From: akuster808 <akuster808@gmail.com>
To: Jose Quaresma <quaresma.jose@gmail.com>, yocto@lists.yoctoproject.org
Cc: stefanb@linux.ibm.com, Jose Quaresma <jose.quaresma@foundries.io>
Subject: Re: [yocto] [meta-security][PATCH 1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch"
Date: Wed, 10 May 2023 07:44:35 -0400
Message-ID: <c636e528-ca65-dae0-e772-2c43afd16ff3@gmail.com>
In-Reply-To: <20230509185631.3182570-1-jose.quaresma@foundries.io>
On 5/9/23 2:56 PM, Jose Quaresma wrote:
> This reverts commit 9de807705b27b05bbf84e9f16502fe6cdaa8928f.
>
> The full patchset overrides the do_configure task and also adds a kernel patch
> in meta-integrity/recipes-kernel/linux/linux_ima.inc, and this file is included
> in every recipe that follows the pattern starting with linux- (recipes-kernel/linux/linux-%.bbappend).
> So the patch fails in some recipes, and the do_configure task doesn't make sense either.
> This breaks many recipes like linux-firmware and maybe others.
I fail to see how this package update is part of the issue above. I am
still trying to sort out the store here to figure out how we move forward.
- armin
>
> Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
> ---
> ...ation-using-ioctl-when-evm_portable-.patch | 35 -------------------
> ...-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} | 9 ++---
> 2 files changed, 2 insertions(+), 42 deletions(-)
> delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_1.5.bb => ima-evm-utils_1.4.bb} (71%)
>
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> deleted file mode 100644
> index 3624576..0000000
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch
> +++ /dev/null
> @@ -1,35 +0,0 @@
> -From 00ace817c5134d9844db387cadb9517ebad43808 Mon Sep 17 00:00:00 2001
> -From: Stefan Berger <stefanb@linux.ibm.com>
> -Date: Tue, 18 Apr 2023 11:43:55 -0400
> -Subject: [PATCH] Do not get generation using ioctl when evm_portable is true
> -
> -If a signatures is detected as being portable do not attempt to read the
> -generation with the ioctl since in some cases this may not be supported
> -by the filesystem and is also not needed for computing a portable
> -signature.
> -
> -This avoids the current work-around of passing --generation 0 when the
> -ioctl is not supported by the filesystem.
> -
> -Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ----
> - src/evmctl.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/evmctl.c b/src/evmctl.c
> -index 6d2bb67..c35a28c 100644
> ---- a/src/evmctl.c
> -+++ b/src/evmctl.c
> -@@ -376,7 +376,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> - if (mode_str)
> - st.st_mode = strtoul(mode_str, NULL, 10);
> -
> -- if (!evm_immutable) {
> -+ if (!evm_immutable && !evm_portable) {
> - if (S_ISREG(st.st_mode) && !generation_str) {
> - int fd = open(file, 0);
> -
> ----
> -2.39.2
> -
> -
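Review bot: the reason given for this revert (a do_configure override and a kernel patch pulled in through linux_ima.inc) does not touch anything in this hunk, which only deletes the evmctl fix that guards the generation ioctl with `!evm_immutable && !evm_portable`. Dropping that fix brings back the `--generation 0` work-around on filesystems that do not support the ioctl, which is exactly what the deleted commit message says it was removing. Suggest either keeping 0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch or stating in the commit message why the evmctl change has to go together with the kernel-side changes.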
> diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> similarity index 71%
> rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> index 8ac080c..873aeeb 100644
> --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.5.bb
> +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
> @@ -6,13 +6,8 @@ DEPENDS += "openssl attr keyutils"
>
> DEPENDS:class-native += "openssl-native keyutils-native"
>
> -FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
> -
> -SRC_URI = " \
> - https://github.com/mimizohar/ima-evm-utils/releases/download/v${PV}/${BP}.tar.gz \
> - file://0001-Do-not-get-generation-using-ioctl-when-evm_portable-.patch \
> -"
> -SRC_URI[sha256sum] = "45f1caa3ad59ec59a1d6a74ea5df38c413488cd952ab62d98cf893c15e6f246d"
> +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
> +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
>
> inherit pkgconfig autotools features_check
>
>
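Review bot: this hunk does more than restore the old recipe: the fetch location moves from the GitHub release tarball back to sourceforge and the sha256sum changes with it, so the new `fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1` should be re-verified against the upstream 1.4 release before merging rather than taken from the reverted commit's parent. Dropping `FILESEXTRAPATHS:append` is fine once the only `file://` entry is gone, but the hunk also silently downgrades ima-evm-utils from 1.5 to 1.4 while the commit message only discusses do_configure and the kernel patch; a sentence on why the version bump itself has to be undone would make the revert reviewable on its own.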