From patchwork Tue May 9 18:56:24 2023
X-Patchwork-Submitter: Jose Quaresma
X-Patchwork-Id: 23749
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
Date: Tue, 9 May 2023 18:56:24 +0000
Message-Id: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59946

This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.

The full patchset is overriding the do_configure task and also added a
kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and
this file is included in every recipe that follows the pattern starting
with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails
in some recipes, and the do_configure task also doesn't make sense.

This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma
---
 ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
 ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} | 9 ++---
 2 files changed, 2 insertions(+), 42 deletions(-)
 delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
 rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
deleted file mode 100644
index 3624576..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Tue, 18 Apr 2023 11:43:55 -0400 -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true - -If a signatures is detected as being portable do not attempt to read the -generation with the ioctl since in some cases this may not be supported -by the filesystem and is also not needed for computing a portable -signature. - -This avoids the current work-around of passing --generation 0 when the -ioctl is not supported by the filesystem. - -Signed-off-by: Stefan Berger ---- - src/evmctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index 6d2bb67..c35a28c 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - if (mode_str) - st.st_mode = strtoul(mode_str, NULL, 10); - -- if (!evm_immutable) { -+ if (!evm_immutable && !evm_portable) { - if (S_ISREG(st.st_mode) && !generation_str) { - int fd = open(file, 0); - ---- -2.39.2 - - diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb similarity index 71% rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb index 8ac080c..873aeeb 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb 
@@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:" - -SRC_URI = " \ - https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \ - file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \ -" -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d" +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" inherit pkgconfig autotools features_check
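Review bot: The revert rationale does not match this recipe hunk: the do_configure override and the kernel patch in linux_ima.inc that the commit message cites belong to the linux recipe, not to ima-evm-utils, so the downgrade from 1.5 to 1.4 (and the move of SRC_URI back from github to sourceforge with the matching sha256sum) needs its own justification. The downgrade also gives something up: the deleted 0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch made evmctl skip the generation ioctl for --portable signatures, so with 1.4 signing a rootfs on a filesystem that does not support that ioctl again needs the --generation 0 workaround the deleted patch describes. If the breakage is only on the kernel side, consider keeping this recipe at 1.5 and reverting 2/8 alone.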
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 2/8] Revert "linux: overlayfs: Add kernel patch resolving a file change notification issue"
Date: Tue, 9 May 2023 18:56:25 +0000
Message-Id: <20230509185631.3182570-2-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
References: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59947

This reverts commit 319522e00dfd23c78cbe28ab26b87e08a8f46993.

The full patchset is overriding the do_configure task and also added a
kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and
this file is included in every recipe that follows the pattern starting
with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails
in some recipes, and the do_configure task also doesn't make sense.

This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma
---
 ...Increment-iversion-upon-file-changes.patch | 42 -------------------
 .../recipes-kernel/linux/linux_ima.inc | 1 -
 2 files changed, 43 deletions(-)
 delete mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch

diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
deleted file mode 100644
index d2b5c28..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/0001-ovl-Increment-iversion-upon-file-changes.patch
+++ /dev/null
@@ -1,42 +0,0 @@ -From e9ed62e8d1d3eee7ffe862d9812c5320d3b9bd88 Mon Sep 17 00:00:00 2001 -From: Stefan Berger -Date: Thu, 6 Apr 2023 11:27:29 -0400 -Subject: [PATCH] ovl: Increment iversion upon file changes - -This is a temporary patch for kernels that do not implement -STATX_CHANGE_COOKIE (<= 6.2). The successor patch will be this one: - -https://lore.kernel.org/linux-integrity/20230418-engste-gastwirtschaft-601fb389bba5@brauner/T/#m3bf84296fe9e6499abb6e3191693948add2ff459 - -Increment the lower inode's iversion for IMA to be able to recognize -changes to the file. - -Signed-off-by: Stefan Berger ---- - fs/overlayfs/file.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c -index 6011f955436b..1dfe5e7bfe1c 100644 ---- a/fs/overlayfs/file.c -+++ b/fs/overlayfs/file.c -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - #include "overlayfs.h" - - struct ovl_aio_req { -@@ -408,6 +409,8 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) - if (ret != -EIOCBQUEUED) - ovl_aio_cleanup_handler(aio_req); - } -+ if (ret > 0) -+ inode_maybe_inc_iversion(inode, false); - out: - revert_creds(old_cred); - out_fdput: --- -2.34.1 - diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 9d48e5c..0b6f530 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -2,7 +2,6 @@ FILESEXTRAPATHS:append := "${THISDIR}/linux:" SRC_URI += " \ ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ - file://0001-ovl-Increment-iversion-upon-file-changes.patch \ " do_configure() {
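Review bot: Dropping 0001-ovl-Increment-iversion-upon-file-changes.patch in the deleted-file hunk reintroduces the condition it was written for: on kernels without STATX_CHANGE_COOKIE (<= 6.2 per the patch description) the lower inode's iversion is not incremented on writes through overlayfs, so IMA cannot recognise that a file changed and may keep a stale measurement or appraisal result. The build breakage justifies the revert, but the commit message should state that IMA on overlayfs with those kernels is unfixed again and point at the upstream successor linked in the deleted patch, so integrators on older kernels know to carry the fix in their own kernel bbappend.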
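Review bot: Removing the file:// entry from SRC_URI in the linux_ima.inc hunk fixes the symptom, but the underlying problem is structural: this include is pulled in by linux-%.bbappend, so any patch listed here is applied to every recipe whose name starts with linux-, including linux-firmware, which has no fs/overlayfs/file.c and fails at do_patch. If the overlayfs patch is reinstated, add it under a condition that only holds for kernel recipes (for instance from a bbappend scoped to the actual kernel recipe) rather than unconditionally in this include; the same caveat applies to the do_configure() override that begins right after this hunk.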
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 3/8] Revert "integrity: Update the README for IMA support"
Date: Tue, 9 May 2023 18:56:26 +0000
Message-Id: <20230509185631.3182570-3-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
References: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59948

This reverts commit b9abf0e09bfea8f08cc7f2d68998f014abba5b3b.

The full patchset is overriding the do_configure task and also added a
kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and
this file is included in every recipe that follows the pattern starting
with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails
in some recipes, and the do_configure task also doesn't make sense.

This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma
---
 meta-integrity/README.md | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 1a37280..816b40d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -76,7 +76,7 @@ other layers needed. e.g.: It has some dependencies on a suitable BSP; in particular the kernel must have a recent enough IMA/EVM subsystem. The layer was tested with -Linux 6.1 and uses some features (like loading X509 certificates +Linux 3.19 and uses some features (like loading X509 certificates directly from the kernel) which were added in that release. Your mileage may vary with older kernels.
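Review bot: The @@ -76 hunk restores the statement that the layer was tested with Linux 3.19. Since the README change being reverted was the only place documenting a recent test (Linux 6.1), this leaves readers with a very old baseline for judging whether their BSP kernel's IMA/EVM support is sufficient; consider keeping the "Linux 6.1" line even if the rest of the README revert goes in, or replacing it with the oldest kernel the layer is actually exercised on.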
@@ -89,17 +89,10 @@ Adding the layer only enables IMA (see below regarding EVM) during compilation of the Linux kernel. To also activate it when building the image, enable image signing in the local.conf like this: - DISTRO_FEATURES:append = " integrity ima" - IMAGE_CLASSES += "ima-evm-rootfs" - IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" - IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" - - # The following policy enforces IMA & EVM signatures - IMA_EVM_POLICY = "${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all" This uses the default keys provided in the "data" directory of the layer. Because everyone has access to these private keys, such an image @@ -120,7 +113,10 @@ for that are included in the layer. This is also how the cd $IMA_EVM_KEY_DIR # In that shell, create the keys. Several options exist: - # 1. Keys signed by a new CA. + # 1. Self-signed keys. + $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh + + # 2. Keys signed by a new CA. # When asked for a PEM passphrase, that will be for the root CA. # Signing images then will not require entering that passphrase, # only creating new certificates does. Most likely the default 
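Review bot: In the @@ -89 hunk the local.conf example loses the DISTRO_FEATURES:append = " integrity ima", IMAGE_CLASSES += "ima-evm-rootfs" and IMA_EVM_ROOT_CA lines, so the snippet now only sets key paths while the sentence before it still promises to show how to "enable image signing in the local.conf like this"; a reader following it will neither switch signing on nor see where the CA certificate the kernel must trust comes from. Dropping the IMA_EVM_POLICY line likewise removes the only hint that a policy enforcing appraisal must be installed for the signatures to have any effect. These documentation lines do not depend on the kernel patch and could be restored in a follow-up.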
@@ -129,11 +125,13 @@ for that are included in the layer. This is also how the # $INTEGRITY_BASE/scripts/ima-gen-local-ca.sh # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh - # 2. Keys signed by an existing CA. + # 3. Keys signed by an existing CA. # $INTEGRITY_BASE/scripts/ima-gen-CA-signed.sh exit -The ``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA +When using ``ima-self-signed.sh`` as described above, self-signed keys +are created. Alternatively, one can also use keys signed by a CA. The +``ima-gen-local-ca.sh`` and ``ima-gen.sh`` scripts create a root CA and sign the signing keys with it. The ``ima-evm-rootfs.bbclass`` then supports adding tha CA's public key to the kernel's system keyring by compiling it directly into the kernel. Because it is unknown whether
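Review bot: The restored prose in the @@ -129 hunk refers to ``ima-self-signed.sh``, while the command shown in the @@ -120 hunk above is $INTEGRITY_BASE/scripts/ima-gen-self-signed.sh; one of the two names is wrong and the README should use the script's real name in both places. The unchanged context also carries the typo "tha CA's public key" (should be "the"), which could be fixed while this text is being touched.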
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 4/8] Revert "ima: Sign all executables and the ima-policy in the root filesystem"
Date: Tue, 9 May 2023 18:56:27 +0000
Message-Id: <20230509185631.3182570-4-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
References: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59949

This reverts commit 76f1f539a678725211283294c8b6735186055694.

The full patchset is overriding the do_configure task and also added a
kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and
this file is included in every recipe that follows the pattern starting
with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails
in some recipes, and the do_configure task also doesn't make sense.

This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma
---
 meta-integrity/classes/ima-evm-rootfs.bbclass | 25 ++++---------------
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 98c4bc1..6902d69 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -62,32 +62,17 @@ ima_evm_sign_rootfs () { perl -pi -e 's;(\S+)(\s+)(${@"|".join((d.getVar("IMA_EVM_ROOTFS_IVERSION", True) or "no-such-mount-point").split())})(\s+)(\S+)(\s+)(\S+);\1\2\3\4\5\6\7,iversion;; s/(,iversion)+/,iversion/;' etc/fstab fi - # Detect 32bit target to pass --m32 to evmctl by looking at libc - tmp="$(file "${IMAGE_ROOTFS}/lib/libc.so.6" | grep -o 'ELF .*-bit')" - if [ "${tmp}" = "ELF 32-bit" ]; then - evmctl_param="--m32" - elif [ "${tmp}" = "ELF 64-bit" ]; then - evmctl_param="" - else - bberror "Unknown target architecture bitness: '${tmp}'" >&2 - exit 1 - fi - - bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" - evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}" - - # check signing key and signature verification key - evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 - evmctl verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 + # Sign file with private IMA key. EVM not supported at the moment. + bbnote "IMA/EVM: signing files 'find ${IMA_EVM_ROOTFS_SIGNED}' with private key '${IMA_EVM_PRIVKEY}'" + find ${IMA_EVM_ROOTFS_SIGNED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_sign --key ${IMA_EVM_PRIVKEY} + bbnote "IMA/EVM: hashing files 'find ${IMA_EVM_ROOTFS_HASHED}'" + find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash # Optionally install custom policy for loading by systemd. 
if [ "${IMA_EVM_POLICY}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy - - bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}" - evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" fi }
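Review bot: The restored evmctl ima_sign path in this hunk is weaker than what it replaces on three points that the commit message should spell out. First, the removed build-time check (evmctl ima_verify and evmctl verify against ${IMA_EVM_X509} on lib/libc.so.6) is gone, so a mismatch between IMA_EVM_PRIVKEY and IMA_EVM_X509 is no longer caught while building the image but only on the target, when appraisal starts failing. Second, the hash algorithm is no longer pinned with -a sha256, so the signature digest now depends on the default of whichever evmctl version is in use. Third, the policy installed at ./${sysconfdir}/ima/ima-policy is left unsigned, so a kernel policy that appraises POLICY_CHECK will refuse to load it. As the new comment says, only security.ima is written now, so files also lose the EVM protection of their metadata.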
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY"
Date: Tue, 9 May 2023 18:56:28 +0000
Message-Id: <20230509185631.3182570-5-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
References: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59950

This reverts commit 292b49342cb47da59525a44227598cf136311e1b.

The full patchset is overriding the do_configure task and also added a
kernel patch in meta-integrity/recipes-kernel/linux/linux_ima.inc, and
this file is included in every recipe that follows the pattern starting
with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails
in some recipes, and the do_configure task also doesn't make sense.

This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma
---
 meta-integrity/README.md | 2 +-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 816b40d..eae1c57 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@ IMA policy loading became broken in systemd 2.18. The modified systemd changes. To activate policy loading via systemd, place a policy file in `/etc/ima/ima-policy`, for example with: - IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple" + IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple" To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 6902d69..3cb0d07 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass 
@@ -69,10 +69,10 @@ ima_evm_sign_rootfs () { find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash # Optionally install custom policy for loading by systemd. - if [ "${IMA_EVM_POLICY}" ]; then + if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then install -d ./${sysconfdir}/ima rm -f ./${sysconfdir}/ima/ima-policy - install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy + install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy fi } From patchwork Tue May 9 18:56:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jose Quaresma X-Patchwork-Id: 23752 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5530C7EE24 for ; Tue, 9 May 2023 18:57:24 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.web11.41729.1683658642339061280 for ; Tue, 09 May 2023 11:57:22 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@gmail.com header.s=20221208 header.b=gG440C7h; spf=pass (domain: gmail.com, ip: 209.85.128.49, mailfrom: quaresma.jose@gmail.com) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-3f4271185daso24208435e9.2 for ; Tue, 09 May 2023 11:57:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683658640; x=1686250640; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=SJARBWLcGPmg62MUapt0k3CJXvej6f/6aZju3W+pZac=; b=gG440C7hDZ2Zs6zG37jr2iKRHJfwj8O95dXhSUQx+CD3bjmr0DS8FlRs3w7Au1Klww dx9BcYtNAwa0rw3VqyKa9o0ura4L3I3loPXlheowyDvyr+rZ+oQ3gMC50qpS6wqLyMCQ 
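Review bot: the `if [ "${IMA_EVM_POLICY_SYSTEMD}" ]` test in this hunk silently skips the install when a user has set the previously documented IMA_EVM_POLICY instead, so the image ends up without /etc/ima/ima-policy and nothing in the build log says why. A small guard before the test, such as `if [ -n "${IMA_EVM_POLICY}" ]; then bbwarn "IMA_EVM_POLICY is ignored, use IMA_EVM_POLICY_SYSTEMD"; fi`, makes the renamed variable fail loudly instead of quietly dropping the policy.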
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 6/8] Revert "ima: Fix the IMA kernel feature"
Date: Tue, 9 May 2023 18:56:29 +0000
Message-Id: <20230509185631.3182570-6-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59951

This reverts commit f4f7624d2e50e19249e7a2a3798c1120e5183424.

The full patchset is overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails in some recipes, and the do_configure task also doesn't make sense there. This breaks many recipes like linux-firmware and maybe others.
Signed-off-by: Jose Quaresma --- meta-integrity/classes/ima-evm-rootfs.bbclass | 5 +- .../0001-ima-fix-ima_inode_post_setattr.patch | 51 +++++++ ...for-creating-files-using-the-mknodat.patch | 138 ++++++++++++++++++ ...-file-hash-setting-by-user-to-fix-an.patch | 60 ++++++++ .../recipes-kernel/linux/linux/ima.cfg | 46 ------ .../recipes-kernel/linux/linux/ima.scc | 4 - .../recipes-kernel/linux/linux_ima.inc | 10 +- 7 files changed, 251 insertions(+), 63 deletions(-) create mode 100644 meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch create mode 100644 meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass index 3cb0d07..57de2f6 100644 --- a/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -17,7 +17,7 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" # with a .x509 suffix. See linux-%.bbappend for details. # # ima-local-ca.x509 is what ima-gen-local-ca.sh creates. -IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" +IMA_EVM_ROOT_CA ?= "" # Sign all regular files by default. IMA_EVM_ROOTFS_SIGNED ?= ". -type f" @@ -31,9 +31,6 @@ IMA_EVM_ROOTFS_IVERSION ?= "" # Avoid re-generating fstab when ima is enabled. WIC_CREATE_EXTRA_ARGS:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' --no-fstab-update', '', d)}" -# Add necessary tools (e.g., keyctl) to image -IMAGE_INSTALL:append = "${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima-evm-utils', '', d)}" - ima_evm_sign_rootfs () { cd ${IMAGE_ROOTFS} 
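Review bot: the two bbclass hunks here, setting `IMA_EVM_ROOT_CA ?= ""` and dropping the `IMAGE_INSTALL:append` of ima-evm-utils, are unrelated to the do_configure and kernel-patch breakage the commit message gives as the reason, and both are user-visible: the comment block kept above the first hunk still says ima-local-ca.x509 is what ima-gen-local-ca.sh creates while the default now names no CA at all, and images built with the ima DISTRO_FEATURE lose ima-evm-utils (evmctl and, per the removed comment, keyctl). If only the kernel-side changes need reverting, leave these two hunks out, or say in the message why the default CA and the tooling have to go as well.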
diff --git a/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch new file mode 100644 index 0000000..64016dd --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0001-ima-fix-ima_inode_post_setattr.patch 
@@ -0,0 +1,51 @@ +From 45ea681ebc0dd44aaec5d3cc4143b9722070d3ac Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Tue, 8 Mar 2016 16:43:55 -0500 +Subject: [PATCH] ima: fix ima_inode_post_setattr + +Changing file metadata (eg. uid, guid) could result in having to +re-appraise a file's integrity, but does not change the "new file" +status nor the security.ima xattr. The IMA_PERMIT_DIRECTIO and +IMA_DIGSIG_REQUIRED flags are policy rule specific. This patch +only resets these flags, not the IMA_NEW_FILE or IMA_DIGSIG flags. + +With this patch, changing the file timestamp will not remove the +file signature on new files. + +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=42a4c603198f0d45b7aa936d3ac6ba1b8bd14a1b] + +Reported-by: Dmitry Rozhkov +Signed-off-by: Mimi Zohar +--- + security/integrity/ima/ima_appraise.c | 2 +- + security/integrity/integrity.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..a384ba1 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -327,7 +327,7 @@ void ima_inode_post_setattr(struct dentry *dentry) + if (iint) { + iint->flags &= ~(IMA_APPRAISE | IMA_APPRAISED | + IMA_APPRAISE_SUBMASK | IMA_APPRAISED_SUBMASK | +- IMA_ACTION_FLAGS); ++ IMA_ACTION_RULE_FLAGS); + if (must_appraise) + iint->flags |= IMA_APPRAISE; + } +diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h +index 0fc9519..f9decae 100644 +--- a/security/integrity/integrity.h ++++ b/security/integrity/integrity.h +@@ -28,6 +28,7 @@ + + /* iint cache flags */ + #define IMA_ACTION_FLAGS 0xff000000 ++#define IMA_ACTION_RULE_FLAGS 0x06000000 + #define IMA_DIGSIG 0x01000000 + #define IMA_DIGSIG_REQUIRED 0x02000000 + #define IMA_PERMIT_DIRECTIO 0x04000000 +-- +2.5.0 + 
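Review bot: this file (and the 0002 mknodat patch that follows it) re-adds a 2016 kernel patch whose own header says Upstream-Status: Accepted and links the mainline commit, so on any kernel built from the last several years it is either already present or will fail to apply. Nothing in this revert's linux_ima.inc hunk adds the files to SRC_URI either, so unless linux-%.bbappend or another file references them they are dead weight in the layer. Either drop the resurrected patch files from the revert or state which kernel version still needs them.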
diff --git a/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch new file mode 100644 index 0000000..6ab7ce2 --- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/0002-ima-add-support-for-creating-files-using-the-mknodat.patch 
@@ -0,0 +1,138 @@ +From baaec960e9e7be0b526eaf831b079ddfe5c15124 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Thu, 10 Mar 2016 18:19:20 +0200 +Subject: [PATCH] ima: add support for creating files using the mknodat + syscall + +Commit 3034a14 "ima: pass 'opened' flag to identify newly created files" +stopped identifying empty files as new files. However new empty files +can be created using the mknodat syscall. On systems with IMA-appraisal +enabled, these empty files are not labeled with security.ima extended +attributes properly, preventing them from subsequently being opened in +order to write the file data contents. This patch marks these empty +files, created using mknodat, as new in order to allow the file data +contents to be written. + +Files with security.ima xattrs containing a file signature are considered +"immutable" and can not be modified. The file contents need to be +written, before signing the file. This patch relaxes this requirement +for new files, allowing the file signature to be written before the file +contents. 
+ +Upstream-Status: Accepted [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/integrity/ima/ima_appraise.c?id=05d1a717ec0430c916a749b94eb90ab74bbfa356] + +Signed-off-by: Mimi Zohar +--- + fs/namei.c | 2 ++ + include/linux/ima.h | 7 ++++++- + security/integrity/ima/ima_appraise.c | 3 +++ + security/integrity/ima/ima_main.c | 32 +++++++++++++++++++++++++++++++- + 4 files changed, 42 insertions(+), 2 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index ccd7f98..19502da 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3526,6 +3526,8 @@ retry: + switch (mode & S_IFMT) { + case 0: case S_IFREG: + error = vfs_create(path.dentry->d_inode,dentry,mode,true); ++ if (!error) ++ ima_post_path_mknod(dentry); + break; + case S_IFCHR: case S_IFBLK: + error = vfs_mknod(path.dentry->d_inode,dentry,mode, +diff --git a/include/linux/ima.h b/include/linux/ima.h +index 120ccc5..7f51971 100644 +--- a/include/linux/ima.h ++++ b/include/linux/ima.h +@@ -20,7 +20,7 @@ extern void ima_file_free(struct file *file); + extern int ima_file_mmap(struct file *file, unsigned long prot); + extern int ima_module_check(struct file *file); + extern int ima_fw_from_file(struct file *file, char *buf, size_t size); +- ++extern void ima_post_path_mknod(struct dentry *dentry); + #else + static inline int ima_bprm_check(struct linux_binprm *bprm) + { +@@ -52,6 +52,11 @@ static inline int ima_fw_from_file(struct file *file, char *buf, size_t size) + return 0; + } + ++static inline void ima_post_path_mknod(struct dentry *dentry) ++{ ++ return; ++} ++ + #endif /* CONFIG_IMA */ + + #ifdef CONFIG_IMA_APPRAISE +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4df493e..20806ea 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -274,6 +274,11 @@ out: + xattr_value->type != EVM_IMA_XATTR_DIGSIG)) { + if (!ima_fix_xattr(dentry, iint)) + status = INTEGRITY_PASS; ++ } else if 
((inode->i_size == 0) && ++ (iint->flags & IMA_NEW_FILE) && ++ (xattr_value && ++ xattr_value->type == EVM_IMA_XATTR_DIGSIG)) { ++ status = INTEGRITY_PASS; + } + integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename, + op, cause, rc, 0); +diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c +index eeee00dc..705bf78 100644 +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -242,7 +242,8 @@ static int process_measurement(struct file *file, int mask, int function, + ima_audit_measurement(iint, pathname); + + out_digsig: +- if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG)) ++ if ((mask & MAY_WRITE) && (iint->flags & IMA_DIGSIG) && ++ !(iint->flags & IMA_NEW_FILE)) + rc = -EACCES; + kfree(xattr_value); + out_free: +@@ -310,6 +311,35 @@ int ima_file_check(struct file *file, int mask, int opened) + EXPORT_SYMBOL_GPL(ima_file_check); + + /** ++ * ima_post_path_mknod - mark as a new inode ++ * @dentry: newly created dentry ++ * ++ * Mark files created via the mknodat syscall as new, so that the ++ * file data can be written later. ++ */ ++void ima_post_path_mknod(struct dentry *dentry) ++{ ++ struct integrity_iint_cache *iint; ++ struct inode *inode; ++ int must_appraise; ++ ++ if (!dentry || !dentry->d_inode) ++ return; ++ ++ inode = dentry->d_inode; ++ if (inode->i_size != 0) ++ return; ++ ++ must_appraise = ima_must_appraise(inode, MAY_ACCESS, FILE_CHECK); ++ if (!must_appraise) ++ return; ++ ++ iint = integrity_inode_get(inode); ++ if (iint) ++ iint->flags |= IMA_NEW_FILE; ++} ++ ++/** + * ima_module_check - based on policy, collect/store/appraise measurement. + * @file: pointer to the file to be measured/appraised + * +-- +2.5.0 + diff --git a/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch new file mode 100644 index 0000000..157c007 
--- /dev/null +++ b/meta-integrity/recipes-kernel/linux/linux/Revert-ima-limit-file-hash-setting-by-user-to-fix-an.patch 
@@ -0,0 +1,60 @@ +From a34d61850b680c152e1dcc958ee83c3ab3261c3d Mon Sep 17 00:00:00 2001 +From: Patrick Ohly +Date: Tue, 15 Nov 2016 10:10:23 +0100 +Subject: [PATCH] Revert "ima: limit file hash setting by user to fix and log + modes" + +This reverts commit c68ed80c97d9720f51ef31fe91560fdd1e121533. + +The original motivation was security hardening ("File hashes are +automatically set and updated and should not be manually set.") + +However, that hardening ignores and breaks some valid use cases: +- File hashes might not be set because the file is currently + outside of the policy and therefore have to be set by the + creator. Examples: + - Booting into an initramfs with an IMA-enabled kernel but + without setting an IMA policy, then installing + the OS onto the target partition by unpacking a rootfs archive + which has the file hashes pre-computed. + - Unpacking a file into a staging area with meta data (like owner) + that leaves the file outside of the current policy, then changing + the meta data such that it becomes part of the current policy. +- "should not be set manually" implies that the creator is aware + of IMA semantic, the current system's configuration, and then + skips setting file hashes in security.ima if (and only if) the + kernel would prevent it. That's not the case for standard, unmodified + tools. Example: unpacking an archive with security.ima xattrs with + bsdtar or GNU tar. 
+ +Upstream-Status: Submitted [https://sourceforge.net/p/linux-ima/mailman/message/35492824/] + +Signed-off-by: Patrick Ohly +--- + security/integrity/ima/ima_appraise.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index 4b9b4a4..b8b2dd9 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -385,14 +385,10 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { +- bool digsig; +- + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; +- digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); +- if (!digsig && (ima_appraise & IMA_APPRAISE_ENFORCE)) +- return -EPERM; +- ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ ima_reset_appraise_flags(d_backing_inode(dentry), ++ (xvalue->type == EVM_IMA_XATTR_DIGSIG) ? 1 : 0); + result = 0; + } + return result; +-- +2.1.4 + diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index 86fb3aa..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null 
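Review bot: unlike the two patches before it, this one carries Upstream-Status: Submitted with a 2016 mailing-list link, and the change is security-relevant: the lines removed in the ima_inode_setxattr hunk are the check that returns -EPERM when a non-signature security.ima value is written while IMA_APPRAISE_ENFORCE is set, so re-applying the patch restores the ability to set a plain (unsigned) file hash in enforce mode, which is exactly the hardening upstream c68ed80c97d9 introduced. The patch description lists the use cases that motivate it (unpacking pre-hashed archives with bsdtar or GNU tar), but a seven-year-old submission that never gained an accepted status should not come back through a revert without saying whether it still applies to the layer's kernels and whether the layer's users depend on the relaxation.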
@@ -1,46 +0,0 @@ -CONFIG_SQUASHFS_XATTR=y -CONFIG_KEYS=y -CONFIG_ASYMMETRIC_KEY_TYPE=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" -CONFIG_SECONDARY_TRUSTED_KEYRING=y -CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -CONFIG_X509_CERTIFICATE_PARSER=y -CONFIG_PKCS8_PRIVATE_KEY_PARSER=y -CONFIG_CRYPTO_ECDSA=y -CONFIG_SECURITY=y -CONFIG_SECURITYFS=y -CONFIG_INTEGRITY=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_TRUSTED_KEYRING=y -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_LSM_RULES=y -# CONFIG_IMA_TEMPLATE is not set -# CONFIG_IMA_NG_TEMPLATE is not set -CONFIG_IMA_SIG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" -# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y -# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_ARCH_POLICY=y -CONFIG_IMA_APPRAISE_BUILD_POLICY=y -CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y -# CONFIG_IMA_APPRAISE_BOOTPARAM is not set -# CONFIG_IMA_APPRAISE_MODSIG is not set -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y -# CONFIG_IMA_BLACKLIST_KEYRING is not set -# CONFIG_IMA_LOAD_X509 is not set -CONFIG_IMA_APPRAISE_SIGNED_INIT=y -CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y -CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y -# CONFIG_IMA_DISABLE_HTABLE is not set -CONFIG_EVM=y -# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc deleted file mode 100644 index 6eb84b0..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.scc +++ /dev/null @@ -1,4 +0,0 @@ -define KFEATURE_DESCRIPTION "Enable IMA" - -kconf non-hardware ima.cfg - 
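Review bot: deleting ima.cfg and the local ima.scc drops an explicit, reviewable kernel configuration (among others CONFIG_IMA_DEFAULT_HASH="sha256", CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y, CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y and CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}") in favour of whatever features/ima/ima.scc in the kernel's kmeta provides, which this series does not show. Before merging, confirm that fragment enables the same appraisal and trusted-keyring options; in particular nothing visible after this revert sets CONFIG_SYSTEM_TRUSTED_KEYS, so the root CA named by IMA_EVM_ROOT_CA is no longer compiled into the kernel and appraisal of CA-signed keys will not work unless the CA reaches the kernel some other way.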
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 0b6f530..3ab53e5 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc 
@@ -1,12 +1,4 @@ -FILESEXTRAPATHS:append := "${THISDIR}/linux:" - -SRC_URI += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ -" - -do_configure() { - sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config -} +KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}" KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" From patchwork Tue May 9 18:56:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jose Quaresma X-Patchwork-Id: 23753 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EABDFC7EE30 for ; Tue, 9 May 2023 18:57:24 +0000 (UTC) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mx.groups.io with SMTP id smtpd.web10.41607.1683658643096682156 for ; Tue, 09 May 2023 11:57:23 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@gmail.com header.s=20221208 header.b=PwWif3h7; spf=pass (domain: gmail.com, ip: 209.85.221.47, mailfrom: quaresma.jose@gmail.com) Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-30786c6082dso2583733f8f.2 for ; Tue, 09 May 2023 11:57:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683658641; x=1686250641; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=uTG9v7UT9PqUHXDM7SKfSlMyAOxVTJ89xs/zTkcfeA0=; b=PwWif3h7zIVNjoUW0mcGLbIkmIJ8tEV1NfMeFbba7m6ob4iyk3ON0qRx6pjicTaqSa FIr+CiDykrz99We428FU/ReajafwsjtQcic7W5vRI+w0A/5onovwR9NV22WZs4tGAn2s 
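Review bot: removing the do_configure() override is the right call: as the commit message explains, linux_ima.inc is pulled in through linux-%.bbappend by every recipe named linux-*, so the override replaced do_configure in non-kernel recipes such as linux-firmware, which have no .config for the sed to edit. The removed lines existed for a reason, though: the CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" entry in the deleted ima.cfg is never expanded by the kernel's fragment merging, so the sed was the only thing putting the real CA path into .config, and after this hunk nothing does. If the CA still needs to be built in, do the substitution in a do_configure:append that is gated on the recipe actually being a kernel (for example from an anonymous python function that checks bb.data.inherits_class('kernel', d) before attaching the hook), not in an .inc shared with every linux-* recipe. Minor style: the restored line uses double quotes inside the inline-python expression while the modsign line below it uses single quotes, and `"" ,d` has a stray space.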
From: Jose Quaresma X-Google-Original-From: Jose Quaresma To: yocto@lists.yoctoproject.org Cc: stefanb@linux.ibm.com, Jose Quaresma Subject: [meta-security][PATCH 7/8] Revert "ima: Fix the ima_policy_appraise_all to appraise executables & libraries" Date: Tue, 9 May 2023 18:56:30 +0000 Message-Id: <20230509185631.3182570-7-jose.quaresma@foundries.io> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io> References: <20230509185631.3182570-1-jose.quaresma@foundries.io> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 May 2023 18:57:24 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59952 This reverts commit cb8f26d82a35ba56f3bd40cd6ba105de03602a4b. The full patchset are overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails in some recipes and also do_configure task doesn't make sense. This breaks many recipes like linux-firmware and maybe others. Signed-off-by: Jose Quaresma --- .../files/ima_policy_appraise_all | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all index 3498025..36e71a7 100644 --- a/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all +++ b/meta-integrity/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all 
@@ -25,12 +25,5 @@ dont_appraise fsmagic=0xf97cff8c dont_appraise fsmagic=0x6e736673 # EFIVARFS_MAGIC dont_appraise fsmagic=0xde5e81e4 -# Cgroup -dont_appraise fsmagic=0x27e0eb -# Cgroup2 -dont_appraise fsmagic=0x63677270 -# Appraise libraries -appraise func=MMAP_CHECK mask=MAY_EXEC -# Appraise executables -appraise func=BPRM_CHECK +appraise From patchwork Tue May 9 18:56:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jose Quaresma X-Patchwork-Id: 23751 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C84B1C7EE2D for ; Tue, 9 May 2023 18:57:24 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.web10.41608.1683658643505526597 for ; Tue, 09 May 2023 11:57:23 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="signature has expired" header.i=@gmail.com header.s=20221208 header.b=JH+XeDjN; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: quaresma.jose@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-3f195b164c4so41671955e9.1 for ; Tue, 09 May 2023 11:57:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683658642; x=1686250642; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=0K7ipfpfyN+yaSl0KZgRk08Y7V3Z2mGMI7REKBvvf3c=; b=JH+XeDjN5j7WkphaszX/SWx5Wul8DwpiuuMrR2usgHOFRxcCN8Jxx79svpzkMhvexo YUafdEL8pI5Lw+ml7v+qy2cXjmcOrOi6ZTTJeNwWNYLaaQT8C4puCNRfaQoeAmY5ieqD IkFeBN2TSe0V4vAUW/xDdWa9WGBgp8iVQjusiOhwbxvSNOcRaAawVu343KHAcqp6egsl qvXnrIw/NT0G6B/Lv2mwJXusW9NXUeetN3xO1C17xsUooWOl9kJZfkFW6Bd2qu1Dyg6S 
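Review bot: replacing `appraise func=MMAP_CHECK mask=MAY_EXEC` and `appraise func=BPRM_CHECK` with a bare `appraise` rule widens the policy from executables and libraries to every hook (FILE_CHECK reads and writes included) for everything not excluded by the dont_appraise lines above, and this hunk also drops the Cgroup and Cgroup2 exclusions. With appraisal enforced that combination means opens of files under /sys/fs/cgroup, which carry no security.ima xattr, can fail appraisal early in boot, which is the kind of breakage the reverted commit presumably added those two fsmagic lines to avoid. If the aim is only to undo the kernel-side changes of the series, keep the two cgroup dont_appraise lines even if the broad appraise rule is restored, and state in the message that appraising all file accesses is the intended meaning of this policy.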
From: Jose Quaresma
To: yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma
Subject: [meta-security][PATCH 8/8] Revert "ima: Document and replace keys and adapt scripts for EC keys"
Date: Tue, 9 May 2023 18:56:31 +0000
Message-Id: <20230509185631.3182570-8-jose.quaresma@foundries.io>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59953

This reverts commit 0652c9fd7496d021f91759cc7489b6faad3e04bd.

The full patchset is overriding the do_configure task and also added a kernel patch on meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend). So the patch fails in some recipes, and the do_configure task also doesn't make sense there. This breaks many recipes like linux-firmware and maybe others.
Signed-off-by: Jose Quaresma --- meta-integrity/data/debug-keys/README.md | 17 -------- .../data/debug-keys/ima-local-ca.pem | 15 ------- .../data/debug-keys/ima-local-ca.priv | 7 --- .../data/debug-keys/privkey_ima.pem | 17 ++++++-- meta-integrity/data/debug-keys/x509_ima.der | Bin 620 -> 707 bytes meta-integrity/scripts/ima-gen-CA-signed.sh | 9 ++-- meta-integrity/scripts/ima-gen-local-ca.sh | 6 +-- meta-integrity/scripts/ima-gen-self-signed.sh | 41 ++++++++++++++++++ 8 files changed, 62 insertions(+), 50 deletions(-) delete mode 100644 meta-integrity/data/debug-keys/README.md delete mode 100644 meta-integrity/data/debug-keys/ima-local-ca.pem delete mode 100644 meta-integrity/data/debug-keys/ima-local-ca.priv create mode 100755 meta-integrity/scripts/ima-gen-self-signed.sh diff --git a/meta-integrity/data/debug-keys/README.md b/meta-integrity/data/debug-keys/README.md deleted file mode 100644 index e613968..0000000 --- a/meta-integrity/data/debug-keys/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# EVM & IMA keys - -The following IMA & EVM debug/test keys are in this directory - -- ima-local-ca.priv: The CA's private key (password: 1234) -- ima-local-ca.pem: The CA's self-signed certificate -- privkey_ima.pem: IMA & EVM private key used for signing files -- x509_ima.der: Certificate containing public key (of privkey_ima.pem) to verify signatures - -The CA's (self-signed) certificate can be used to verify the validity of -the x509_ima.der certificate. Since the CA certificate will be built into -the Linux kernel, any key (x509_ima.der) loaded onto the .ima keyring must -pass this test: - -``` - openssl verify -CAfile ima-local-ca.pem x509_ima.der -```` diff --git a/meta-integrity/data/debug-keys/ima-local-ca.pem b/meta-integrity/data/debug-keys/ima-local-ca.pem deleted file mode 100644 index 4b48be4..0000000 --- a/meta-integrity/data/debug-keys/ima-local-ca.pem +++ /dev/null 
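Review bot: the deleted debug-keys/README.md is the only place that documented what each file in the directory is, that the CA key's password is 1234, and the `openssl verify -CAfile ima-local-ca.pem x509_ima.der` check that ties the signing certificate to the CA the kernel is meant to trust. Since the rest of this patch removes the CA files and changes the key type, some README should survive to say what the replacement debug key is, how it is generated (ima-gen-self-signed.sh, per the diffstat) and, as the old text did, that these are debug/test keys only.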
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICWzCCAgCgAwIBAgITYMKT7/z5qI+hLfNC6Jy6hhBCWDAKBggqhkjOPQQDAjB9 -MRQwEgYDVQQKDAtleGFtcGxlLmNvbTFAMD4GA1UEAww3bWV0YS1pbnRlbC1pb3Qt -c2VjdXJpdHkgZXhhbXBsZSBjZXJ0aWZpY2F0ZSBzaWduaW5nIGtleTEjMCEGCSqG -SIb3DQEJARYUam9obi5kb2VAZXhhbXBsZS5jb20wIBcNMjMwNDI2MTYyNjExWhgP -MjEyMzA0MDIxNjI2MTFaMH0xFDASBgNVBAoMC2V4YW1wbGUuY29tMUAwPgYDVQQD -DDdtZXRhLWludGVsLWlvdC1zZWN1cml0eSBleGFtcGxlIGNlcnRpZmljYXRlIHNp -Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRqb2huLmRvZUBleGFtcGxlLmNvbTBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABCiC+YIbCoOhyLy63lOGbiK+DPkW7gMU -rmfVLIb4oTmKxZS5/L8VE6hjKDcLa7OauyuW2nd4fnFAautFxpw/Q0yjXTBbMAwG -A1UdEwQFMAMBAf8wHQYDVR0OBBYEFL/PiFFjjlzVtExXMb2uXOfIgeIEMB8GA1Ud -IwQYMBaAFL/PiFFjjlzVtExXMb2uXOfIgeIEMAsGA1UdDwQEAwIBBjAKBggqhkjO -PQQDAgNJADBGAiEA0HOxloLMr87yDoH3CljWDWb7M2zLA+BQFXLN511qDl0CIQDu -clewWaJHw4Wq8IN3JsrNDDw2GfrN3sx4hfWUK/0SPw== ------END CERTIFICATE----- diff --git a/meta-integrity/data/debug-keys/ima-local-ca.priv b/meta-integrity/data/debug-keys/ima-local-ca.priv deleted file mode 100644 index e13de23..0000000 --- a/meta-integrity/data/debug-keys/ima-local-ca.priv +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIHjME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAhinM5KnV2x5wICCAAw -DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI4Xbw/W1pgH0EgZCiurgCTUEIDbiK -x5kw3/Rg1/ZLwk5TEiMoIa9CmXEyuSRUla/Ta4o/rZEzKAp6vwkcupviirtWYems -lZNfggfzITWNEWtkU6BrhZgJ7kaeZrIbuAO7YUJy6Z2MQfgaKI9BE2EEgKJ+X5gY -LjkobSAtEqDjuheLgaXIMQ7/qT0MGmi6LmzwMEhu8ZXlNGg8udw= ------END ENCRYPTED PRIVATE KEY----- diff --git a/meta-integrity/data/debug-keys/privkey_ima.pem b/meta-integrity/data/debug-keys/privkey_ima.pem index 8362cfe..502a0b6 100644 --- a/meta-integrity/data/debug-keys/privkey_ima.pem +++ b/meta-integrity/data/debug-keys/privkey_ima.pem 
@@ -1,5 +1,16 @@ -----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgmbPxV5LYZ530IfGm -SMpfPQFgoIkKPMRuNWLyVn+wiAOhRANCAAQ31W5ZQZdcwidgpyls2oO5rSsHLlqj -cKYaDF2fveMN5L/wBwEi84ubzz2+MkM9q7RaOSC4TPYHnhVvYcH+SsFv +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJw2G3d0fM36rcQU +Bt8V/SapJe0lxWJ+CY+HcMx8AhWY9XQ66AXcqBsRHiUnYCaFGXFI35VKGC6d/Gs6 +IWlHgI0tcTyzy5eul+BKRLy/3PNjkK2jJETlbetQy+gE6gUtg4RmPV5ALGksK74p +OrAfKnahoMi82NVIiBitwmRimms1AgMBAAECgYBTxciRFU1hAVBy2PKebKJoO0n1 +lc329fSWnmHlp5NOlcr8XCLWEfGtIk7ySd2MitCMKjKNU0EIrv0RXAlS9l9/gBYW +HY+eEaa6l80sp8q4aPKImSi0pb3LVNqWKXJg8qr4AZ45/TEL/fzILFv5QcY8xDjV +aj6DOlEnNDjlBlBbQQJBAMyYDlKItes/Rnmtp9roXj3XUfiBDHTLY2HVgDBe87sA +TOSnbgIv+6urd1h9XvBmJlRYH7YKJmBSZWcSlfdC6XkCQQDDdfkUMxQZo9PC/Eue +WYzytx4xUm3ItWcuKILtFgcNh3c4s4dMx4X/WhQj5/H/nVOIWDioQ0mrW3ap/qcb +SBydAkAf/gb/UPFhf9t9W3JMANn7wZfHzCYufT9lJQWOisqCC2H6v1Osc+Rey8k1 +xST7Yn3L4pvS03N8zGWe4IEi0QvBAkAWdTWbNos2rvYjzy05Enz5XkTf0eK/Tuh+ +CzWP3BoPWeM+5pHDJqGkx0rNHVdW0VLJtak83A5Y2/d0bMfygISZAkBFGui4HW+Q +1BlpmDeslsE11wm5jSmm6Ti12a2dVKGFo9QLQcSj4bfgxtqU2dQaYRmajXtSBrGQ +3vVaxg2EfqB1 -----END PRIVATE KEY----- 
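Review bot: with the README.md, ima-local-ca.pem and ima-local-ca.priv hunks deleting the CA and its documentation, nothing in the layer now says how the regenerated x509_ima.der is trusted. The deleted README stated that the CA certificate is built into the kernel and that any key loaded onto the .ima keyring must pass `openssl verify -CAfile ima-local-ca.pem x509_ima.der`; that check no longer exists, so the commit message or a replacement README should say whether the new x509_ima.der is itself compiled into the kernel's trusted keyring or is loaded onto an .ima keyring that does not require a trusted issuer, and which script (ima-gen-self-signed.sh) regenerates it. A short README should also keep the warning that privkey_ima.pem is an unencrypted debug key committed to a public repository and must never sign production images. In the privkey_ima.pem hunk the key changes from an EC prime256v1 key (`BgcqhkjOPQIB...` in the removed lines) to an RSA key (`BgkqhkiG9w0BAQEF` in the added lines) whose size matches the `default_bits = 1024` added to the generator scripts; 1024-bit RSA is below the 2048-bit minimum in current guidance, so if this is deliberate for compatibility with a particular kernel or ima-evm-utils version, record that reason in the commit message.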
diff --git a/meta-integrity/data/debug-keys/x509_ima.der b/meta-integrity/data/debug-keys/x509_ima.der index 3f6f24e61373912cf39598a427fba09c75e74592..087ca6bea53c172e7eb9a269183a32b3ecbd3aaa 100644 GIT binary patch delta 490 zcmaFEa+p=!powWe5Nj-8W@2Pw;$&Ev_Kw}@@5(*{UN%mxHjlRNyo`*jtPB$`lqe{O z^BS5N7#bNGn44Odm_$kN8yOm!8X6f{Km;b9FRgE!kF1fAm4Ugjm%*U1lc}+hVUC$} zc}dOLUu%zuu-zB^tF}`0t?JRFI?n#~f-^NtqBFjhSiNAqvqD->PE|cYtyQwn2h{MMs#v)Q%T$8e2$NAsBg}3FLd+H7cC8Z`C$b+PnStJa^8n7s+ z2dY2~IA);7CE4|y8dgPru-Va-?r`+w*M{B4Qk8-~RJ~DstJG$5*M+C#eBA$qBA?IQ zi#XD!^?xaMa-hvFpF;7>h^4<)8&z1mFsnIzMy+W^{27zLSGM&o2WzB{WS3ukm~v04 seSbc0i;m3fSIP33d0S_T-F&dflIgem)LYJa+g7k1Pdm)DaOKh($ delta 420 zcmX@i`i8~Opou91hlmxF;F8*?ZNGmrVi`wCpisYNB3X_?81B@_P|D=3Kb8W|gy7?~NG8JU?_ zL`m=)8G-~1j35FNcbC>j8VIwogNQzB$GENKEY [ req ] +default_bits = 1024 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -35,15 +36,13 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \ - -out csr_ima.pem -keyout privkey_ima.pem \ - -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \ +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ -CA $CA -CAkey $CAKEY -CAcreateserial \ -outform DER -out x509_ima.der diff --git a/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-integrity/scripts/ima-gen-local-ca.sh index 339d3e3..b600761 100755 --- a/meta-integrity/scripts/ima-gen-local-ca.sh +++ b/meta-integrity/scripts/ima-gen-local-ca.sh 
@@ -18,6 +18,7 @@ GENKEY=ima-local-ca.genkey cat << __EOF__ >$GENKEY [ req ] +default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -32,11 +33,10 @@ emailAddress = john.doe@example.com basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -keyUsage = cRLSign, keyCertSign +# keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \ - -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \ +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-integrity/scripts/ima-gen-self-signed.sh new file mode 100755 index 0000000..5ee876c --- /dev/null +++ b/meta-integrity/scripts/ima-gen-self-signed.sh 
@@ -0,0 +1,41 @@ +#!/bin/sh +# +# Copied from ima-evm-utils. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = example.com +CN = meta-intel-iot-security example signing key +emailAddress = john.doe@example.com + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config $GENKEY \ + -outform DER -out x509_ima.der -keyout privkey_ima.pem
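Review bot: in the ima-gen-CA-signed.sh hunk the certificate digest moves from `-sha256` to `-sha1` and the key from `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` to the new RSA `default_bits = 1024`; both are deprecated choices for a new certificate, and current OpenSSL security levels and distribution crypto policies increasingly refuse SHA-1 certificate signatures, so this should be checked against the target kernel and OpenSSL versions and justified in the commit message, or kept at `-sha256` with 2048 bits, which the same tools accept. The leaf validity also drops from 36500 to 365 days while the CA in ima-gen-local-ca.sh keeps 3650 and the new ima-gen-self-signed.sh keeps 36500, so a CA-signed debug certificate will expire after a year; the three scripts should agree on a lifetime. Dropping `extendedKeyUsage=critical,codeSigning` is only safe if nothing in the layer checks the EKU; a one-line note on why it was removed would help.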
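Review bot: commenting out `keyUsage = cRLSign, keyCertSign` in the ima-gen-local-ca.sh hunk leaves a certificate that asserts `basicConstraints=CA:TRUE` with no key usage extension at all, so verifiers that require keyCertSign on an issuer will reject certificates it signs, and the hunk gives no reason for the change. If a specific verifier rejected the extension, name it in the commit message; otherwise keep keyCertSign (and cRLSign if CRLs are ever used) on the CA. The `#` comment should also be removed rather than left as dead configuration if the extension is really unwanted.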
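Review bot: the new ima-gen-self-signed.sh is headed "Copied from ima-evm-utils", but the subject (`O = example.com`, `CN = meta-intel-iot-security example signing key`, `emailAddress = john.doe@example.com`) and the output file names are this layer's own, so the header should say it was adapted and name the upstream file it was taken from. The script produces a self-signed certificate that carries `basicConstraints=critical,CA:FALSE` and `keyUsage=digitalSignature`, which is fine for a key compiled directly into the kernel's trusted keyring but cannot be verified against a separate CA as the deleted README described; a comment at the top stating that the resulting x509_ima.der must be built into the kernel (or loaded onto an unrestricted .ima keyring) would save the next reader from looking for a CA that no longer exists. The `-sha1` and `default_bits = 1024` settings repeat the same deprecated choices as the other two scripts; unless a documented compatibility reason requires them, `-sha256` with 2048 bits is the better default for a script people will copy.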