yocto@lists.yoctoproject.org | [meta-security][dunfell][PATCH 0/9] Some IMA/EVM fixes to dunfell branch

Ming Liu <liu.ming50@...>

From: Ming Liu <ming.liu@...>

Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these=20
patches applied, I could run a ima enabled image with sysvinit/systemd
on qemuarm/qemuarm64 and some NXP machines.

Ming Liu (9):
  ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
  initramfs-framework-ima: fix a wrong path
  ima-evm-keys: add recipe
  initramfs-framework-ima: RDEPENDS on ima-evm-keys
  meta: refactor IMA/EVM sign rootfs
  README.md: update according to the refactoring in
    ima-evm-rootfs.bbclass
  initramfs-framework-ima: let ima_enabled return 0
  ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
  ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic

 meta-integrity/README.md                      |  4 ++-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
 .../initrdscripts/initramfs-framework-ima.bb  |  2 +-
 .../initrdscripts/initramfs-framework-ima/ima |  3 +-
 .../ima-evm-keys/ima-evm-keys_1.0.bb          | 16 +++++++++
 .../ima-evm-utils/ima-evm-utils_git.bb        |  1 +
 .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
 7 files changed, 41 insertions(+), 21 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-=
keys_1.0.bb

--=20
2.29.0

Armin Kuster

#52585

series in build testing

-armin

Show quoted text

On 3/2/21 6:57 AM, liu.ming50@... wrote:
From: Ming Liu <ming.liu@...>

Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these 
patches applied, I could run a ima enabled image with sysvinit/systemd
on qemuarm/qemuarm64 and some NXP machines.

Ming Liu (9):
  ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
  initramfs-framework-ima: fix a wrong path
  ima-evm-keys: add recipe
  initramfs-framework-ima: RDEPENDS on ima-evm-keys
  meta: refactor IMA/EVM sign rootfs
  README.md: update according to the refactoring in
    ima-evm-rootfs.bbclass
  initramfs-framework-ima: let ima_enabled return 0
  ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
  ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic

 meta-integrity/README.md                      |  4 ++-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
 .../initrdscripts/initramfs-framework-ima.bb  |  2 +-
 .../initrdscripts/initramfs-framework-ima/ima |  3 +-
 .../ima-evm-keys/ima-evm-keys_1.0.bb          | 16 +++++++++
 .../ima-evm-utils/ima-evm-utils_git.bb        |  1 +
 .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
 7 files changed, 41 insertions(+), 21 deletions(-)
 create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb

Ming Liu <liu.ming50@...>

#52643

Hi, akuster808:

I saw this patch set has been merged to gatesgarth, may I ask, any plan for dunfell? I am asking because dunfell is a LTS branch and many users are building their products based on it. Thanks!

the best,

thank you

Show quoted text

series in build testing

-armin

On 3/2/21 6:57 AM, liu.ming50@... wrote:
> From: Ming Liu <ming.liu@...>
>
> Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
> patches applied, I could run a ima enabled image with sysvinit/systemd
> on qemuarm/qemuarm64 and some NXP machines.
>
> Ming Liu (9):
> ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
> initramfs-framework-ima: fix a wrong path
> ima-evm-keys: add recipe
> initramfs-framework-ima: RDEPENDS on ima-evm-keys
> meta: refactor IMA/EVM sign rootfs
> README.md: update according to the refactoring in
> ima-evm-rootfs.bbclass
> initramfs-framework-ima: let ima_enabled return 0
> ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
> ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
>
> meta-integrity/README.md | 4 ++-
> meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
> .../initrdscripts/initramfs-framework-ima.bb | 2 +-
> .../initrdscripts/initramfs-framework-ima/ima | 3 +-
> .../ima-evm-keys/ima-evm-keys_1.0.bb | 16 +++++++++
> .../ima-evm-utils/ima-evm-utils_git.bb | 1 +
> .../ima_policy_hashed/files/ima_policy_hashed | 3 ++
> 7 files changed, 41 insertions(+), 21 deletions(-)
> create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
>

Armin Kuster

#52648

On 3/10/21 2:31 AM, Ming Liu wrote:
Hi, akuster808:

I saw this patch set has been merged to gatesgarth, may I ask, any
plan for dunfell? I am asking because dunfell is a LTS branch and many
users are building their products based on it. Thanks!that are being built current. I can on build on branch at a time and it
takes time to do each.  Things are looking good so I suspect they
changes will land in the next day or so.

-armin

the best,
thank you

    series in build testing

    -armin

    On 3/2/21 6:57 AM, liu.ming50@...
    <mailto:liu.ming50@...> wrote:
    > From: Ming Liu <ming.liu@... <mailto:ming.liu@...>>
    >
    > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
    > patches applied, I could run a ima enabled image with
    sysvinit/systemd
    > on qemuarm/qemuarm64 and some NXP machines.
    >
    > Ming Liu (9):
    >   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
    >   initramfs-framework-ima: fix a wrong path
    >   ima-evm-keys: add recipe
    >   initramfs-framework-ima: RDEPENDS on ima-evm-keys
    >   meta: refactor IMA/EVM sign rootfs
    >   README.md: update according to the refactoring in
    >     ima-evm-rootfs.bbclass
    >   initramfs-framework-ima: let ima_enabled return 0
    >   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
    >   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
    >
    >  meta-integrity/README.md                      |  4 ++-
    >  meta-integrity/classes/ima-evm-rootfs.bbclass | 33
    +++++++++----------
    >  .../initrdscripts/initramfs-framework-ima.bb
    <http://initramfs-framework-ima.bb>  |  2 +-
    >  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
    >  .../ima-evm-keys/ima-evm-keys_1.0.bb
    <http://ima-evm-keys_1.0.bb>          | 16 +++++++++
    >  .../ima-evm-utils/ima-evm-utils_git.bb
    <http://ima-evm-utils_git.bb>        |  1 +
    >  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
    >  7 files changed, 41 insertions(+), 21 deletions(-)
    >  create mode 100644
    meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
    <http://ima-evm-keys_1.0.bb>
    >

Armin Kuster

#52671

merged.

thanks.

Show quoted text

On 3/10/21 2:31 AM, Ming Liu wrote:
Hi, akuster808:

I saw this patch set has been merged to gatesgarth, may I ask, any
plan for dunfell? I am asking because dunfell is a LTS branch and many
users are building their products based on it. Thanks!

the best,
thank you

    series in build testing

    -armin

    On 3/2/21 6:57 AM, liu.ming50@...
    <mailto:liu.ming50@...> wrote:
    > From: Ming Liu <ming.liu@... <mailto:ming.liu@...>>
    >
    > Cherry pick some IMA/EVM fixes to LTS dunfell branch, with these
    > patches applied, I could run a ima enabled image with
    sysvinit/systemd
    > on qemuarm/qemuarm64 and some NXP machines.
    >
    > Ming Liu (9):
    >   ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
    >   initramfs-framework-ima: fix a wrong path
    >   ima-evm-keys: add recipe
    >   initramfs-framework-ima: RDEPENDS on ima-evm-keys
    >   meta: refactor IMA/EVM sign rootfs
    >   README.md: update according to the refactoring in
    >     ima-evm-rootfs.bbclass
    >   initramfs-framework-ima: let ima_enabled return 0
    >   ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
    >   ima-policy-hashed: add CGROUP2_SUPER_MAGIC fsmagic
    >
    >  meta-integrity/README.md                      |  4 ++-
    >  meta-integrity/classes/ima-evm-rootfs.bbclass | 33
    +++++++++----------
    >  .../initrdscripts/initramfs-framework-ima.bb
    <http://initramfs-framework-ima.bb>  |  2 +-
    >  .../initrdscripts/initramfs-framework-ima/ima |  3 +-
    >  .../ima-evm-keys/ima-evm-keys_1.0.bb
    <http://ima-evm-keys_1.0.bb>          | 16 +++++++++
    >  .../ima-evm-utils/ima-evm-utils_git.bb
    <http://ima-evm-utils_git.bb>        |  1 +
    >  .../ima_policy_hashed/files/ima_policy_hashed |  3 ++
    >  7 files changed, 41 insertions(+), 21 deletions(-)
    >  create mode 100644
    meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
    <http://ima-evm-keys_1.0.bb>
    >