basesystem-jjsandbox/ToshikazuOhiwa/master-jj

recipes

1 files changed, 31 insertions, 0 deletions

diff --git a/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
new file mode 100644
index 00000000..dacdc8bf
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -0,0 +1,31 @@
+# This recipe creates a module for the initramfs-framework in OE-core
+# which initializes IMA by loading a policy before transferring
+# control to the init process in the rootfs. The advantage over having
+# that init process doing the policy loading (which systemd could do)
+# is that already the integrity of the init binary itself will be
+# checked by the kernel.
+
+SUMMARY = "IMA module for the modular initramfs system"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima-policy-hashed"
+
+SRC_URI = " file://ima"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+    install -d ${D}/${sysconfdir}/ima
+    install -d ${D}/init.d
+    install ${WORKDIR}/ima  ${D}/init.d/20-ima
+}
+
+FILES_${PN} = "/init.d ${sysconfdir}"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"