jim.lai/OpenBMC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-security/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
+17
View File
@@ -0,0 +1,17 @@
SUMMARY = "IMA/EMV public keys"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
ALLOW_EMPTY:${PN} = "1"
do_install () {
if [ -e "${IMA_EVM_X509}" ]; then
install -d ${D}/${sysconfdir}/keys
install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
ln -rs ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x509_ima.der
fi
}
do_install[file-checksums] += "${@'${IMA_EVM_X509}:%s' % os.path.exists('${IMA_EVM_X509}')}"
meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
+39
View File
@@ -0,0 +1,39 @@
From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue, 18 Apr 2023 11:43:55 -0400
Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
If a signatures is detected as being portable do not attempt to read the
generation with the ioctl since in some cases this may not be supported
by the filesystem and is also not needed for computing a portable
signature.
This avoids the current work-around of passing --generation 0 when the
ioctl is not supported by the filesystem.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
Upstream-Status: Pending
src/evmctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 6d2bb67..c35a28c 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (mode_str)
st.st_mode = strtoul(mode_str, NULL, 10);
- if (!evm_immutable) {
+ if (!evm_immutable && !evm_portable) {
if (S_ISREG(st.st_mode) && !generation_str) {
int fd = open(file, 0);
---
Upstream-Status: Pending
2.39.2
meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
+30
View File
@@ -0,0 +1,30 @@
DESCRIPTION = "IMA/EVM control utility"
LICENSE = "GPL-2.0-with-OpenSSL-exception"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
DEPENDS += "openssl attr keyutils"
DEPENDS:class-native += "openssl-native keyutils-native"
FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
SRC_URI = " \
https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
"
SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
inherit pkgconfig autotools features_check
REQUIRED_DISTRO_FEATURES = "ima"
REQUIRED_DISTRO_FEATURES:class-native = ""
EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
# blkid is called by evmctl when creating evm checksums.
# This is less useful when signing files on the build host,
# so disable it when compiling on the host.
RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
BBCLASSEXTEND = "native nativesdk"
meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all
+36
View File
@@ -0,0 +1,36 @@
#
# Integrity measure policy (http://sourceforge.net/p/linux-ima/wiki/Home/#measure-nothing-appraise-everything)
#
# Do not measure anything, but appraise everything
#
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
dont_appraise fsmagic=0x6e736673
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
# Cgroup
dont_appraise fsmagic=0x27e0eb
# Cgroup2
dont_appraise fsmagic=0x63677270
# Appraise libraries
appraise func=MMAP_CHECK mask=MAY_EXEC
# Appraise executables
appraise func=BPRM_CHECK
meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+16
View File
@@ -0,0 +1,16 @@
SUMMARY = "IMA sample simple appraise policy "
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
SRC_URI = " file://ima_policy_appraise_all"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
RDEPENDS:${PN} = "ima-evm-utils"
meta-security/meta-integrity/recipes-security/ima_policy_hashed/files/ima_policy_hashed
+80
View File
@@ -0,0 +1,80 @@
# With this policy, all files on regular partitions are
# appraised. Files with signed IMA hash and normal hash are
# accepted. Signed files cannot be modified while hashed files can be
# (which will also update the hash). However, signed files can
# be deleted, so in practice it is still possible to replace them
# with a modified version.
#
# Without EVM, this is obviously not very secure, so this policy is
# just an example and/or basis for further improvements. For that
# purpose, some comments show what could be added to make the policy
# more secure.
#
# With EVM the situation might be different because access
# to the EVM key can be restricted.
#
# Files which are appraised are also measured. This allows
# debugging whether a file is in policy by looking at
# /sys/kernel/security/ima/ascii_runtime_measurements
# PROC_SUPER_MAGIC
dont_appraise fsmagic=0x9fa0
dont_measure fsmagic=0x9fa0
# SYSFS_MAGIC
dont_appraise fsmagic=0x62656572
dont_measure fsmagic=0x62656572
# DEBUGFS_MAGIC
dont_appraise fsmagic=0x64626720
dont_measure fsmagic=0x64626720
# TMPFS_MAGIC
dont_appraise fsmagic=0x01021994
dont_measure fsmagic=0x01021994
# RAMFS_MAGIC
dont_appraise fsmagic=0x858458f6
dont_measure fsmagic=0x858458f6
# DEVPTS_SUPER_MAGIC
dont_appraise fsmagic=0x1cd1
dont_measure fsmagic=0x1cd1
# BIFMT
dont_appraise fsmagic=0x42494e4d
dont_measure fsmagic=0x42494e4d
# SECURITYFS_MAGIC
dont_appraise fsmagic=0x73636673
dont_measure fsmagic=0x73636673
# SELINUXFS_MAGIC
dont_appraise fsmagic=0xf97cff8c
dont_measure fsmagic=0xf97cff8c
# NSFS_MAGIC (introduced in 3.19, see cd025f7 and e149ed2 in the upstream Linux kernel)
dont_appraise fsmagic=0x6e736673
dont_measure fsmagic=0x6e736673
# SMACK_MAGIC
dont_appraise fsmagic=0x43415d53
dont_measure fsmagic=0x43415d53
# CGROUP_SUPER_MAGIC
dont_appraise fsmagic=0x27e0eb
dont_measure fsmagic=0x27e0eb
# CGROUP2_SUPER_MAGIC
dont_appraise fsmagic=0x63677270
dont_measure fsmagic=0x63677270
# EFIVARFS_MAGIC
dont_appraise fsmagic=0xde5e81e4
dont_measure fsmagic=0xde5e81e4
# Special partition, no checking done.
# dont_measure fsuuid=a11234...
# dont_appraise fsuuid=a11243...
# Special immutable group.
# appraise appraise_type=imasig func=FILE_CHECK mask=MAY_READ fgroup=200
# All executables must be signed - too strict, we need to
# allow installing executables on the device.
# appraise appraise_type=imasig func=FILE_MMAP mask=MAY_EXEC
# appraise appraise_type=imasig func=BPRM_CHECK mask=MAY_EXEC
# Default rule. Would be needed also when other rules were added that
# determine what to do in case of reading (mask=MAY_READ or
# mask=MAY_EXEC) because otherwise writing does not update the file
# hash.
appraise
measure
meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+18
View File
@@ -0,0 +1,18 @@
SUMMARY = "IMA sample hash policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
SRC_URI = " \
file://ima_policy_hashed \
"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
RDEPENDS:${PN} = "ima-evm-utils"
meta-security/meta-integrity/recipes-security/ima_policy_simple/files/ima_policy_simple
+4
View File
@@ -0,0 +1,4 @@
# Very simple policy demonstrating the systemd policy loading bug
# (policy with one line works, two lines don't).
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+16
View File
@@ -0,0 +1,16 @@
SUMMARY = "IMA sample simple policy"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
SRC_URI = " file://ima_policy_simple"
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
RDEPENDS:${PN} = "ima-evm-utils"