From: Ming Liu <liu.ming50@...> Introduce IMA_FORCE to allow the IMA policy be applied forcely even 'no_ima' boot parameter is available. This ensures the end users have a way to disable 'no_ima

From: Ming Liu <liu.ming50@...> IMA_POLICY is being referred as policy recipe name in some places and it is also being referred as policy file in other places, they are conflicting with each oth

From: Ming Liu <liu.ming50@...> This ensures when a end user change the IMA_EVM_X509 key file, ima-evm-keys recipe will be rebuilt. Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by:

From: Ming Liu <ming.liu@...> Ming Liu (3): ima-evm-keys: add file-checksums to IMA_EVM_X509 meta: drop IMA_POLICY from policy recipes initramfs-framework-ima: introduce IMA_FORCE .../initrdsc

From: Ming Liu <liu.ming50@...> Introduce IMA_FORCE to allow the IMA policy be applied forcely even 'no_ima' boot parameter is available. This ensures the end users have a way to disable 'no_ima

From: Ming Liu <liu.ming50@...> IMA_POLICY is being referred as policy recipe name in some places and it is also being referred as policy file in other places, they are conflicting with each oth

From: Ming Liu <liu.ming50@...> This ensures when a end user change the IMA_EVM_X509 key file, ima-evm-keys recipe will be rebuilt. Signed-off-by: Ming Liu <liu.ming50@...> --- meta-integr

Hi, akuster808: I saw this patch set has been merged to gatesgarth, may I ask, any plan for dunfell? I am asking because dunfell is a LTS branch and many users are building their products based on it.

From: Ming Liu <liu.ming50@...> Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- .../recipes-core/initrdscripts/initramfs-framework-ima.bb |

From: Ming Liu <ming.liu@...> Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these=20 patches applied, I could run a ima enabled image with sysvinit/systemd on qemuarm/qemuarm64 an

From: Ming Liu <liu.ming50@...> /etc/ima-policy > /etc/ima/ima-policy. Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- .../recipes-core/init

From: Ming Liu <liu.ming50@...> Create a recipe to package IMA/EMV public keys. Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- .../ima-evm-

From: Ming Liu <liu.ming50@...> Or else wic will fail without "--no-fstab-update" option. Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- me

From: Ming Liu <liu.ming50@...> 'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid sanity check for ima-evm-utils-native. Signed-off-by: Ming Liu <liu.ming50@...> Signe

From: Ming Liu <liu.ming50@...> The current logic in ima-evm-rootfs.bbclass does not guarantee ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND by appending to it, for instan

From: Ming Liu <liu.ming50@...> Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- meta-integrity/README.md | 4 +++- 1 file changed, 3 insertio

From: Ming Liu <liu.ming50@...> Otherwise, ima script would not run as intended. Signed-off-by: Ming Liu <liu.ming50@...> Signed-off-by: Armin Kuster <akuster808@...> --- .../recipes

From: Ming Liu <liu.ming50@...> This fixes following systemd boot issues: [ 7.455580] systemd[1]: Failed to create /init.scope control group: Pe= rmission denied [ 7.457677] systemd[1]: Failed t

From: Ming Liu <liu.ming50@...> This fixes following systemd boot issues: [ 7.455580] systemd[1]: Failed to create /init.scope control group: Pe= rmission denied [ 7.457677] systemd[1]: Failed t

From: Ming Liu <liu.ming50@...> Or else wic will fail without "--no-fstab-update" option. Signed-off-by: Ming Liu <liu.ming50@...> --- meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++