >
>      >      > -Mikko
>      >      >
>      >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>      > --
>      > Best regards,
>      >
>      > José Quaresma
> 
> 
> 
> -- 
> Best regards,
> 
> José Quaresma
> 
> 
> 


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 18:05             ` Stefan Berger
@ 2023-05-09 18:13               ` Jose Quaresma
  2023-05-09 18:37                 ` Stefan Berger
  0 siblings, 1 reply; 24+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:13 UTC (permalink / raw)
  To: Stefan Berger; +Cc: Mikko Rapeli, yocto, akuster808


Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 19:05:

>
>
> On 5/9/23 13:05, Jose Quaresma wrote:
> >
> >
> > Stefan Berger <stefanb@linux.ibm.com> wrote on Tuesday, 9/05/2023 at 17:21:
> >
> >
> >
> >     On 5/9/23 10:53, Jose Quaresma wrote:
> >      > Hi Stefan,
> >      >
> >      > Having this patch applied unconditionally to all kernels doesn't
> work and the patch fails in many downstream kernels.
> >      > I suggest reverting this one if no other solutions come up.
> >
> >     Then let me drop this one. I just posted v2 of this series and can
> repost in v3 with this patch dropped and possibly
> >     only have it applied in the OpenBMC project. I suppose my conclusion
> from OpenBMC, which currently works with a 6.1.15
> >     kernel, that all other Yocto projects also now use a >= 6.1.15
> kernel, was wrong?
> >
> >
> > Yup! That is also my opinion.
> > But after reverting this patch some other new issues come up because of
> > the ima side-effect changes, so linux-firmware doesn't build any more.
>
> Can you either point me to the changes or tell me how you build
> linux-firmware so that I can recreate the issue locally?
>

it's easy, just call the following:

bitbake linux-firmware


>
>     Stefan
>
> >
> > Jose
> >
> >
> >           Stefan
> >
> >      >
> >      > Jose
> >      >
> >      > Stefan Berger <stefanb@linux.ibm.com> wrote on Friday, 28/04/2023 at 13:55:
> >      >
> >      >
> >      >
> >      >     On 4/28/23 08:48, Mikko Rapeli wrote:
> >      >      > Hi,
> >      >      >
> >      >      > On Fri, Apr 28, 2023 at 08:23:15AM -0400, Stefan Berger
> wrote:
> >      >      >> Add a temporary patch that resolves a file change
> notification issue
> >      >      >> with overlayfs where IMA did not become aware of the file
> changes
> >      >      >> since the 'lower' inode's i_version had not changed. The
> issue will be
> >      >      >> resolved in later kernels with the following patch that
> builds on
> >      >      >> newly added feature (support for STATX_CHANGE_COOKIE) in
> v6.3-rc1:
> >      >      >>
> >      >      >>
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >      >      >
> >      >      > Would be nice to have Upstream-Status for each patch. I
> guess status
> >      >      > would be Backport here.
> >      >
> >      >     It's quite possible that this series here
> https://lkml.org/lkml/2022/10/21/624
> >      >     (alone?) would provide the
> infrastructure for STATX_CHANGE_COOKIE (introduced in 3/8)
> >      >     and have that referenced patch applied which isn't upstreamed
> so far, either.
> >      >
> >      >     For now this two-liner seemed simpler and resolves the issue.
> I understand the concern, though...
> >      >
> >      >            Stefan
> >      >
> >      >      >
> >      >      > Cheers,
> >      >      >
> >      >      > -Mikko
> >      >      >
> >      >      >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> >      >      >> ---
> >      >      >>   ...Increment-iversion-upon-file-changes.patch | 42
> +++++++++++++++++++
> >      >      >>   .../recipes-kernel/linux/linux_ima.inc        |  1 +
> >      >      >>   2 files changed, 43 insertions(+)
> >      >      >>   create mode 100644
> meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >>
> >      >      >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >> new file mode 100644
> >      >      >> index 0000000..d2b5c28
> >      >      >> --- /dev/null
> >      >      >> +++
> b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
> >      >      >> @@ -0,0 +1,42 @@
> >      >      >> +From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17
> 00:00:00 2001
> >      >      >> +From: Stefan Berger <stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>>
> >      >      >> +Date: Thu, 6 Apr 2023 11:27:29 -0400
> >      >      >> +Subject: [PATCH] ovl: Increment iversion upon file
> changes
> >      >      >> +
> >      >      >> +This is a temporary patch for kernels that do not
> implement
> >      >      >> +STATX_CHANGE_COOKIE (<= 6.2). The successor patch will
> be this one:
> >      >      >> +
> >      >      >> +
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459>
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> <
> https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
> >>
> >      >      >> +
> >      >      >> +Increment the lower inode's iversion for IMA to be able
> to recognize
> >      >      >> +changes to the file.
> >      >      >> +
> >      >      >> +Signed-off-by: Stefan Berger <stefanb@linux.ibm.com
> <mailto:stefanb@linux.ibm.com> <mailto:stefanb@linux.ibm.com <mailto:
> stefanb@linux.ibm.com>>>
> >      >      >> +---
> >      >      >> + fs/overlayfs/file.c | 3 +++
> >      >      >> + 1 file changed, 3 insertions(+)
> >      >      >> +
> >      >      >> +diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
> >      >      >> +index 6011f955436b..1dfe5e7bfe1c 100644
> >      >      >> +--- a/fs/overlayfs/file.c
> >      >      >> ++++ b/fs/overlayfs/file.c
> >      >      >> +@@ -13,6 +13,7 @@
> >      >      >> + #include <linux/security.h>
> >      >      >> + #include <linux/mm.h>
> >      >      >> + #include <linux/fs.h>
> >      >      >> ++#include <linux/iversion.h>
> >      >      >> + #include "overlayfs.h"
> >      >      >> +
> >      >      >> + struct ovl_aio_req {
> >      >      >> +@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct
> kiocb *iocb, struct iov_iter *iter)
> >      >      >> +            if (ret != -EIOCBQUEUED)
> >      >      >> +                    ovl_aio_cleanup_handler(aio_req);
> >      >      >> +    }
> >      >      >> ++   if (ret > 0)
> >      >      >> ++           inode_maybe_inc_iversion(inode, false);
> >      >      >> + out:
> >      >      >> +    revert_creds(old_cred);
> >      >      >> + out_fdput:
> >      >      >> +--
> >      >      >> +2.34.1
> >      >      >> +
> >      >      >> diff --git
> a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> index 0b6f530..9d48e5c 100644
> >      >      >> --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
> >      >      >> @@ -2,6 +2,7 @@ FILESEXTRAPATHS:append :=
> "${THISDIR}/linux:"
> >      >      >>
> >      >      >>   SRC_URI += " \
> >      >      >>       ${@bb.utils.contains('DISTRO_FEATURES', 'ima',
> 'file://ima.scc', '', d)} \
> >      >      >> +
> file://0001-ovl-Increment-iversion-upon-file-changes.patch \
> >      >      >>   "
> >      >      >>
> >      >      >>   do_configure() {
> >      >      >> --
> >      >      >> 2.34.1
> >      >      >>
> >      >      >
> >      >      >>
> >      >      >>
> >      >      >>
> >      >      >
> >      >
> >      >
> >      >
> >      >
> >      >
> >      > --
> >      > Best regards,
> >      >
> >      > José Quaresma
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
> >
> >
> >
>


-- 
Best regards,

José Quaresma


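As an added example that is not part of this thread or of the kernel sources: a user-space C model of the i_version counter that IMA relies on to notice that a file changed, together with a stand-in for the overlayfs write path with and without the two lines from the patch quoted above. The counter encoding (low bit is the "queried" flag, the value lives in the upper bits, increments happen only after a query unless forced) follows include/linux/iversion.h; the inode struct, the IMA per-inode state, the `ovl_write_iter()` stand-in and the `EIOCBQUEUED` constant are simplifications assumed for this model and are not the kernel's code.

```c
/* Added example, not from the thread or the kernel: a user-space model of
 * i_version-based change detection as used by IMA, and of the overlayfs
 * write path before and after the "Increment iversion upon file changes"
 * patch. Single-threaded, so the kernel's atomic cmpxchg loops are dropped. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encoding as in include/linux/iversion.h: bit 0 = queried, value = bits 1..63. */
#define I_VERSION_QUERIED   ((uint64_t)1 << 0)
#define I_VERSION_INCREMENT ((uint64_t)1 << 1)

/* Simplified inode: only the field this example is about (assumption). */
struct inode {
    uint64_t i_version;
};

/* Bump the counter, but only if someone queried it since the last bump
 * (or if force is set). Returns whether a bump happened. */
static bool inode_maybe_inc_iversion(struct inode *inode, bool force)
{
    uint64_t cur = inode->i_version;

    if (!force && !(cur & I_VERSION_QUERIED))
        return false;
    inode->i_version = (cur & ~I_VERSION_QUERIED) + I_VERSION_INCREMENT;
    return true;
}

/* Read the counter and mark it queried, so the next change bumps it. */
static uint64_t inode_query_iversion(struct inode *inode)
{
    inode->i_version |= I_VERSION_QUERIED;
    return inode->i_version >> 1;
}

/* Per-inode IMA state, modelled on the version IMA caches with a measurement. */
struct ima_iint {
    uint64_t version;
    bool measured;
};

/* Model of IMA's re-measure decision: measure on first sight, and again
 * whenever the inode's version moved since the cached measurement. */
static bool ima_needs_measurement(struct ima_iint *iint, struct inode *inode)
{
    uint64_t v = inode_query_iversion(inode);

    if (iint->measured && iint->version == v)
        return false;
    iint->version = v;
    iint->measured = true;
    return true;
}

/* Assumed to match the kernel errno; only its sign matters here. */
#define EIOCBQUEUED 529

/* Stand-in for ovl_write_iter(): the data goes to the real (upper) file
 * through a different inode, so this inode's counter is untouched unless
 * the patch's two lines are present (with_fix). ret is the byte count or
 * -EIOCBQUEUED for an async write that completes later. */
static long ovl_write_iter(struct inode *inode, long ret, bool with_fix)
{
    if (with_fix && ret > 0)
        inode_maybe_inc_iversion(inode, false);
    return ret;
}

/* Scenario: IMA measures the file, it is written through the overlay,
 * IMA looks again. Returns true if IMA noticed the write. */
static bool ima_sees_overlay_write(bool with_fix, long write_ret)
{
    struct inode inode = { .i_version = 0 };
    struct ima_iint iint = { 0 };

    ima_needs_measurement(&iint, &inode);        /* first open: measured */
    ovl_write_iter(&inode, write_ret, with_fix); /* the modification */
    return ima_needs_measurement(&iint, &inode); /* re-measured or stale? */
}

int main(void)
{
    printf("unpatched, sync write:  IMA noticed=%d\n", ima_sees_overlay_write(false, 4096));
    printf("patched,   sync write:  IMA noticed=%d\n", ima_sees_overlay_write(true, 4096));
    printf("patched,   queued aio:  IMA noticed=%d\n", ima_sees_overlay_write(true, -EIOCBQUEUED));
    return 0;
}
```

The three scenarios show the problem the patch addresses (no bump, so the second measurement is skipped and a stale hash stays cached), the fix for a synchronous write, and the case the `ret > 0` guard does not cover: a queued asynchronous write returns `-EIOCBQUEUED` and so never reaches the increment in this path.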

* Re: [yocto] [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue
  2023-05-09 18:13               ` Jose Quaresma
@ 2023-05-09 18:37                 ` Stefan Berger
  0 siblings, 0 replies; 24+ messages in thread
From: Stefan Berger @ 2023-05-09 18:37 UTC (permalink / raw)
  To: Jose Quaresma; +Cc: Mikko Rapeli, yocto, akuster808



On 5/9/23 14:13, Jose Quaresma wrote:

> 
> it's easy, just call the following:
> 
> bitbake linux-firmware
> 
> 

How do you initialize this environment?


If I was to do this from meta-security I get this here:

$ bitbake linux-firmware
ERROR: The BBPATH variable is not set and bitbake did not find a conf/bblayers.conf file in the expected location.
Maybe you accidentally invoked bitbake from the wrong directory?


    Stefan



end of thread, other threads:[~2023-05-09 18:37 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-28 12:23 [meta-security][PATCH 0/8] Fix IMA and EVM support Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 1/8] ima: Document and replace keys and adapt scripts for EC keys Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 2/8] ima: Fix the ima_policy_appraise_all to appraise executables & libraries Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 3/8] ima: Fix the IMA kernel feature Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 4/8] ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 5/8] ima: Sign all executables and the ima-policy in the root filesystem Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 6/8] integrity: Update the README for IMA support Stefan Berger
2023-04-28 12:23 ` [meta-security][PATCH 7/8] linux: overlayfs: Add kernel patch resolving a file change notification issue Stefan Berger
2023-04-28 12:48   ` [yocto] " Mikko Rapeli
2023-04-28 12:55     ` Stefan Berger
2023-05-09 14:53       ` Jose Quaresma
2023-05-09 16:20         ` Stefan Berger
2023-05-09 17:05           ` Jose Quaresma
2023-05-09 18:05             ` Stefan Berger
2023-05-09 18:13               ` Jose Quaresma
2023-05-09 18:37                 ` Stefan Berger
2023-05-09 17:03         ` Stefan Berger
     [not found]       ` <175D814EC55EF6C3.26836@lists.yoctoproject.org>
2023-05-09 15:05         ` Jose Quaresma
     [not found]         ` <175D81FE27B11BF8.26836@lists.yoctoproject.org>
2023-05-09 17:02           ` Jose Quaresma
2023-04-28 12:23 ` [meta-security][PATCH 8/8] ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch Stefan Berger
2023-04-30 14:16 ` [meta-security][PATCH 0/8] Fix IMA and EVM support akuster808
2023-05-01  0:33   ` [yocto] " Stefan Berger
2023-05-02 11:41     ` akuster808
2023-05-08 16:12   ` Stefan Berger

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.