Initial commit

meta-security/recipes-core/images/dm-verity-image-initramfs.bb

@@ -0,0 +1,34 @@
+DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
+
+inherit core-image
+
+PACKAGE_INSTALL = " \
+    base-files \
+    base-passwd \
+    busybox \
+    cryptsetup \
+    initramfs-module-dmverity \
+    initramfs-module-udev \
+    lvm2-udevrules \
+    udev \
+    util-linux-mount \
+"
+
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
+# Can we somehow inspect reverse dependencies to avoid these variables?
+do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_image[nostamp] = "1"
+
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+
+deploy_verity_hash() {
+    install -D -m 0644 \
+        ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+        ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
+}
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"

meta-security/recipes-core/images/security-build-image.bb

@@ -0,0 +1,20 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
+    packagegroup-base \
+    packagegroup-core-boot \
+    packagegroup-core-security \
+    os-release" 
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-build-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"

meta-security/recipes-core/images/security-client-image.bb

@@ -0,0 +1,16 @@
+DESCRIPTION = "A Client side Security example"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    os-release \
+    samhain-client \
+    ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-client-image"

meta-security/recipes-core/images/security-server-image.bb

@@ -0,0 +1,19 @@
+DESCRIPTION = "A Serve side image for Security example "
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    samhain-server \
+    os-release "
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-server-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"

meta-security/recipes-core/images/security-test-image.bb

@@ -0,0 +1,27 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+require security-build-image.bb
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL:append = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
+
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
+
+PTEST_EXPECT_FAILURE = "1"

meta-security/recipes-core/initrdscripts/initramfs-framework-dm/dmverity

@@ -0,0 +1,93 @@
+#!/bin/sh
+
+dmverity_enabled() {
+    return 0
+}
+
+dmverity_run() {
+    DATA_SIZE="__not_set__"
+    DATA_BLOCK_SIZE="__not_set__"
+    ROOT_HASH="__not_set__"
+    SEPARATE_HASH="__not_set__"
+
+    . /usr/share/misc/dm-verity.env
+
+    C=0
+    delay=${bootparam_rootdelay:-1}
+    timeout=${bootparam_roottimeout:-5}
+
+    # we know exactly what we are looking for; don't need the wide hunt below
+    if [ "${SEPARATE_HASH}" -eq "1" ]; then
+        while [ ! -b "/dev/disk/by-partuuid/${ROOT_UUID}" ]; do
+            if [ $(( $C * $delay )) -gt $timeout ]; then
+                fatal "Root device (data) resolution failed"
+                exit 1
+            fi
+            debug "Sleeping for $delay second(s) to wait for root data to settle..."
+            sleep $delay
+            C=$(( $C + 1 ))
+        done
+
+        veritysetup \
+            --data-block-size=${DATA_BLOCK_SIZE} \
+            create rootfs \
+            /dev/disk/by-partuuid/${ROOT_UUID} \
+            /dev/disk/by-partuuid/${RHASH_UUID} \
+            ${ROOT_HASH}
+
+            mount \
+                 -o ro \
+                /dev/mapper/rootfs \
+                ${ROOTFS_DIR} || exit 2
+
+	    return
+    fi
+
+    RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
+    while [ ! -b "${RDEV}" ]; do
+        if [ $(( $C * $delay )) -gt $timeout ]; then
+            fatal "Root device resolution failed"
+            exit 1
+        fi
+
+        case "${bootparam_root}" in
+            ID=*)
+                RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=} 2>/dev/null)"
+                ;;
+            LABEL=*)
+                RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=} 2>/dev/null)"
+                ;;
+            PARTLABEL=*)
+                RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=} 2>/dev/null)"
+                ;;
+            PARTUUID=*)
+                RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=} 2>/dev/null)"
+                ;;
+            PATH=*)
+                RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=} 2>/dev/null)"
+                ;;
+            UUID=*)
+                RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=} 2>/dev/null)"
+                ;;
+            *)
+                RDEV="${bootparam_root}"
+        esac
+        debug "Sleeping for $delay second(s) to wait root to settle..."
+        sleep $delay
+        C=$(( $C + 1 ))
+
+    done
+
+    veritysetup \
+        --data-block-size=${DATA_BLOCK_SIZE} \
+        --hash-offset=${DATA_SIZE} \
+        create rootfs \
+        ${RDEV} \
+        ${RDEV} \
+        ${ROOT_HASH}
+
+    mount \
+        -o ro \
+        /dev/mapper/rootfs \
+        ${ROOTFS_DIR} || exit 2
+}

meta-security/recipes-core/initrdscripts/initramfs-framework.inc

@@ -0,0 +1,16 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/initramfs-framework-dm:"
+
+SRC_URI:append = "\
+    file://dmverity \
+"
+
+do_install:append() {
+    # dm-verity
+    install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity
+}
+
+PACKAGES:append = " initramfs-module-dmverity"
+
+SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"
+RDEPENDS:initramfs-module-dmverity = "${PN}-base"
+FILES:initramfs-module-dmverity = "/init.d/80-dmverity"

meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend

@@ -0,0 +1 @@
+require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}

meta-security/recipes-core/packagegroup/packagegroup-core-security.bb

@@ -0,0 +1,117 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+    packagegroup-core-security \
+    packagegroup-security-utils \
+    packagegroup-security-scanners \
+    packagegroup-security-audit \
+    packagegroup-security-ids  \
+    packagegroup-security-mac  \
+    packagegroup-security-compliance  \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
+    "
+
+RDEPENDS:packagegroup-core-security = "\
+    packagegroup-security-utils \
+    packagegroup-security-scanners \
+    packagegroup-security-audit \
+    packagegroup-security-ids  \
+    packagegroup-security-mac  \
+    packagegroup-security-compliance  \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
+    "
+
+SUMMARY:packagegroup-security-utils = "Security utilities"
+RDEPENDS:packagegroup-security-utils = "\
+    bubblewrap \
+    checksec \
+    cryptmount \
+    ding-libs \
+    ecryptfs-utils \
+    fscryptctl \
+    glome \
+    keyutils \
+    nmap \
+    pinentry \
+    softhsm \
+    sshguard \
+    firejail \
+    ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
+    "
+
+have_krill =  "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
+RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86-64 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:aarch64 = " ${have_krill}"
+RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail"
+RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill"
+
+SUMMARY:packagegroup-security-scanners = "Security scanners"
+RDEPENDS:packagegroup-security-scanners = "\
+    ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
+    chkrootkit \
+    isic \
+    ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \
+    "
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam"
+RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "arpwatch"
+
+SUMMARY:packagegroup-security-audit = "Security Audit tools "
+RDEPENDS:packagegroup-security-audit = " \
+    buck-security \
+    redhat-security \
+    "
+
+SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
+RDEPENDS:packagegroup-security-ids = " \
+    samhain-standalone \
+    suricata \
+    ossec-hids \
+    aide \
+    "
+
+RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids"
+
+SUMMARY:packagegroup-security-mac = "Security Mandatory Access Control systems"
+RDEPENDS:packagegroup-security-mac = " \
+    ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
+    "
+
+RDEPENDS:packagegroup-security-mac:remove:mipsarch = "apparmor"
+
+SUMMARY:packagegroup-security-compliance = "Security Compliance applications"
+RDEPENDS:packagegroup-security-compliance = " \
+    lynis \
+    openscap \
+    scap-security-guide \
+    os-release \
+    "
+
+RDEPENDS:packagegroup-security-compliance:remove:libc-musl = "openscap scap-security-guide"
+
+RDEPENDS:packagegroup-meta-security-ptest-packages = "\
+    ptest-runner \
+    samhain-standalone-ptest \
+    ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+"
+
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64le = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:powerpc64 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv32 = "suricata-ptest"
+RDEPENDS:packagegroup-security-ptest-packages:remove:riscv64 = "suricata-ptest"