From patchwork Wed Mar 16 14:31:15 2022
X-Patchwork-Submitter: Anu Deepthika
X-Patchwork-Id: 5332
From: Anu Deepthika
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][PATCH v5] usbguard: Add inital recipe
Date: Wed, 16 Mar 2022 20:01:15 +0530
Message-ID: <20220316143115.3790996-1-anudeepthika@code1.emi.philips.com>
Reply-To: Nandipati.AnuDeepthika@philips.com
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/96020

From: "Anu Deepthika, Nandipati"

Set one crypto-backend library at a time
OpenSSL is the crypto-backend library set for device hashing
Override PACKAGECONFIG to replace it with libsodium or libgcrypt

Signed-off-by: Anu Deepthika, Nandipati --- ...kgconfig-instead-of-libgcrypt-config.patch | 106 ++++++++++++++++++ .../usbguard/usbguard_1.1.0.bb | 74 ++++++++++++ 2 files changed, 180 insertions(+) create mode 100644 meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch create mode 100644 meta-oe/recipes-security/usbguard/usbguard_1.1.0.bb diff --git a/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch b/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch new file mode 100644 index 000000000..a7a3eb043 --- /dev/null +++ b/meta-oe/recipes-security/usbguard/usbguard/0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch 
@@ -0,0 +1,106 @@ +From e36cbf9d7a32de9945a8b6c62ad29dfb60358081 Mon Sep 17 00:00:00 2001 +From: "Anu Deepthika, Nandipati" +Date: Wed, 9 Mar 2022 02:03:51 +0530 +Subject: [PATCH] Add and use pkgconfig instead of libgcrypt-config + +Upstream-Status: Pending + +Signed-off-by: Anu Deepthika, Nandipati +--- + m4/libgcrypt.m4 | 56 ++----------------------------------------------- + 1 file changed, 2 insertions(+), 54 deletions(-) + +diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4 +index 9a29eb5..465fe24 100644 +--- a/m4/libgcrypt.m4 ++++ b/m4/libgcrypt.m4 +@@ -22,17 +22,7 @@ dnl with a changed API. + dnl + AC_DEFUN([AM_PATH_LIBGCRYPT], + [ AC_REQUIRE([AC_CANONICAL_HOST]) +- AC_ARG_WITH(libgcrypt-prefix, +- AS_HELP_STRING([--with-libgcrypt-prefix=PFX], +- [prefix where LIBGCRYPT is installed (optional)]), +- libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="") +- if test x$libgcrypt_config_prefix != x ; then +- if test x${LIBGCRYPT_CONFIG+set} != xset ; then +- LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config +- fi +- fi + +- AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) + tmp=ifelse([$1], ,1:1.2.0,$1) + if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then + req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` +@@ -41,44 +31,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + req_libgcrypt_api=0 + min_libgcrypt_version="$tmp" + fi ++ PKG_CHECK_MODULES(LIBGCRYPT, [libgcrypt >= $min_libgcrypt_version], [ok=yes], [ok=no]) + +- AC_MSG_CHECKING(for LIBGCRYPT - version >= $min_libgcrypt_version) +- ok=no +- if test "$LIBGCRYPT_CONFIG" != "no" ; then +- req_major=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'` +- req_minor=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'` +- req_micro=`echo $min_libgcrypt_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` +- libgcrypt_config_version=`$LIBGCRYPT_CONFIG --version` +- major=`echo $libgcrypt_config_version 
| \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'` +- minor=`echo $libgcrypt_config_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'` +- micro=`echo $libgcrypt_config_version | \ +- sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'` +- if test "$major" -gt "$req_major"; then +- ok=yes +- else +- if test "$major" -eq "$req_major"; then +- if test "$minor" -gt "$req_minor"; then +- ok=yes +- else +- if test "$minor" -eq "$req_minor"; then +- if test "$micro" -ge "$req_micro"; then +- ok=yes +- fi +- fi +- fi +- fi +- fi +- fi +- if test $ok = yes; then +- AC_MSG_RESULT([yes ($libgcrypt_config_version)]) +- else +- AC_MSG_RESULT(no) +- fi + if test $ok = yes; then + # If we have a recent libgcrypt, we should also check that the + # API is compatible +@@ -96,10 +50,8 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + fi + fi + if test $ok = yes; then +- LIBGCRYPT_CFLAGS=`$LIBGCRYPT_CONFIG --cflags` +- LIBGCRYPT_LIBS=`$LIBGCRYPT_CONFIG --libs` + ifelse([$2], , :, [$2]) +- libgcrypt_config_host=`$LIBGCRYPT_CONFIG --host 2>/dev/null || echo none` ++ libgcrypt_config_host=`$PKG_CONFIG --variable=host libgcrypt` + if test x"$libgcrypt_config_host" != xnone ; then + if test x"$libgcrypt_config_host" != x"$host" ; then + AC_MSG_WARN([[ +@@ -112,10 +64,6 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], + ***]]) + fi + fi +- else +- LIBGCRYPT_CFLAGS="" +- LIBGCRYPT_LIBS="" +- ifelse([$3], , :, [$3]) + fi + AC_SUBST(LIBGCRYPT_CFLAGS) + AC_SUBST(LIBGCRYPT_LIBS) +-- +2.25.1 + diff --git a/meta-oe/recipes-security/usbguard/usbguard_1.1.0.bb b/meta-oe/recipes-security/usbguard/usbguard_1.1.0.bb new file mode 100644 index 000000000..3a2966ff4 --- /dev/null +++ b/meta-oe/recipes-security/usbguard/usbguard_1.1.0.bb 
@@ -0,0 +1,74 @@ +# Copyright (c) 2021 Koninklijke Philips N.V. +# +# SPDX-License-Identifier: MIT +# +SUMMARY = "USBGuard daemon for blacklisting and whitelisting of USB devices" +DESCRIPTION = "The USBGuard software framework helps to protect your computer against \ +rogue USB devices (a.k.a. Bad USB) by implementing basic whitelisting and blacklisting \ +capabilities based on device attributes. This recipe takes OpenSSL as crypto-backend for \ +computing device hashes (Supported values are sodium, gcrypt, openssl)." +HOMEPAGE = "https://usbguard.github.io/" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +SRC_URI = "https://github.com/USBGuard/usbguard/releases/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ + file://0001-Add-and-use-pkgconfig-instead-of-libgcrypt-config.patch" + +SRC_URI[sha256sum] = "a39104042b0c57f969c4e6580f6d80ad7066551eda966600695e644081128a2d" + +inherit autotools-brokensep bash-completion pkgconfig systemd + +DEPENDS = "glib-2.0-native libcap-ng libqb libxml2-native libxslt-native pegtl protobuf protobuf-native xmlto-native" + +S = "${WORKDIR}/${BPN}-${PV}" + +EXTRA_OECONF += "\ + --with-bundled-catch \ + --with-bundled-pegtl \ +" + +PACKAGECONFIG ?= "\ + openssl \ + ${@bb.utils.filter('DISTRO_FEATURES', 'polkit', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ +" + +# USBGuard has made polkit mandatory to configure with-dbus +PACKAGECONFIG[dbus] = "--with-dbus,--without-dbus,dbus-glib polkit" +PACKAGECONFIG[libgcrypt] = "--with-crypto-library=gcrypt,,libgcrypt,,,libsodium openssl" +PACKAGECONFIG[libsodium] = "--with-crypto-library=sodium,,libsodium,,,libgcrypt openssl" +PACKAGECONFIG[openssl] = "--with-crypto-library=openssl,,openssl,,,libgcrypt libsodium" +PACKAGECONFIG[polkit] = "--with-polkit,--without-polkit,polkit" +PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" + +SYSTEMD_PACKAGES = "${PN}" + +SYSTEMD_SERVICE:${PN} = "usbguard.service" + 
+SYSTEMD_PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'dbus', '${PN}-dbus', '', d)}" + +SYSTEMD_SERVICE:${PN}-dbus = "usbguard-dbus.service" + +PACKAGES =+ "${PN}-dbus" + +FILES:${PN} += "\ + ${systemd_unitdir}/system/usbguard.service \ + ${systemd_unitdir}/system/usbguard-dbus.service \ + ${datadir}/polkit-1 \ + ${datadir}/polkit-1/actions \ + ${datadir}/dbus-1 \ + ${nonarch_libdir}/tmpfiles.d \ +" + +do_install:append() { +# Create /var/log/usbguard in runtime. + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then + install -d ${D}${nonarch_libdir}/tmpfiles.d + echo "d ${localstatedir}/log/${BPN} 0755 root root -" > ${D}${nonarch_libdir}/tmpfiles.d/${BPN}.conf + fi + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then + install -d ${D}${sysconfdir}/default/volatiles + echo "d root root 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN} + fi + rm -rf ${D}${localstatedir}/log +}
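Review bot: In the m4/libgcrypt.m4 hunk at @@ -41,44 +31,8 @@, the trailing context opens the API-compatibility check ("If we have a recent libgcrypt, we should also check that the API is compatible"), and the body of that check is not touched anywhere in this patch. AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) is removed in the previous hunk, so if that untouched block still calls $LIBGCRYPT_CONFIG it now expands to an empty command. Please confirm the block no longer references it, or convert it to a pkg-config query the same way the host lookup was converted.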
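Review bot: In the m4/libgcrypt.m4 hunk at @@ -96,10 +50,8 @@, the new host lookup drops the "2>/dev/null || echo none" fallback while the following line still tests the result against xnone. If libgcrypt.pc does not define a host variable, or the query fails, libgcrypt_config_host is empty rather than "none", so the mismatch warning fires on every build. Suggest keeping the fallback, for example by setting libgcrypt_config_host=none when the pkg-config result is empty, and redirecting stderr as before.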
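Review bot: In the m4/libgcrypt.m4 hunk at @@ -112,10 +64,6 @@, removing the else branch also removes ifelse([$3], , :, [$3]), so the macro's third argument (the action for the ok=no case) is never run. A caller that relies on it to abort configure or to fall back to another crypto library will now continue silently with ok=no. Clearing LIBGCRYPT_CFLAGS and LIBGCRYPT_LIBS can go, but the [$3] expansion should stay in an else branch.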
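Review bot: In usbguard_1.1.0.bb, PACKAGES =+ "${PN}-dbus" and SYSTEMD_SERVICE:${PN}-dbus = "usbguard-dbus.service" are set, but there is no FILES:${PN}-dbus and usbguard-dbus.service is listed under FILES:${PN} instead. With the dbus PACKAGECONFIG enabled, the -dbus package would be empty and its service file would ship in the main package, as would ${datadir}/dbus-1 and ${datadir}/polkit-1. Suggest moving those entries to FILES:${PN}-dbus. Separately, DEPENDS lists pegtl while EXTRA_OECONF passes --with-bundled-pegtl; one of the two looks unnecessary, and a security recipe is easier to track for fixes when it builds against the layer's pegtl rather than a bundled copy.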