From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: yocto@lists.yoctoproject.org, miriam.rico@enigmedia.es
Subject: Re: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
Date: Thu, 3 Apr 2025 11:56:56 -0400
Message-ID: <Z+6vyKw0b2LW7J29@gmail.com>
In-Reply-To: <xMfo.1743597142032633477.or5v@lists.yoctoproject.org>
In message: [yocto] Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone
on 02/04/2025 miriam.rico via lists.yoctoproject.org wrote:
> Hi,
>
> I want to add IMA (Integrity Measurement Architecture) support to my Yocto
> build and I enabled it on my local.conf by adding:
>
> DISTRO_FEATURES:append = " integrity ima"
> IMAGE_CLASSES += "ima-evm-rootfs"
> IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
> IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/ima_privkey.pem"
> IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
> EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_evm.der"
>
> Also, I added the meta-integrity layer to my bblayers.conf file.
>
> After building the image, I noticed that the used algorithm is sha1. I would
> like to enable the sha256 algorithm, but I am having problems with it. I have
> tried to enable it using the kernel flags, but I can't get it. I have reviewed
> the configuration that applies when IMA is enabled and found it to be as
> follows (looking at the config file generated after compiling the kernel and
> doing a grep for IMA, I am using Kernel version 5.15):
>
> # SPDX-License-Identifier: MIT
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> CONFIG_IMA_NG_TEMPLATE=y
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> CONFIG_IMA_DEFAULT_HASH_SHA1=y
> CONFIG_IMA_DEFAULT_HASH="sha1"
> CONFIG_IMA_APPRAISE=y
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> CONFIG_SIGNATURE=y
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
>
> So I created a fragment file with the following:
>
> CONFIG_IMA_SIG_TEMPLATE=y
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
> CONFIG_IMA_DEFAULT_HASH_SHA256=y
> CONFIG_IMA_DEFAULT_HASH="sha256"
>
> Then, I add it to my linux-yocto_%.bbappend file:
>
> FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
> SRC_URI += "file://enable-ima.cfg "
>
> But after recompiling the kernel, the template and the hash remain "ima-ng" and
> "sha1".
>
> I have also tried to create the fragment file using menuconfig, activating
> "ima-sig" and "sha256", using diffconfig to create fragment.cfg file, copying
> the fragment file to meta-my-layer/recipes-kernel/linux/files and adding it to
> my linux-yocto_%.bbappend file, but the result has been the same, the template
> and the algorithm have not changed.
>
> FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
> SRC_URI += "file://fragment.cfg "
>
> I have been going through the tasks logs trying to see where the problem might
> be and found do_kernel_configme log. In the log, I saw the following:
>
> Final scc/cfg list: /home/.../Yocto/build/tmp/work/genericx86_64-poky-linux/
> linux-yocto/5.15.72+gitAUTOINC+441f5fe000_0b628306d1-r0/kernel-meta/bsp/
> common-pc-64/common-pc-64-standard.scc /home/
> /home/.../Yocto/my_yocto_project/meta-my-layer/recipes-kernel/linux/files/
> enable-ima.cfg
> /home/.../Yocto/my_yocto_project/meta-security/meta-tpm/recipes-kernel/linux/
> linux-yocto/tpm2.scc features/ima/ima.scc
>
> So I thought that maybe the kernel features are applied after the user-created
> fragments. So, I added the following options to my enable-ima.cfg fragment to
> see if it was true or not.
>
> CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
> CONFIG_IMA_APPRAISE_BUILD_POLICY=y
> CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
>
> After recompiling the kernel, the result was the following:
>
> # CONFIG_MDIO_BCM_UNIMAC is not set
> CONFIG_FB_CFB_IMAGEBLIT=y
> CONFIG_FB_SYS_IMAGEBLIT=y
> CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
> # CONFIG_HID_PRIMAX is not set
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> CONFIG_IMA_NG_TEMPLATE=y
> # CONFIG_IMA_SIG_TEMPLATE is not set
> CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
> CONFIG_IMA_DEFAULT_HASH_SHA1=y
> # CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
> # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
> CONFIG_IMA_DEFAULT_HASH="sha1"
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> # CONFIG_IMA_ARCH_POLICY is not set
> CONFIG_IMA_APPRAISE_BUILD_POLICY=y
> CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
> CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> CONFIG_IMA_APPRAISE_MODSIG=y
> CONFIG_IMA_TRUSTED_KEYRING=y
> # CONFIG_IMA_BLACKLIST_KEYRING is not set
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
> CONFIG_IMA_APPRAISE_SIGNED_INIT=y
> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
> # CONFIG_IMA_DISABLE_HTABLE is not set
>
> The newly added options appear in the configuration.
>
> Can anyone tell me which is the order of applying Kernel configuration? I am
> not sure whether I am following the correct order. How can I apply my Kernel
> configuration?
I've sent the order several times for documentation, but I admit that
I haven't really gone to check to see if it is there. I've also answered
on the list a few times over the years, but also, that only helps if
you know what to look/search for.

Fragments are applied in the order they are found. And that order
is of course governed by the standard bitbake variable processing
rules (default values, overrides, etc, etc). A bbappend like you
tried first would work, unless the processing order of the variable
puts another fragment after it that manipulates the same variable (as
you also found).

KERNEL_FEATURES are always applied after all "in tree" (aka
kernel-cache) and user supplied fragments (i.e. bbappends), since
KERNEL_FEATURES have more stringent checks to see that they
exist and are applied. They form a "contract" that if they aren't
applied, then we have a problem. Of course the order of KERNEL_FEATURES
is also controlled by normal bitbake variable processing rules.

So yes, if you have another fragment that is modifying an option
that you want to apply, you can either :remove that feature / fragment
from the SRC_URI or create a KERNEL_FEATURE that will be applied
after the user-supplied 'standard' fragments.
Bruce
>
> Any answer will be appreciated.
>
> Thank you,
>
> Miriam
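As an added example (not code from the thread, from Yocto, or from meta-integrity), the script below puts Bruce's second suggestion into files: a recipe-space KERNEL_FEATURE carrying the ima-sig/sha256 fragment, so it is applied after the plain SRC_URI fragments and after the in-tree features/ima/ima.scc, plus a checker that compares a fragment against the generated .config instead of eyeballing grep output. The file names ima-sha256.cfg/.scc, the layer path and the bbappend layout are assumptions; listing the .cfg in SRC_URI next to the .scc is also an assumption, so that the feature's kconf reference resolves.

```shell
#!/bin/sh
# write_ima_feature LAYERDIR: scaffold a KERNEL_FEATURE (names assumed).
write_ima_feature() {
  dir="$1/recipes-kernel/linux"
  mkdir -p "$dir/files"
  # CONFIG_IMA_DEFAULT_HASH_SHA256 is only selectable when CRYPTO_SHA256 is built in.
  cat > "$dir/files/ima-sha256.cfg" <<'EOF'
CONFIG_CRYPTO_SHA256=y
CONFIG_IMA_SIG_TEMPLATE=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_DEFAULT_HASH="sha256"
EOF
  cat > "$dir/files/ima-sha256.scc" <<'EOF'
define KFEATURE_DESCRIPTION "IMA ima-sig template with sha256 default hash"
define KFEATURE_COMPATIBILITY all
kconf non-hardware ima-sha256.cfg
EOF
  # Ship both files; naming the .scc in KERNEL_FEATURES makes it apply after
  # every plain fragment, and makes the build complain if it cannot be applied.
  cat > "$dir/linux-yocto_%.bbappend" <<'EOF'
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += "file://ima-sha256.scc file://ima-sha256.cfg"
KERNEL_FEATURES:append = " ima-sha256.scc"
EOF
}

# check_fragment_applied .config FRAGMENT: print every option of FRAGMENT
# whose value in .config differs (or is absent); return 1 if any did.
check_fragment_applied() {
  config="$1"; fragment="$2"; rc=0
  while IFS= read -r line; do
    case "$line" in
      CONFIG_*=*)                opt="${line%%=*}" ;;
      "# CONFIG_"*" is not set") opt="${line#\# }"; opt="${opt%% is not set}" ;;
      *) continue ;;   # comments and blank lines
    esac
    # Match only the exact symbol: "CONFIG_IMA_DEFAULT_HASH=" must not
    # match CONFIG_IMA_DEFAULT_HASH_SHA256.
    got=$(grep -E "^(# )?$opt(=| is not set)" "$config" | head -n 1)
    if [ "$got" != "$line" ]; then
      printf '%s: fragment wants "%s", .config has "%s"\n' \
        "$opt" "$line" "${got:-<absent>}"
      rc=1
    fi
  done < "$fragment"
  return $rc
}
```

Point check_fragment_applied at the .config in the kernel's build directory under tmp/work after the build; bitbake's own do_kernel_configcheck task reports the same kind of mismatch for fragments it applied.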
Thread overview (5+ messages):
2025-04-02 12:32 Yocto Kirkstone IMA Kernel Flags #kernel #kirkstone - miriam.rico
2025-04-03 12:12 ` Re: [yocto] Yocto Kirkstone IMA Kernel Flags - Gyorgy Sarvari
2025-04-03 15:56 ` Re: [yocto] Yocto Kirkstone IMA Kernel Flags - Bruce Ashfield [this message]
2025-04-07 8:02 ` Re: [yocto] Yocto Kirkstone IMA Kernel Flags - miriam.rico
2025-04-30 15:03 ` Re: [yocto] Yocto Kirkstone IMA Kernel Flags - miriam.rico