yocto.lists.yoctoproject.org archive mirror
* [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
@ 2023-05-09 18:56 Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue" Jose Quaresma
                   ` (7 more replies)
  0 siblings, 8 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
 ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
deleted file mode 100644
index 3624576..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.ibm.com>
-Date: Tue, 18 Apr 2023 11:43:55 -0400
-Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
-
-If a signatures is detected as being portable do not attempt to read the
-generation with the ioctl since in some cases this may not be supported
-by the filesystem and is also not needed for computing a portable
-signature.
-
-This avoids the current work-around of passing --generation 0 when the
-ioctl is not supported by the filesystem.
-
-Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
----
- src/evmctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 6d2bb67..c35a28c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
- 	if (mode_str)
- 		st.st_mode = strtoul(mode_str, NULL, 10);
- 
--	if (!evm_immutable) {
-+	if (!evm_immutable && !evm_portable) {
- 		if (S_ISREG(st.st_mode) && !generation_str) {
- 			int fd = open(file, 0);
- 
----
-2.39.2
-
-
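Review bot: the commit message's justification (the do_configure override and the kernel patch in linux_ima.inc) does not apply to this hunk, which deletes a userspace ima-evm-utils patch and touches nothing under recipes-kernel; please state why the evm_portable fix itself has to go. By its own description the deleted patch removed the need for the `--generation 0` work-around on filesystems that do not support the generation ioctl, so dropping it reintroduces that work-around for `--portable` signing.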
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
similarity index 71%
rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
index 8ac080c..873aeeb 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
 
 DEPENDS:class-native += "openssl-native keyutils-native"
 
-FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
-
-SRC_URI = " \
-    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
-    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
-"
-SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
+SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
+SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
 
 inherit pkgconfig autotools features_check
 
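Review bot: this hunk is a version downgrade from v1.5 (GitHub release tarball) to 1.4 (SourceForge tarball, different sha256sum), not merely the removal of the patch, and the commit message does not mention the downgrade at all. If the goal is only to drop the patch, keep the 1.5 `SRC_URI` and `SRC_URI[sha256sum]` and remove just the `file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch` entry and the `FILESEXTRAPATHS:append` line; otherwise the downgrade needs its own justification.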
-- 
2.34.1




* [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue"
  2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
@ 2023-05-09 18:56 ` Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support" Jose Quaresma
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit 319522e00dfd23c78cbe28ab26b87e08a8f46993.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 ...Increment-iversion-upon-file-changes.patch | 42 -------------------
 .../recipes-kernel/linux/linux_ima.inc        |  1 -
 2 files changed, 43 deletions(-)
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch

diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
deleted file mode 100644
index d2b5c28..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001
-From: Stefan Berger <stefanb@linux.ibm.com>
-Date: Thu, 6 Apr 2023 11:27:29 -0400
-Subject: [PATCH] ovl: Increment iversion upon file changes
-
-This is a temporary patch for kernels that do not implement
-STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one:
-
-https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459
-
-Increment the lower inode's iversion for IMA to be able to recognize
-changes to the file.
-
-Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
----
- fs/overlayfs/file.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
-index 6011f955436b..1dfe5e7bfe1c 100644
---- a/fs/overlayfs/file.c
-+++ b/fs/overlayfs/file.c
-@@ -13,6 +13,7 @@
- #include <linux/security.h>
- #include <linux/mm.h>
- #include <linux/fs.h>
-+#include <linux/iversion.h>
- #include "overlayfs.h"
- 
- struct ovl_aio_req {
-@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
- 		if (ret != -EIOCBQUEUED)
- 			ovl_aio_cleanup_handler(aio_req);
- 	}
-+	if (ret > 0)
-+		inode_maybe_inc_iversion(inode, false);
- out:
- 	revert_creds(old_cred);
- out_fdput:
--- 
-2.34.1
-
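Review bot: the deleted patch describes itself as a temporary work-around for kernels without STATX_CHANGE_COOKIE (<= 6.2) so that IMA notices writes that go through overlayfs; deleting it without a replacement means IMA can again miss file changes on overlayfs mounts with those kernels. Either say in the commit message that this regression is accepted, or keep the patch and restrict its `SRC_URI` entry to the kernel recipes it actually applies to instead of removing it from every `linux-*` recipe.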
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 9d48e5c..0b6f530 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -2,7 +2,6 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:"
 
 SRC_URI += " \
     ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
-    file://0001-ovl-Increment-iversion-upon-file-changes.patch \
 "
 
 do_configure() {
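Review bot: the trailing context line `do_configure() {` shows that the do_configure override the commit message objects to is still present in linux_ima.inc after this hunk; the patch only removes the `SRC_URI` entry for the overlayfs patch. Either remove the override here as well or adjust the message so it describes what this patch actually changes.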
-- 
2.34.1




* [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support"
  2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue" Jose Quaresma
@ 2023-05-09 18:56 ` Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem" Jose Quaresma
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit b9abf0e09bfea8f08cc7f2d68998f014abba5b3b.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/README.md | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 1a37280..816b40d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -76,7 +76,7 @@ other layers needed. e.g.:
 
 It has some dependencies on a suitable BSP; in particular the kernel
 must have a recent enough IMA/EVM subsystem. The layer was tested with
-Linux 6.1 and uses some features (like loading X509 certificates
+Linux 3.19 and uses some features (like loading X509 certificates
 directly from the kernel) which were added in that release. Your
 mileage may vary with older kernels.
 
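Review bot: reverting the tested-kernel statement back to "Linux 3.19" reintroduces a stale fact into the README; the overlayfs patch removed in 2/8 of this series talks about kernels up to 6.2, so 3.19 is not what the layer is exercised against today. Consider keeping the "Linux 6.1" wording even while the rest of the README change is reverted.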
@@ -89,17 +89,10 @@ Adding the layer only enables IMA (see below regarding EVM) during
 compilation of the Linux kernel. To also activate it when building
 the image, enable image signing in the local.conf like this:
 
-    DISTRO_FEATURES:append = " integrity ima"
-
     IMAGE_CLASSES += "ima-evm-rootfs"
-
     IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
     IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
     IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
-    IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
-
-    # The following policy enforces IMA & EVM signatures
-    IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all"
 
 This uses the default keys provided in the "data" directory of the layer.
 Because everyone has access to these private keys, such an image
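Review bot: the removed `DISTRO_FEATURES:append = " integrity ima"` line is the only place in this local.conf example that enables the ima distro feature, which the layer's own files key on via `bb.utils.contains('DISTRO_FEATURES', 'ima', ...)`; without it the remaining `IMAGE_CLASSES += "ima-evm-rootfs"` line does nothing for a reader who does not already know to set the feature. Removing `IMA_EVM_ROOT_CA` and `IMA_EVM_POLICY` also drops the two settings that make the resulting image actually appraise signatures, so the sentence that follows ("This uses the default keys provided in the "data" directory") should still describe a configuration that enforces something.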
@@ -120,7 +113,10 @@ for that are included in the layer. This is also how the
     cd $IMA_EVM_KEY_DIR
     # In that shell, create the keys. Several options exist:
 
-    # 1. Keys signed by a new CA.
+    # 1. Self-signed keys.
+    $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh
+
+    # 2. Keys signed by a new CA.
     # When asked for a PEM passphrase, that will be for the root CA.
     # Signing images then will not require entering that passphrase,
     # only creating new certificates does. Most likely the default
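Review bot: the restored option 1 runs `$INTEGRITY_BASE/scripts/ima-gen-self-signed.sh` uncommented, while options 2 and 3 in the same block are commented out (`# $INTEGRITY_BASE/scripts/...`); since the block is presented as a shell session, a reader who pastes it will generate self-signed keys unconditionally. Comment it out like the other options so the choice is explicit.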
@@ -129,11 +125,13 @@ for that are included in the layer. This is also how the
     # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh
     # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh
 
-    # 2. Keys signed by an existing CA.
+    # 3. Keys signed by an existing CA.
     # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh <CA.pem> <CA.priv>
     exit
 
-The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
+When using ``ima-self-signed.sh`` as described above, self-signed keys
+are created. Alternatively, one can also use keys signed by a CA.  The
+``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA
 and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then
 supports adding tha CA's public key to the kernel's system keyring by
 compiling it directly into the kernel. Because it is unknown whether
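Review bot: the restored prose refers to ``ima-self-signed.sh``, but the script invoked in the previous hunk is `ima-gen-self-signed.sh`; the two names should agree. While touching this paragraph, the context line `supports adding tha CA's public key` has a typo and should read `the CA's`.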
-- 
2.34.1




* [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem"
  2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue" Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support" Jose Quaresma
@ 2023-05-09 18:56 ` Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY" Jose Quaresma
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit 76f1f539a678725211283294c8b6735186055694.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 25 ++++---------------
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 98c4bc1..6902d69 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -62,32 +62,17 @@ ima_evm_sign_rootfs () {
        perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab
     fi
 
-    # Detect 32bit target to pass --m32 to evmctl by looking at libc
-    tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')"
-    if [ "${tmp}" = "ELF 32-bit" ]; then
-        evmctl_param="--m32"
-    elif [ "${tmp}" = "ELF 64-bit" ]; then
-        evmctl_param=""
-    else
-        bberror "Unknown target architecture bitness: '${tmp}'" >&2
-        exit 1
-    fi
-
-    bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
-    evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
-
-    # check signing key and signature verification key
-    evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
-    evmctl verify     ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
+    # Sign file with private IMA key. EVM not supported at the moment.
+    bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'"
+    find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY}
+    bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'"
+    find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
 
     # Optionally install custom policy for loading by systemd.
     if [ "${IMA_EVM_POLICY}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
         install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
-
-        bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
-        evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
     fi
 }
 
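Review bot: the restored signing path loses three things the removed code had, and the commit message mentions none of them: the `evmctl ima_verify` / `evmctl verify` checks against `${IMA_EVM_X509}` that fail the build when the private key and the certificate do not match, the `--m32` handling for 32-bit targets, and the signing of `${sysconfdir}/ima/ima-policy`, which is now installed unsigned (a problem if the installed policy appraises the policy file itself, as an appraise-all policy does). Two smaller points on the restored lines: `evmctl ima_sign` is called without `-a sha256`, so the hash algorithm silently falls back to evmctl's default, and `find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n"` mishandles any path containing a newline, where `find ... -print0 | xargs -0` would be safe.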
-- 
2.34.1




* [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY"
  2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
                   ` (2 preceding siblings ...)
  2023-05-09 18:56 ` [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem" Jose Quaresma
@ 2023-05-09 18:56 ` Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature" Jose Quaresma
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit 292b49342cb47da59525a44227598cf136311e1b.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/README.md                      | 2 +-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 816b40d..eae1c57 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd
 changes. To activate policy loading via systemd, place a policy file
 in `/etc/ima/ima-policy`, for example with:
 
-    IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
+    IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
 
 To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
 
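Review bot: the rename itself is fine, but after 3/8 in this series removed `IMA_EVM_POLICY` from the README's local.conf example, this line becomes the only documentation of the policy variable; a sentence stating that `IMA_EVM_POLICY_SYSTEMD` must point at a policy file to be installed as `/etc/ima/ima-policy` would keep the README self-contained.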
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 6902d69..3cb0d07 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () {
     find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
 
     # Optionally install custom policy for loading by systemd.
-    if [ "${IMA_EVM_POLICY}" ]; then
+    if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
-        install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+        install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
     fi
 }
 
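Review bot: this hunk only renames the variable inside the function; make sure the default assignment for `IMA_EVM_POLICY_SYSTEMD` (not visible in this hunk) is restored as well, otherwise `if [ "${IMA_EVM_POLICY_SYSTEMD}" ]` is always false and no policy is ever installed, with no error to tell the user why.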
-- 
2.34.1




* [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature"
  2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
                   ` (3 preceding siblings ...)
  2023-05-09 18:56 ` [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY" Jose Quaresma
@ 2023-05-09 18:56 ` Jose Quaresma
  2023-05-09 18:56 ` [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries" Jose Quaresma
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit f4f7624d2e50e19249e7a2a3798c1120e5183424.

The full patchset is overriding the do_configure task and also adds a kernel patch
in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes, and the do_configure task also doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/classes/ima-evm-rootfs.bbclass |   5 +-
 .../0001-ima-fix-ima_inode_post_setattr.patch |  51 +++++++
 ...for-creating-files-using-the-mknodat.patch | 138 ++++++++++++++++++
 ...-file-hash-setting-by-user-to-fix-an.patch |  60 ++++++++
 .../recipes-kernel/linux/linux/ima.cfg        |  46 ------
 .../recipes-kernel/linux/linux/ima.scc        |   4 -
 .../recipes-kernel/linux/linux_ima.inc        |  10 +-
 7 files changed, 251 insertions(+), 63 deletions(-)
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
 create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 3cb0d07..57de2f6 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
 # with a .x509 suffix. See linux-%.bbappend for details.
 #
 # ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
-IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
+IMA_EVM_ROOT_CA ?= ""
 
 # Sign all regular files by default.
 IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
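Review bot: `IMA_EVM_ROOT_CA ?= ""` contradicts the comment directly above it ("ima-local-ca.x509 is what ima-gen-local-ca.sh creates"), which now describes a value that is no longer the default; update the comment or keep the default pointing at the generated CA. Note also that the ima.cfg deleted later in this same patch is what consumed this variable through `CONFIG_SYSTEM_TRUSTED_KEYS`, so after the revert nothing visible in the series embeds a CA certificate into the kernel, while the README still promises that ima-evm-rootfs.bbclass does exactly that.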
@@ -31,9 +31,6 @@ IMA_EVM_ROOTFS_IVERSION ?= ""
 # Avoid re-generating fstab when ima is enabled.
 WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}"
 
-# Add necessary tools (e.g., keyctl) to image
-IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}"
-
 ima_evm_sign_rootfs () {
     cd ${IMAGE_ROOTFS}
 
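Review bot: removing the `IMAGE_INSTALL:append` line means `ima-evm-utils` (evmctl, keyctl) is no longer pulled into images that enable the ima distro feature, so keys cannot be loaded into the IMA keyring at boot by any tooling that expects those binaries. The do_configure rationale in the commit message does not cover this; state explicitly that runtime tooling is now left to the image recipe.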
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
new file mode 100644
index 0000000..64016dd
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch
@@ -0,0 +1,51 @@
+From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Tue, 8 Mar 2016 16:43:55 -0500
+Subject: [PATCH] ima: fix ima_inode_post_setattr
+
+Changing file metadata (eg. uid, guid) could result in having to
+re-appraise a file's integrity, but does not change the "new file"
+status nor the security.ima xattr.  The IMA_PERMIT_DIRECTIO and
+IMA_DIGSIG_REQUIRED flags are policy rule specific.  This patch
+only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags.
+
+With this patch, changing the file timestamp will not remove the
+file signature on new files.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b]
+
+Reported-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ security/integrity/ima/ima_appraise.c | 2 +-
+ security/integrity/integrity.h        | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..a384ba1 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry)
+ 	if (iint) {
+ 		iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED |
+ 				 IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK |
+-				 IMA_ACTION_FLAGS);
++				 IMA_ACTION_RULE_FLAGS);
+ 		if (must_appraise)
+ 			iint->flags |= IMA_APPRAISE;
+ 	}
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index 0fc9519..f9decae 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -28,6 +28,7 @@
+ 
+ /* iint cache flags */
+ #define IMA_ACTION_FLAGS	0xff000000
++#define IMA_ACTION_RULE_FLAGS	0x06000000
+ #define IMA_DIGSIG		0x01000000
+ #define IMA_DIGSIG_REQUIRED	0x02000000
+ #define IMA_PERMIT_DIRECTIO	0x04000000
+-- 
+2.5.0
+
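Review bot: this re-adds a kernel patch dated 2016 and marked `Upstream-Status: Accepted` (merged upstream as 42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b); against any kernel that already contains it, the `ima_appraise.c` and `integrity.h` hunks cannot apply, which is precisely the "patch fails in some recipes" failure the commit message gives as the reason for this series. If the patch is still needed for very old kernels, guard its `SRC_URI` entry by kernel version instead of applying it unconditionally from linux_ima.inc.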
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
new file mode 100644
index 0000000..6ab7ce2
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch
@@ -0,0 +1,138 @@
+From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Thu, 10 Mar 2016 18:19:20 +0200
+Subject: [PATCH] ima: add support for creating files using the mknodat
+ syscall
+
+Commit 3034a14 "ima: pass 'opened' flag to identify newly created files"
+stopped identifying empty files as new files.  However new empty files
+can be created using the mknodat syscall.  On systems with IMA-appraisal
+enabled, these empty files are not labeled with security.ima extended
+attributes properly, preventing them from subsequently being opened in
+order to write the file data contents.  This patch marks these empty
+files, created using mknodat, as new in order to allow the file data
+contents to be written.
+
+Files with security.ima xattrs containing a file signature are considered
+"immutable" and can not be modified.  The file contents need to be
+written, before signing the file.  This patch relaxes this requirement
+for new files, allowing the file signature to be written before the file
+contents.
+
+Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356]
+
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+---
+ fs/namei.c                            |  2 ++
+ include/linux/ima.h                   |  7 ++++++-
+ security/integrity/ima/ima_appraise.c |  3 +++
+ security/integrity/ima/ima_main.c     | 32 +++++++++++++++++++++++++++++++-
+ 4 files changed, 42 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index ccd7f98..19502da 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -3526,6 +3526,8 @@ retry:
+ 	switch (mode & S_IFMT) {
+ 		case 0: case S_IFREG:
+ 			error = vfs_create(path.dentry->d_inode,dentry,mode,true);
++			if (!error)
++				ima_post_path_mknod(dentry);
+ 			break;
+ 		case S_IFCHR: case S_IFBLK:
+ 			error = vfs_mknod(path.dentry->d_inode,dentry,mode,
+diff --git a/include/linux/ima.h b/include/linux/ima.h
+index 120ccc5..7f51971 100644
+--- a/include/linux/ima.h
++++ b/include/linux/ima.h
+@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file);
+ extern int ima_file_mmap(struct file *file, unsigned long prot);
+ extern int ima_module_check(struct file *file);
+ extern int ima_fw_from_file(struct file *file, char *buf, size_t size);
+-
++extern void ima_post_path_mknod(struct dentry *dentry);
+ #else
+ static inline int ima_bprm_check(struct linux_binprm *bprm)
+ {
+@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size)
+ 	return 0;
+ }
+ 
++static inline void ima_post_path_mknod(struct dentry *dentry)
++{
++	return;
++}
++
+ #endif /* CONFIG_IMA */
+ 
+ #ifdef CONFIG_IMA_APPRAISE
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4df493e..20806ea 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -274,6 +274,11 @@ out:
+ 		     xattr_value->type != EVM_IMA_XATTR_DIGSIG)) {
+ 			if (!ima_fix_xattr(dentry, iint))
+ 				status = INTEGRITY_PASS;
++		} else if ((inode->i_size == 0) &&
++			   (iint->flags & IMA_NEW_FILE) &&
++			   (xattr_value &&
++			    xattr_value->type == EVM_IMA_XATTR_DIGSIG)) {
++			status = INTEGRITY_PASS;
+ 		}
+ 		integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
+ 				    op, cause, rc, 0);
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index eeee00dc..705bf78 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function,
+ 		ima_audit_measurement(iint, pathname);
+ 
+ out_digsig:
+-	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG))
++	if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) &&
++	     !(iint->flags & IMA_NEW_FILE))
+ 		rc = -EACCES;
+ 	kfree(xattr_value);
+ out_free:
+@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened)
+ EXPORT_SYMBOL_GPL(ima_file_check);
+ 
+ /**
++ * ima_post_path_mknod - mark as a new inode
++ * @dentry: newly created dentry
++ *
++ * Mark files created via the mknodat syscall as new, so that the
++ * file data can be written later.
++ */
++void ima_post_path_mknod(struct dentry *dentry)
++{
++	struct integrity_iint_cache *iint;
++	struct inode *inode;
++	int must_appraise;
++
++	if (!dentry || !dentry->d_inode)
++		return;
++
++	inode = dentry->d_inode;
++	if (inode->i_size != 0)
++		return;
++
++	must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK);
++	if (!must_appraise)
++		return;
++
++	iint = integrity_inode_get(inode);
++	if (iint)
++		iint->flags |= IMA_NEW_FILE;
++}
++
++/**
+  * ima_module_check - based on policy, collect/store/appraise measurement.
+  * @file: pointer to the file to be measured/appraised
+  *
+-- 
+2.5.0
+
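Review bot: same concern as the previous file: dated 2016 and `Upstream-Status: Accepted` (05d1a717ec0430c916a749b94eb90ab74bbfa356), so it is already present in any current kernel and will fail to apply there; re-adding it unconditionally reintroduces the kind of breakage the series claims to fix. The patch also relaxes the "signed file is immutable" rule for empty `IMA_NEW_FILE` inodes in `process_measurement()`, so anyone carrying it on a kernel where it does apply should know that behaviour is part of the package.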
diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
new file mode 100644
index 0000000..157c007
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch
@@ -0,0 +1,60 @@
+From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 15 Nov 2016 10:10:23 +0100
+Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log
+ modes"
+
+This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533.
+
+The original motivation was security hardening ("File hashes are
+automatically set and updated and should not be manually set.")
+
+However, that hardening ignores and breaks some valid use cases:
+- File hashes might not be set because the file is currently
+  outside of the policy and therefore have to be set by the
+  creator. Examples:
+  - Booting into an initramfs with an IMA-enabled kernel but
+    without setting an IMA policy, then installing
+    the OS onto the target partition by unpacking a rootfs archive
+    which has the file hashes pre-computed.
+  - Unpacking a file into a staging area with meta data (like owner)
+    that leaves the file outside of the current policy, then changing
+    the meta data such that it becomes part of the current policy.
+- "should not be set manually" implies that the creator is aware
+  of IMA semantic, the current system's configuration, and then
+  skips setting file hashes in security.ima if (and only if) the
+  kernel would prevent it. That's not the case for standard, unmodified
+  tools. Example: unpacking an archive with security.ima xattrs with
+  bsdtar or GNU tar.
+
+Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ security/integrity/ima/ima_appraise.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 4b9b4a4..b8b2dd9 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ 	result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+ 				   xattr_value_len);
+ 	if (result == 1) {
+-		bool digsig;
+-
+ 		if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
+ 			return -EINVAL;
+-		digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+-		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))
+-			return -EPERM;
+-		ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
++		ima_reset_appraise_flags(d_backing_inode(dentry),
++			 (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0);
+ 		result = 0;
+ 	}
+ 	return result;
+-- 
+2.1.4
+
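Review bot: this hunk restores a 2016 kernel patch that relaxes appraisal, and nothing in this series visibly wires it back into the build. The embedded diff removes the `-		if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE))` / `-			return -EPERM;` check, so a privileged process can again write a plain (non-signature) hash into security.ima while appraisal is in enforce mode and have a modified file pass hash-based appraisal; that restriction is exactly what upstream commit c68ed80c97d9 added. The file is also marked Upstream-Status: Submitted against a 2.1.4-era tree, so it is unlikely to apply to a current kernel, and the linux_ima.inc hunk below restores no SRC_URI entry for it. If the revert really needs it, reference it from SRC_URI and say in the commit message why the enforce-mode restriction must be bypassed; otherwise leave this file out of the revert.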
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
deleted file mode 100644
index 86fb3aa..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ /dev/null
@@ -1,46 +0,0 @@
-CONFIG_SQUASHFS_XATTR=y
-CONFIG_KEYS=y
-CONFIG_ASYMMETRIC_KEY_TYPE=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
-CONFIG_SECONDARY_TRUSTED_KEYRING=y
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
-CONFIG_X509_CERTIFICATE_PARSER=y
-CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
-CONFIG_CRYPTO_ECDSA=y
-CONFIG_SECURITY=y
-CONFIG_SECURITYFS=y
-CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-# CONFIG_IMA_TEMPLATE is not set
-# CONFIG_IMA_NG_TEMPLATE is not set
-CONFIG_IMA_SIG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA256=y
-# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha256"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-CONFIG_IMA_APPRAISE_BUILD_POLICY=y
-CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
-CONFIG_IMA_TRUSTED_KEYRING=y
-CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
-# CONFIG_IMA_LOAD_X509 is not set
-CONFIG_IMA_APPRAISE_SIGNED_INIT=y
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-# CONFIG_EVM_LOAD_X509 is not set
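Review bot: deleting ima.cfg removes the only fragment in this layer that turns on CONFIG_IMA_APPRAISE, CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS, CONFIG_EVM and, above all, `CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"`; after the revert the layer depends on a `features/ima/ima.scc` that the kernel recipe itself must supply, and no remaining file substitutes IMA_EVM_ROOT_CA into the build, so the kernel is left without a built-in trust anchor for security.ima signatures. If the objection is only to the do_configure override, keep the fragment and drop the sed, or state in the commit message that users now have to build the root CA into the kernel themselves.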
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc
deleted file mode 100644
index 6eb84b0..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/ima.scc
+++ /dev/null
@@ -1,4 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable IMA"
-
-kconf non-hardware ima.cfg
-
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 0b6f530..3ab53e5 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,12 +1,4 @@
-FILESEXTRAPATHS:append := "${THISDIR}/linux:"
-
-SRC_URI += " \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
-"
-
-do_configure() {
-    sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
-}
+KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
 
 KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
 
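Review bot: this hunk does not fix the root cause given in the commit message. The include is still pulled into every recipe matched by linux-%.bbappend (linux-firmware among them); it now only appends a kernel feature that non-kernel recipes ignore, while the ima.cfg/do_configure path that set CONFIG_SYSTEM_TRUSTED_KEYS is gone. A narrower bbappend name (for the yocto kernel recipes) or a PN check inside the include would stop linux-firmware from picking this up without losing the configuration. Style: the restored `KERNEL_FEATURES:append` line uses double quotes inside the double-quoted value while the modsign line just below uses single quotes; make the two consistent.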
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 16+ messages in thread

* [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries"
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit cb8f26d82a35ba56f3bd40cd6ba105de03602a4b.

The full patchset is overriding the do_configure task and also added a kernel patch
on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes and also the do_configure task doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 .../files/ima_policy_appraise_all                        | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
index 3498025..36e71a7 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
@@ -25,12 +25,5 @@ dont_appraise fsmagic=0xf97cff8c
 dont_appraise fsmagic=0x6e736673
 # EFIVARFS_MAGIC
 dont_appraise fsmagic=0xde5e81e4
-# Cgroup
-dont_appraise fsmagic=0x27e0eb
-# Cgroup2
-dont_appraise fsmagic=0x63677270
 
-# Appraise libraries
-appraise func=MMAP_CHECK mask=MAY_EXEC
-# Appraise executables
-appraise func=BPRM_CHECK
+appraise
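Review bot: the bare `+appraise` rule carries no `func=` condition, so every IMA hook appraises (FILE_CHECK on ordinary opens as well as MMAP_CHECK and BPRM_CHECK), and removing `dont_appraise fsmagic=0x27e0eb` and `dont_appraise fsmagic=0x63677270` means cgroup and cgroup2 files are appraised again although they never carry security.ima. That is a policy behaviour change with no connection to the do_configure/linux-%.bbappend problem the commit message gives as the reason; if the series has to be reverted for the kernel recipe issue, keep this policy file as it is, or at least keep the two cgroup exemptions.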
-- 
2.34.1




* [meta-security][PATCH 8/8] Revert "ima: Document and replace keys and adapt scripts for EC keys"
From: Jose Quaresma @ 2023-05-09 18:56 UTC (permalink / raw)
  To: yocto; +Cc: stefanb, Jose Quaresma

This reverts commit 0652c9fd7496d021f91759cc7489b6faad3e04bd.

The full patchset is overriding the do_configure task and also added a kernel patch
on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes and also the do_configure task doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/data/debug-keys/README.md      |  17 --------
 .../data/debug-keys/ima-local-ca.pem          |  15 -------
 .../data/debug-keys/ima-local-ca.priv         |   7 ---
 .../data/debug-keys/privkey_ima.pem           |  17 ++++++--
 meta-integrity/data/debug-keys/x509_ima.der   | Bin 620 -> 707 bytes
 meta-integrity/scripts/ima-gen-CA-signed.sh   |   9 ++--
 meta-integrity/scripts/ima-gen-local-ca.sh    |   6 +--
 meta-integrity/scripts/ima-gen-self-signed.sh |  41 ++++++++++++++++++
 8 files changed, 62 insertions(+), 50 deletions(-)
 delete mode 100644 meta-integrity/data/debug-keys/README.md
 delete mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem
 delete mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv
 create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh

diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md
deleted file mode 100644
index e613968..0000000
--- a/meta-integrity/data/debug-keys/README.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# EVM & IMA keys
-
-The following IMA & EVM debug/test keys are in this directory
-
-- ima-local-ca.priv: The CA's private key (password: 1234)
-- ima-local-ca.pem: The CA's self-signed certificate
-- privkey_ima.pem: IMA & EVM private key used for signing files
-- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures
-
-The CA's (self-signed) certificate can be used to verify the validity of
-the x509_ima.der certificate. Since the CA certificate will be built into
-the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must
-pass this test:
-
-```
-  openssl verify -CAfile ima-local-ca.pem x509_ima.der
-````
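Review bot: deleting README.md removes the only description of what the debug keys are and of the check `openssl verify -CAfile ima-local-ca.pem x509_ima.der` that a key must pass before it can be loaded onto the .ima keyring; since this same patch also deletes ima-local-ca.pem and ima-local-ca.priv, the documented CA-signed workflow can no longer be reproduced from the layer. If the CA material has to go, replace the README with a note on how the restored self-signed x509_ima.der is meant to be trusted instead of dropping the documentation entirely.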
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem
deleted file mode 100644
index 4b48be4..0000000
--- a/meta-integrity/data/debug-keys/ima-local-ca.pem
+++ /dev/null
@@ -1,15 +0,0 @@
diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv
deleted file mode 100644
index e13de23..0000000
--- a/meta-integrity/data/debug-keys/ima-local-ca.priv
+++ /dev/null
@@ -1,7 +0,0 @@
diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem
index 8362cfe..502a0b6 100644
--- a/meta-integrity/data/debug-keys/privkey_ima.pem
+++ b/meta-integrity/data/debug-keys/privkey_ima.pem
@@ -1,5 +1,16 @@
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der
index 3f6f24e61373912cf39598a427fba09c75e74592..087ca6bea53c172e7eb9a269183a32b3ecbd3aaa 100644
GIT binary patch
diff --git a/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-integrity/scripts/ima-gen-CA-signed.sh
index b10b1ba..5f3a728 100755
--- a/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,6 +20,7 @@ CAKEY=${2:-ima-local-ca.priv}
 
 cat << __EOF__ >$GENKEY
 [ req ]
+default_bits = 1024
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
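Review bot: `default_bits = 1024` gives the IMA signing key a 1024-bit RSA modulus, below the 2048-bit minimum current guidance accepts and weaker than the `default_bits = 2048` this same series restores in ima-gen-local-ca.sh. If the EC key has to go, use 2048 here as well.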
@@ -35,15 +36,13 @@ basicConstraints=critical,CA:FALSE
 #basicConstraints=CA:FALSE
 keyUsage=digitalSignature
 #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage=critical,codeSigning
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 #authorityKeyIdentifier=keyid,issuer
 __EOF__
 
-openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
-        -out csr_ima.pem -keyout privkey_ima.pem \
-        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
-openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+        -out csr_ima.pem -keyout privkey_ima.pem
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
         -CA $CA -CAkey $CAKEY -CAcreateserial \
         -outform DER -out x509_ima.der
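Review bot: the restored `openssl req ... -sha1 -days 365` signs the IMA certificate with SHA-1, which OpenSSL 3 rejects at its default security level, cuts validity from 36500 to 365 days while ima-gen-local-ca.sh restores 3650 days for the CA, and the removed `extendedKeyUsage=critical,codeSigning` line leaves the certificate without a stated purpose. None of this is needed to revert the EC change: keep `-sha256`, `-days 36500` and the EKU line, and drop only the `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` arguments if that is the intent.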
diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh
index 339d3e3..b600761 100755
--- a/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,6 +18,7 @@ GENKEY=ima-local-ca.genkey
 
 cat << __EOF__ >$GENKEY
 [ req ]
+default_bits = 2048
 distinguished_name = req_distinguished_name
 prompt = no
 string_mask = utf8only
@@ -32,11 +33,10 @@ emailAddress = john.doe@example.com
 basicConstraints=CA:TRUE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
-keyUsage = cRLSign, keyCertSign
+# keyUsage = cRLSign, keyCertSign
 __EOF__
 
-openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
-        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
         -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
 
 openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
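Review bot: `# keyUsage = cRLSign, keyCertSign` removes the key-usage constraint from the CA certificate and `-sha1` signs it with SHA-1; the keyUsage line was correct and independent of the EC change, and SHA-1 certificate signatures are rejected by OpenSSL 3 at the default security level. Keep `keyUsage = cRLSign, keyCertSign` and `-sha256` even when reverting the `-newkey ec` arguments.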
diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh
new file mode 100755
index 0000000..5ee876c
--- /dev/null
+++ b/meta-integrity/scripts/ima-gen-self-signed.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# Copied from ima-evm-utils.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = example.com
+CN = meta-intel-iot-security example signing key
+emailAddress = john.doe@example.com
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+        -x509 -config $GENKEY \
+	-outform DER -out x509_ima.der -keyout privkey_ima.pem
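Review bot: the reintroduced script builds x509_ima.der with `default_bits = 1024` and `-sha1`, both weaker than what the CA-signed and local-CA scripts in this same patch use, and a self-signed certificate cannot be verified against ima-local-ca.pem, so it only works when x509_ima.der itself is the kernel's built-in trusted key. Either raise it to 2048 bits and `-sha256` and state in a comment which trust model it serves, or do not restore it. Minor: the final `-outform DER` line is indented with a tab while the line above uses spaces.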
-- 
2.34.1




* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
From: akuster808 @ 2023-05-10 11:44 UTC (permalink / raw)
  To: Jose Quaresma, yocto; +Cc: stefanb, Jose Quaresma



On 5/9/23 2:56 PM, Jose Quaresma wrote:
> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>
> The full patchset is overriding the do_configure task and also added a kernel patch
> on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> So the patch fails in some recipes and also the do_configure task doesn't make sense.
> This breaks many recipes like linux-firmware and maybe others.

I fail to see how  this package update is part of the issue above. I am 
still trying to sort out the store here to figure out how we move forward.

- armin
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
>   ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
>   ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
>   2 files changed, 2 insertions(+), 42 deletions(-)
>   delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)
>
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> deleted file mode 100644
> index 3624576..0000000
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
> -From: Stefan Berger <stefanb@linux.ibm.com>
> -Date: Tue, 18 Apr 2023 11:43:55 -0400
> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
> -
> -If a signatures is detected as being portable do not attempt to read the
> -generation with the ioctl since in some cases this may not be supported
> -by the filesystem and is also not needed for computing a portable
> -signature.
> -
> -This avoids the current work-around of passing --generation 0 when the
> -ioctl is not supported by the filesystem.
> -
> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ----
> - src/evmctl.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index 6d2bb67..c35a28c 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - 	if (mode_str)
> - 		st.st_mode = strtoul(mode_str, NULL, 10);
> -
> --	if (!evm_immutable) {
> -+	if (!evm_immutable && !evm_portable) {
> - 		if (S_ISREG(st.st_mode) && !generation_str) {
> - 			int fd = open(file, 0);
> -
> ----
> -2.39.2
> -
> -
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> similarity index 71%
> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> index 8ac080c..873aeeb 100644
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
>   
>   DEPENDS:class-native += "openssl-native keyutils-native"
>   
> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
> -
> -SRC_URI = " \
> -    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
> -    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
> -"
> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
>   
>   inherit pkgconfig autotools features_check
>   
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#59946): https://lists.yoctoproject.org/g/yocto/message/59946
> Mute This Topic: https://lists.yoctoproject.org/mt/98790790/3616698
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>




* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
From: Stefan Berger @ 2023-05-10 12:23 UTC (permalink / raw)
  To: Armin Kuster, Jose Quaresma, yocto; +Cc: Jose Quaresma



On 5/10/23 07:44, Armin Kuster wrote:
> 
> 
> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>
>> The full patchset is overriding the do_configure task and also added a kernel patch
>> on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>> So the patch fails in some recipes and also the do_configure task doesn't make sense.
>> This breaks many recipes like linux-firmware and maybe others.
> 
> I fail to see how  this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.

My suggestion would be that I post a v2 of my fix patches containing:

1) removal of the Linux kernel patch
2) removal of the squashfs option (less important)
3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
    but modified to look like this with '&& [ -f .config ]' appended:

  do_configure:append() {
      if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
          sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
      fi
  }

I don't want to hold things up but maybe it's worth discussing the suggested changes.

From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
matches the pattern linux-firmware as well and therefore its contents get included when building
linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
these included for linux-firmware.

   Stefan

> 
> - armin
>>
>> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
>> ---
>>   ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
>>   ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} |  9 ++---
>>   2 files changed, 2 insertions(+), 42 deletions(-)
>>   delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>>   rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)
>>
>> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>> deleted file mode 100644
>> index 3624576..0000000
>> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
>> +++ /dev/null
>> @@ -1,35 +0,0 @@
>> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
>> -From: Stefan Berger <stefanb@linux.ibm.com>
>> -Date: Tue, 18 Apr 2023 11:43:55 -0400
>> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
>> -
>> -If a signatures is detected as being portable do not attempt to read the
>> -generation with the ioctl since in some cases this may not be supported
>> -by the filesystem and is also not needed for computing a portable
>> -signature.
>> -
>> -This avoids the current work-around of passing --generation 0 when the
>> -ioctl is not supported by the filesystem.
>> -
>> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
>> ----
>> - src/evmctl.c | 2 +-
>> - 1 file changed, 1 insertion(+), 1 deletion(-)
>> -
>> -diff --git a/src/evmctl.c b/src/evmctl.c
>> -index 6d2bb67..c35a28c 100644
>> ---- a/src/evmctl.c
>> -+++ b/src/evmctl.c
>> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
>> -     if (mode_str)
>> -         st.st_mode = strtoul(mode_str, NULL, 10);
>> -
>> --    if (!evm_immutable) {
>> -+    if (!evm_immutable && !evm_portable) {
>> -         if (S_ISREG(st.st_mode) && !generation_str) {
>> -             int fd = open(file, 0);
>> -
>> ----
>> -2.39.2
>> -
>> -
>> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> similarity index 71%
>> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
>> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> index 8ac080c..873aeeb 100644
>> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
>> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
>> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
>>   DEPENDS:class-native += "openssl-native keyutils-native"
>> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
>> -
>> -SRC_URI = " \
>> -    https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
>> -    file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
>> -"
>> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
>> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
>> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
>>   inherit pkgconfig autotools features_check
>>
>>
>>
> 
> 
> 
> 
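The check a practitioner would want after a revert like this, as an added example that is not code from the thread or from the meta-security layer: it scans a built kernel .config for the IMA/EVM options the deleted ima.cfg fragment enabled and confirms that CONFIG_SYSTEM_TRUSTED_KEYS was really substituted, which is what the do_configure sed discussed above was meant to guarantee. The option list is a subset chosen for the example and the sample .config is constructed.

```shell
#!/bin/sh
# Added example, not from the meta-security layer: verify that a built kernel
# .config carries the IMA/EVM options from the thread's ima.cfg fragment and that
# the CONFIG_SYSTEM_TRUSTED_KEYS placeholder was actually substituted.

# Subset of the ima.cfg options whose absence disables appraisal outright.
IMA_REQUIRED_OPTS="CONFIG_IMA CONFIG_IMA_APPRAISE CONFIG_IMA_APPRAISE_SIGNED_INIT \
CONFIG_EVM CONFIG_INTEGRITY_SIGNATURE CONFIG_SYSTEM_TRUSTED_KEYRING"

# check_ima_config <.config path>
# Prints one line per finding; the return value is the number of findings (0 = good).
check_ima_config() {
    cfg="$1"
    findings=0
    for opt in $IMA_REQUIRED_OPTS; do
        # Anchored match so CONFIG_IMA=y is not satisfied by CONFIG_IMA_APPRAISE=y.
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "MISSING: ${opt}=y"
            findings=$((findings + 1))
        fi
    done
    # The built-in trust anchor: without a certificate file here the appraisal
    # policy has no key to verify security.ima signatures against.
    keys=$(sed -n 's/^CONFIG_SYSTEM_TRUSTED_KEYS="\(.*\)"$/\1/p' "$cfg")
    if [ -z "$keys" ]; then
        echo "MISSING: CONFIG_SYSTEM_TRUSTED_KEYS names no certificate"
        findings=$((findings + 1))
    elif [ "$keys" = '${IMA_EVM_ROOT_CA}' ]; then
        # The fragment's literal survived: the do_configure sed never ran.
        echo "UNEXPANDED: CONFIG_SYSTEM_TRUSTED_KEYS still holds \${IMA_EVM_ROOT_CA}"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_config <path>: a constructed .config (not a real build artefact)
# with IMA on, EVM off and the trusted-keys placeholder left unsubstituted.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_APPRAISE_SIGNED_INIT=y
# CONFIG_EVM is not set
EOF
}

sample="${TMPDIR:-/tmp}/ima-check-sample.config"
write_sample_config "$sample"
n=0
check_ima_config "$sample" || n=$?
echo "$n finding(s) in $sample"   # prints 2 for the constructed sample
rm -f "$sample"
```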



* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
From: Mikko Rapeli @ 2023-05-10 13:15 UTC (permalink / raw)
  To: Stefan Berger; +Cc: Armin Kuster, Jose Quaresma, yocto, Jose Quaresma

Hi,

On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> 
> 
> On 5/10/23 07:44, Armin Kuster wrote:
> > 
> > 
> > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > 
> > > The full patchset is overriding the do_configure task and also added a kernel patch
> > > on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> > > in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> > > So the patch fails in some recipes and also the do_configure task doesn't make sense.
> > > This breaks many recipes like linux-firmware and maybe others.
> > 
> > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> 
> My suggestion would be that I post a v2 of my fix patches containing:
> 
> 1) removal of the Linux kernel patch
> 2) removal of the squashfs option (less important)
> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>    but modified to look like this with '&& [ -f .config ]' appended:
> 
>  do_configure:append() {
>      if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>          sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>      fi
>  }
> 
> I don't want to hold things up but maybe it's worth discussing the suggested changes.
> 
> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> matches the pattern linux-firmware as well and therefore its contents get included when building
> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> these included for linux-firmware.

Why is the bbappend applying changes to all recipes where name starts with
"linux-"?

It is aiming at Linux kernel recipes which by default in yocto are
called "linux-yocto", so the bbappend could simply be
"linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
and other variants too).

I think it's a bad idea to try to apply this change automatically to all
possible BSP layer kernels which may or may not have names starting with
"linux-" and it's well known that there are a lot of recipe names which
start with "linux-" which are not Linux kernels (linux-firmware,
linux-libc-headers, linux-dummy etc).

Cheers,

-Mikko



* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
  2023-05-10 13:15     ` Mikko Rapeli
@ 2023-05-10 14:20       ` Stefan Berger
  2023-05-10 14:34         ` Mikko Rapeli
  2023-05-10 14:25       ` akuster808
  1 sibling, 1 reply; 16+ messages in thread
From: Stefan Berger @ 2023-05-10 14:20 UTC (permalink / raw)
  To: Mikko Rapeli; +Cc: Armin Kuster, Jose Quaresma, yocto, Jose Quaresma



On 5/10/23 09:15, Mikko Rapeli wrote:
> Hi,
> 
> On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>>
>>
>> On 5/10/23 07:44, Armin Kuster wrote:
>>>
>>>
>>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>>>
>>>> The full patchset is overriding the do_configure task and also added a kernel patch
>>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
>>>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>>>> So the patch fails in some recipes and also do_configure task doesn't make sense.
>>>> This breaks many recipes like linux-firmware and maybe others.
>>>
>>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>>
>> My suggestion would be that I post a v2 of my fix patches containing:
>>
>> 1) removal of the Linux kernel patch
>> 2) removal of the squashfs option (less important)
>> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>>     but modified to look like this with '&& [ -f .config ]' appended:
>>
>>   do_configure:append() {
>>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>>       fi
>>   }
>>
>> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>>
>> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> matches the pattern linux-firmware as well and therefore its contents get included when building
>> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> 
> Why is the bbappend applying changes to all recipes whose name starts with
> "linux-"?
> 
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> and other variants too).

Thanks.

I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
meta-security.

So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
then require that OpenBMC include the linux_ima.inc using a statement like this

require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}

in its own linux-aspeed_%.bbappend.

Does this sound correct?

     Stefan

> 
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).


> 
> Cheers,
> 
> -Mikko



* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
  2023-05-10 13:15     ` Mikko Rapeli
  2023-05-10 14:20       ` Stefan Berger
@ 2023-05-10 14:25       ` akuster808
  2023-05-10 14:33         ` Jose Quaresma
       [not found]         ` <175DCECAC59B5A82.14362@lists.yoctoproject.org>
  1 sibling, 2 replies; 16+ messages in thread
From: akuster808 @ 2023-05-10 14:25 UTC (permalink / raw)
  To: Mikko Rapeli, Stefan Berger; +Cc: Jose Quaresma, yocto, Jose Quaresma



On 5/10/23 9:15 AM, Mikko Rapeli wrote:
> Hi,
>
> On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>>
>> On 5/10/23 07:44, Armin Kuster wrote:
>>>
>>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>>>>
>>>> The full patchset is overriding the do_configure task and also added a kernel patch
>>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
>>>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>>>> So the patch fails in some recipes and also do_configure task doesn't make sense.
>>>> This breaks many recipes like linux-firmware and maybe others.
>>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> My suggestion would be that I post a v2 of my fix patches containing:
>>
>> 1) removal of the Linux kernel patch
>> 2) removal of the squashfs option (less important)
>> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>>     but modified to look like this with '&& [ -f .config ]' appended:
>>
>>   do_configure:append() {
>>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>>       fi
>>   }
>>
>> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>>
>> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> matches the pattern linux-firmware as well and therefore its contents get included when building
>> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> these included for linux-firmware.
> Why is the bbappend applying changes to all recipes whose name starts with
> "linux-"?
>
> It is aiming at Linux kernel recipes which by default in yocto are
> called "linux-yocto", so the bbappend could simply be
> "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> and other variants too).

Well that one is on me. That change came in when I ported over the 
meta-intel-iot-security layer.

6680225 meta-integrity: port over from meta-intel-iot-security

I will send a patch correcting that.

Thanks for the reminder and pointing this out.

BR,
Armin

>
> I think it's a bad idea to try to apply this change automatically to all
> possible BSP layer kernels which may or may not have names starting with
> "linux-" and it's well known that there are a lot of recipe names which
> start with "linux-" which are not Linux kernels (linux-firmware,
> linux-libc-headers, linux-dummy etc).
>
> Cheers,
>
> -Mikko




* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
  2023-05-10 14:25       ` akuster808
@ 2023-05-10 14:33         ` Jose Quaresma
       [not found]         ` <175DCECAC59B5A82.14362@lists.yoctoproject.org>
  1 sibling, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-10 14:33 UTC (permalink / raw)
  To: akuster808; +Cc: Mikko Rapeli, Stefan Berger, yocto, Jose Quaresma


akuster808 <akuster808@gmail.com> wrote on Wednesday, 10/05/2023 at 15:25:

>
>
> On 5/10/23 9:15 AM, Mikko Rapeli wrote:
> > Hi,
> >
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> >>
> >> On 5/10/23 07:44, Armin Kuster wrote:
> >>>
> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> >>>>
> >>>> The full patchset is overriding the do_configure task and also added a kernel patch
> >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
> >>>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> >>>> So the patch fails in some recipes and also do_configure task doesn't make sense.
> >>>> This breaks many recipes like linux-firmware and maybe others.
> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> >> My suggestion would be that I post a v2 of my fix patches containing:
> >>
> >> 1) removal of the Linux kernel patch
> >> 2) removal of the squashfs option (less important)
> >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> >>     but modified to look like this with '&& [ -f .config ]' appended:
> >>
> >>   do_configure:append() {
> >>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
> >>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> >>       fi
> >>   }
> >>
> >> I don't want to hold things up but maybe it's worth discussing the suggested changes.
> >>
> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> >> matches the pattern linux-firmware as well and therefore its contents get included when building
> >> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> >> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> >> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> >> these included for linux-firmware.
> > Why is the bbappend applying changes to all recipes whose name starts with
> > "linux-"?
> >
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> > and other variants too).
>
> Well that one is on me. That change came in when I ported over the
> meta-intel-iot-security layer.
>

Renaming the bbappend to linux-yocto%.bbappend will break all other linux
kernels around that follow the pattern linux-%.bbappend.

A better solution is needed here like the one pointed by Bruce
https://lists.yoctoproject.org/g/yocto/message/59954

I sent the revert because currently the master is broken and the cause is
the IMA patchset.
Maybe this patch can be dropped because it only bumps a version but the
others should be dropped.

Jose


>
> 6680225 meta-integrity: port over from meta-intel-iot-security
>
> I will send a patch correcting that.
>
> Thanks for the reminder and pointing this out.
>
> BR,
> Armin
>
> >
> > I think it's a bad idea to try to apply this change automatically to all
> > possible BSP layer kernels which may or may not have names starting with
> > "linux-" and it's well known that there are a lot of recipe names which
> > start with "linux-" which are not Linux kernels (linux-firmware,
> > linux-libc-headers, linux-dummy etc).
> >
> > Cheers,
> >
> > -Mikko
>
>

-- 
Best regards,

José Quaresma


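To make the naming argument of this thread concrete (Mikko's point that `linux-%.bbappend` catches every recipe starting with "linux-", Jose's point that `linux-yocto%.bbappend` drops other kernels, and Stefan's `linux-aspeed` case), here is an added Python example; it is not code from the thread, from BitBake or from meta-security. It assumes BitBake's rule is an exact basename match or, with a `%` in the name, a plain prefix match on everything before the `%`; the recipe names and versions are constructed.

```python
"""Added example: which recipes a bbappend wildcard actually catches."""

# Assumption: BitBake applies a .bbappend to a recipe when the basenames
# match exactly, or, when the bbappend name contains '%', when the recipe
# basename starts with everything before the '%'.  So 'linux-%.bbappend'
# behaves like the prefix 'linux-', not like 'linux-<kernel>_<version>'.
# This is a reimplementation of that rule for illustration only.
BBAPPEND_SUFFIX = ".bbappend"


def bbappend_matches(bbappend: str, recipe: str) -> bool:
    """True if `bbappend` (e.g. 'linux-%.bbappend') applies to the recipe
    file `recipe` (e.g. 'linux-firmware_20230404.bb')."""
    if not bbappend.endswith(BBAPPEND_SUFFIX):
        raise ValueError(f"not a bbappend name: {bbappend}")
    base = bbappend[: -len(BBAPPEND_SUFFIX)] + ".bb"
    if base == recipe:
        return True
    if "%" in base:
        return recipe.startswith(base[: base.index("%")])
    return False


# Constructed sample layer contents; the version strings are made up.
RECIPES = [
    "linux-yocto_6.1.bb",           # default poky kernel
    "linux-yocto-rt_6.1.bb",        # -rt variant
    "linux-aspeed_6.1.bb",          # the OpenBMC kernel from the thread
    "linux-firmware_20230404.bb",   # not a kernel
    "linux-libc-headers_6.1.bb",    # not a kernel
    "linux-dummy.bb",               # not a kernel
]
KERNEL_RECIPES = {"linux-yocto_6.1.bb", "linux-yocto-rt_6.1.bb", "linux-aspeed_6.1.bb"}


def targets(bbappend: str, recipes=RECIPES) -> list:
    """All recipes the bbappend would be applied to, in layer order."""
    return [r for r in recipes if bbappend_matches(bbappend, r)]


def unintended_targets(bbappend: str, recipes=RECIPES, kernels=KERNEL_RECIPES) -> list:
    """Non-kernel recipes the bbappend hits: the linux-firmware breakage."""
    return [r for r in targets(bbappend, recipes) if r not in kernels]


def missed_kernels(bbappend: str, recipes=RECIPES, kernels=KERNEL_RECIPES) -> list:
    """Kernels the bbappend no longer reaches: the linux-aspeed case."""
    hit = set(targets(bbappend, recipes))
    return [r for r in recipes if r in kernels and r not in hit]


if __name__ == "__main__":
    for name in ("linux-%.bbappend", "linux-yocto_%.bbappend", "linux-yocto%.bbappend"):
        print(f"{name}:")
        print("  applies to      :", targets(name))
        print("  non-kernel hits :", unintended_targets(name))
        print("  kernels missed  :", missed_kernels(name))
```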

* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
  2023-05-10 14:20       ` Stefan Berger
@ 2023-05-10 14:34         ` Mikko Rapeli
  0 siblings, 0 replies; 16+ messages in thread
From: Mikko Rapeli @ 2023-05-10 14:34 UTC (permalink / raw)
  To: Stefan Berger; +Cc: Armin Kuster, Jose Quaresma, yocto, Jose Quaresma

Hi,

On Wed, May 10, 2023 at 10:20:22AM -0400, Stefan Berger wrote:
> 
> 
> On 5/10/23 09:15, Mikko Rapeli wrote:
> > Hi,
> > 
> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
> > > 
> > > 
> > > On 5/10/23 07:44, Armin Kuster wrote:
> > > > 
> > > > 
> > > > On 5/9/23 2:56 PM, Jose Quaresma wrote:
> > > > > This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
> > > > > 
> > > > > The full patchset is overriding the do_configure task and also added a kernel patch
> > > > > on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
> > > > > in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> > > > > So the patch fails in some recipes and also do_configure task doesn't make sense.
> > > > > This breaks many recipes like linux-firmware and maybe others.
> > > > 
> > > > I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
> > > 
> > > My suggestion would be that I post a v2 of my fix patches containing:
> > > 
> > > 1) removal of the Linux kernel patch
> > > 2) removal of the squashfs option (less important)
> > > 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
> > >     but modified to look like this with '&& [ -f .config ]' appended:
> > > 
> > >   do_configure:append() {
> > >       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
> > >           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
> > >       fi
> > >   }
> > > 
> > > I don't want to hold things up but maybe it's worth discussing the suggested changes.
> > > 
> > > From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
> > > and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
> > > The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
> > > matches the pattern linux-firmware as well and therefore its contents get included when building
> > > linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
> > > ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
> > > I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
> > > these included for linux-firmware.
> > 
> > Why is the bbappend applying changes to all recipes whose name starts with
> > "linux-"?
> > 
> > It is aiming at Linux kernel recipes which by default in yocto are
> > called "linux-yocto", so the bbappend could simply be
> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
> > and other variants too).
> 
> Thanks.
> 
> I am trying to enable IMA & EVM under OpenBMC. When I rename linux-%.bbappend to linux-yocto_%.bbappend
> then none of the IMA support becomes active under OpenBMC, so it doesn't help much for OpenBMC. If I rename it to
> linux-aspeed_%.bbappend then it works for OpenBMC but that's probably not the filename you would want to have in
> meta-security.
> 
> So I guess the solution is to rename the file to linux-yocto%.bbappend anyway (I won't test it in this env) but
> then require that OpenBMC include the linux_ima.inc using a statement like this
> 
> require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', '../../../../meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc', '', d)}
> 
> in its own linux-aspeed_%.bbappend.
> 
> Does this sound correct?

Yes, this sounds better. You can also document this in the layer for
users with different BSP layers and Linux kernel recipe names. Linking
to the OpenBMC example is a good idea too.

Cheers,

-Mikko



* Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
       [not found]         ` <175DCECAC59B5A82.14362@lists.yoctoproject.org>
@ 2023-05-10 14:35           ` Jose Quaresma
  0 siblings, 0 replies; 16+ messages in thread
From: Jose Quaresma @ 2023-05-10 14:35 UTC (permalink / raw)
  To: quaresma.jose
  Cc: akuster808, Mikko Rapeli, Stefan Berger, yocto, Jose Quaresma


Jose Quaresma via lists.yoctoproject.org <quaresma.jose=gmail.com@lists.yoctoproject.org> wrote on Wednesday, 10/05/2023 at 15:33:

>
>
> akuster808 <akuster808@gmail.com> wrote on Wednesday, 10/05/2023 at 15:25:
>
>>
>>
>> On 5/10/23 9:15 AM, Mikko Rapeli wrote:
>> > Hi,
>> >
>> > On Wed, May 10, 2023 at 08:23:18AM -0400, Stefan Berger wrote:
>> >>
>> >> On 5/10/23 07:44, Armin Kuster wrote:
>> >>>
>> >>> On 5/9/23 2:56 PM, Jose Quaresma wrote:
>> >>>> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>> >>>>
>> >>>> The full patchset is overriding the do_configure task and also added a kernel patch
>> >>>> on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
>> >>>> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
>> >>>> So the patch fails in some recipes and also do_configure task doesn't make sense.
>> >>>> This breaks many recipes like linux-firmware and maybe others.
>> >>> I fail to see how this package update is part of the issue above. I am still trying to sort out the store here to figure out how we move forward.
>> >> My suggestion would be that I post a v2 of my fix patches containing:
>> >>
>> >> 1) removal of the Linux kernel patch
>> >> 2) removal of the squashfs option (less important)
>> >> 3) the suggestion outlined here: https://lists.yoctoproject.org/g/yocto/message/59955
>> >>     but modified to look like this with '&& [ -f .config ]' appended:
>> >>
>> >>   do_configure:append() {
>> >>       if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
>> >>           sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
>> >>       fi
>> >>   }
>> >>
>> >> I don't want to hold things up but maybe it's worth discussing the suggested changes.
>> >>
>> >> From what I can see 'bitbake linux-firmware' builds under OpenBMC now with these suggested changes
>> >> and it did NOT build before. My suggestion would be to discuss the proposal under that thread there.
>> >> The problems seem to be that the file meta-security/meta-integrity/recipes-kernel/linux/linux-%.bbappend
>> >> matches the pattern linux-firmware as well and therefore its contents get included when building
>> >> linux-firmware. When building linux-firmware while having also DISTRO_FEATURES ima set in local.conf then the
>> >> ima.scc is added to SRC_URI and the do_configure is also appended. The latter will not have side-effects but
>> >> I don't know about the former nor how to create a better filter (other than DISTRO_FEATURES) for not having
>> >> these included for linux-firmware.
>> > Why is the bbappend applying changes to all recipes whose name starts with
>> > "linux-"?
>> >
>> > It is aiming at Linux kernel recipes which by default in yocto are
>> > called "linux-yocto", so the bbappend could simply be
>> > "linux-yocto_%.bbappend" (or "linux-yocto%.bbappend" to catch the rt
>> > and other variants too).
>>
>> Well that one is on me. That change came in when I ported over the
>> meta-intel-iot-security layer.
>>
>
> Renaming the bbappend to linux-yocto%.bbappend will break all other linux
> kernels around that follow the pattern linux-%.bbappend.
>
> A better solution is needed here like the one pointed by Bruce
> https://lists.yoctoproject.org/g/yocto/message/59954
>
> I sent the revert because currently the master is broken and the cause is
> the IMA patchset.
> Maybe this patch can be dropped because it only bumps a version but the
> others should be dropped.
>

typo: this patch can be dropped but the others should be merged.

Jose


>
> Jose
>
>
>>
>> 6680225 meta-integrity: port over from meta-intel-iot-security
>>
>> I will send a patch correcting that.
>>
>> Thanks for the reminder and pointing this out.
>>
>> BR,
>> Armin
>>
>> >
>> > I think it's a bad idea to try to apply this change automatically to all
>> > possible BSP layer kernels which may or may not have names starting with
>> > "linux-" and it's well known that there are a lot of recipe names which
>> > start with "linux-" which are not Linux kernels (linux-firmware,
>> > linux-libc-headers, linux-dummy etc).
>> >
>> > Cheers,
>> >
>> > -Mikko
>>
>>
>
> --
> Best regards,
>
> José Quaresma
>

-- 
Best regards,

José Quaresma



end of thread, other threads:[~2023-05-10 14:35 UTC | newest]

Thread overview: 16+ messages
2023-05-09 18:56 [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries" Jose Quaresma
2023-05-09 18:56 ` [meta-security][PATCH 8/8] Revert "ima: Document and replace keys and adapt scripts for EC keys" Jose Quaresma
2023-05-10 11:44 ` [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" akuster808
2023-05-10 12:23   ` Stefan Berger
2023-05-10 13:15     ` Mikko Rapeli
2023-05-10 14:20       ` Stefan Berger
2023-05-10 14:34         ` Mikko Rapeli
2023-05-10 14:25       ` akuster808
2023-05-10 14:33         ` Jose Quaresma
     [not found]         ` <175DCECAC59B5A82.14362@lists.yoctoproject.org>
2023-05-10 14:35           ` Jose Quaresma
