Initial commit

meta-security/recipes-core/images/dm-verity-image-initramfs.bb

@@ -0,0 +1,34 @@
+DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
+
+inherit core-image
+
+PACKAGE_INSTALL = " \
+    base-files \
+    base-passwd \
+    busybox \
+    cryptsetup \
+    initramfs-module-dmverity \
+    initramfs-module-udev \
+    lvm2-udevrules \
+    udev \
+    util-linux-mount \
+"
+
+# We want a clean, minimal image.
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+
+# Can we somehow inspect reverse dependencies to avoid these variables?
+do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"
+
+# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
+do_image[nostamp] = "1"
+
+IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+
+deploy_verity_hash() {
+    install -D -m 0644 \
+        ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
+        ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
+}
+IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;"

meta-security/recipes-core/images/security-build-image.bb

@@ -0,0 +1,20 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
+    packagegroup-base \
+    packagegroup-core-boot \
+    packagegroup-core-security \
+    os-release" 
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-build-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"

meta-security/recipes-core/images/security-client-image.bb

@@ -0,0 +1,16 @@
+DESCRIPTION = "A Client side Security example"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    os-release \
+    samhain-client \
+    ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-client-image"

meta-security/recipes-core/images/security-server-image.bb

@@ -0,0 +1,19 @@
+DESCRIPTION = "A Serve side image for Security example "
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    samhain-server \
+    os-release "
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-server-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"

meta-security/recipes-core/images/security-test-image.bb

@@ -0,0 +1,27 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+require security-build-image.bb
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL:append = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_OVERHEAD_FACTOR = "1.0"
+IMAGE_ROOTFS_EXTRA_SPACE = "1124288"
+
+# ptests need more memory than standard to avoid the OOM killer
+# also lttng-tools needs /tmp that has at least 1G
+QB_MEM = "-m 2048"
+
+PTEST_EXPECT_FAILURE = "1"