jim.lai/OpenBMC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-security/meta-integrity/recipes-core/base-files/base-files-ima.inc
+5
View File
@@ -0,0 +1,5 @@
# Append iversion option for auto types
do_install:append() {
sed -i 's/\s*auto\s*defaults/&,iversion/' "${D}${sysconfdir}/fstab"
echo 'securityfs /sys/kernel/security securityfs defaults 0 0' >> "${D}${sysconfdir}/fstab"
}
meta-security/meta-integrity/recipes-core/base-files/base-files_%.bbappend
+1
View File
@@ -0,0 +1 @@
require ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'base-files-ima.inc', '', d)}
meta-security/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+21
View File
@@ -0,0 +1,21 @@
DESCRIPTION = "An image as an exmaple for Ima support"
IMAGE_FEATURES += "ssh-server-openssh"
IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
packagegroup-ima-evm-utils \
os-release"
LICENSE = "MIT"
inherit core-image
export IMAGE_BASENAME = "integrity-image-minimal"
INHERIT += "ima-evm-rootfs"
QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+36
View File
@@ -0,0 +1,36 @@
# This recipe creates a module for the initramfs-framework in OE-core
# which initializes IMA by loading a policy before transferring
# control to the init process in the rootfs. The advantage over having
# that init process doing the policy loading (which systemd could do)
# is that already the integrity of the init binary itself will be
# checked by the kernel.
SUMMARY = "IMA module for the modular initramfs system"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
# This policy file will get installed as /etc/ima/ima-policy.
# It is located via the normal file search path, so a .bbappend
# to this recipe can just point towards one of its own files.
IMA_POLICY ?= "ima-policy-hashed"
# Force proceed IMA procedure even 'no_ima' boot parameter is available.
IMA_FORCE ?= "false"
SRC_URI = " file://ima"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
install ${WORKDIR}/ima ${D}/init.d/20-ima
sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
FILES:${PN} = "/init.d ${sysconfdir}"
RDEPENDS:${PN} = "keyutils ima-evm-keys ${IMA_POLICY}"
RDEPENDS:${PN} += "initramfs-framework-base"
meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/ima
+58
View File
@@ -0,0 +1,58 @@
#!/bin/sh
#
# Loads IMA policy into the kernel.
force_ima=@@FORCE_IMA@@
ima_enabled() {
if [ "$force_ima" = "true" ]; then
return 0
elif [ "$bootparam_no_ima" = "true" ]; then
return 1
else
return 0
fi
}
ima_run() {
info "Initializing IMA (can be skipped with no_ima boot parameter)."
if ! grep -w securityfs /proc/mounts >/dev/null; then
if ! mount -t securityfs securityfs /sys/kernel/security; then
fatal "Could not mount securityfs."
fi
fi
if [ ! -d /sys/kernel/security/ima ]; then
fatal "No /sys/kernel/security/ima. Cannot proceed without IMA enabled in the kernel."
fi
# Instead of depending on the kernel to load the IMA X.509 certificate,
# use keyctl. This avoids a bug in certain kernels (https://lkml.org/lkml/2015/9/10/492)
# where the loaded key was not checked sufficiently. We use keyctl here because it is
# slightly smaller than evmctl and is needed anyway.
# (see http://sourceforge.net/p/linux-ima/ima-evm-utils/ci/v0.9/tree/README#l349).
for kind in ima evm; do
key=/etc/keys/x509_$kind.der
if [ -s $key ]; then
id=$(grep -w -e "\.$kind" /proc/keys | cut -d ' ' -f1 | head -n 1)
if [ "$id" ]; then
id=$(printf "%d" 0x$id)
fi
if [ -z "$id" ]; then
id=`keyctl search @u keyring _$kind 2>/dev/null`
if [ -z "$id" ]; then
id=`keyctl newring _$kind @u`
fi
fi
info "Loading $key into $kind keyring $id"
keyctl padd asymmetric "" $id <$key
fi
done
# In theory, a simple "cat" should be enough. In practice, loading sometimes fails randomly
# ("[Linux-ima-user] IMA policy loading via cat") and we get better error reporting when
# checking the write of each line. To minimize the risk of policy loading going wrong we
# also remove comments and blank lines ourselves.
if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ *$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Invalid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >/sys/kernel/security/ima/policy; then
fatal "Could not load IMA policy."
fi
}
meta-security/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+11
View File
@@ -0,0 +1,11 @@
SUMMARY = "IMA/EVM userspace tools"
LICENSE = "MIT"
inherit packagegroup features_check
REQUIRED_DISTRO_FEATURES = "ima"
# Only one at the moment, but perhaps more will come in the future.
RDEPENDS:${PN} = " \
ima-evm-utils \
"
meta-security/meta-integrity/recipes-core/systemd/files/machine-id-commit-sync.conf
+2
View File
@@ -0,0 +1,2 @@
[Service]
ExecStartPost=/bin/sync
meta-security/meta-integrity/recipes-core/systemd/files/random-seed-sync.conf
+3
View File
@@ -0,0 +1,3 @@
[Service]
ExecStopPost=/bin/sync
ExecStartPost=/bin/sync
meta-security/meta-integrity/recipes-core/systemd/systemd_%.bbappend
+13
View File
@@ -0,0 +1,13 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://machine-id-commit-sync.conf \
file://random-seed-sync.conf \
"
do_install:append () {
for i in machine-id-commit random-seed; do
install -d ${D}/${systemd_system_unitdir}/systemd-$i.service.d
install -m 0644 ${WORKDIR}/$i-sync.conf ${D}/${systemd_system_unitdir}/systemd-$i.service.d
done
}