This reverts commit f4f7624d2e50e19249e7a2a3798c1120e5183424. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc

This reverts commit 292b49342cb47da59525a44227598cf136311e1b. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc

This reverts commit 76f1f539a678725211283294c8b6735186055694. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc

This reverts commit b9abf0e09bfea8f08cc7f2d68998f014abba5b3b. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc

This reverts commit 319522e00dfd23c78cbe28ab26b87e08a8f46993. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc

Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue wi

Drop the kernel config option CONFIG_SQUASHFS_XATTR=y from ima.cfg. Instead, require projects that use squashfs to set this option. Signed-off-by: Stefan Berger <stefanb@...> --- meta-integrity/recipe

Revert the patch resolving a file change notitfication issue (for IMA appraisal) since this patch fails in 'many downstream kernels'. - https://lists.yoctoproject.org/g/yocto/message/59928 - https://l

From: Peter Hoyes <Peter.Hoyes@...> Runtime validation is currently failing on qemu-cortex-a9 for undiagnosed reasons. Disable testimage on this machine for now until it has been fixed. Signed-off-by:

From: Peter Hoyes <Peter.Hoyes@...> Signed-off-by: Peter Hoyes <Peter.Hoyes@...> --- ci/base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/base.yml b/ci/base.yml index 70ada

Current Dev Position: YP 4.3 M1 Next Deadline: 5th June 2023 YP 4.3 M1 build date Next Team Meetings: Bug Triage meeting Thursday May 11th 7:30 am PDT (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0

Fix the IMA kernel feature. Remove outdated patches and add ima.cfg holding kernel configuration options for IMA and EVM. Signed-off-by: Stefan Berger <stefanb@...> --- meta-integrity/classes/ima-evm-

Fix the ima_policy_appraise_all policy to appraise all executables and libraries. Also update the list of files that are not appraised to not appraise cgroup related files. Signed-off-by: Stefan Berge

Signed-off-by: Stefan Berger <stefanb@...> --- meta-integrity/classes/ima-evm-rootfs.bbclass | 25 +++++++++++++++---- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/meta-integrity/class

Add a temporary patch that resolves a file change notification issue with overlayfs where IMA did not become aware of the file changes since the 'lower' inode's i_version had not changed. The issue wi

Signed-off-by: Stefan Berger <stefanb@...> --- ...ation-using-ioctl-when-evm_portable-.patch | 35 +++++++++++++++++++ ...-evm-utils_1.4.bb => ima-evm-utils_1.5.bb} | 9 +++-- 2 files changed, 42 insert

The IMA policy will be specified using the IMA_EVM_POLICY variable since systemd will not be involved in loading the policy but the init script will load it. Signed-off-by: Stefan Berger <stefanb@...>

Update the README describing how IMA support can be used. Signed-off-by: Stefan Berger <stefanb@...> --- meta-integrity/README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletion

This series of patches fixes the current support for IMA and EVM by removing outdated patches for example and adding kernel config options. I have tried out these patches with OpenBMC where the apprai

For shorted file signatures use EC keys rather than RSA keys. Document the debug keys and their purpose. Adapt the scripts for creating these types of keys to now create EC keys. Signed-off-by: Stefan