Diffstat (limited to 'external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb')
-rw-r--r-- | external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
new file mode 100644
index 00000000..dacdc8bf
--- /dev/null
+++ b/external/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -0,0 +1,31 @@
+# This recipe creates a module for the initramfs-framework in OE-core
+# which initializes IMA by loading a policy before transferring
+# control to the init process in the rootfs. The advantage over having
+# that init process doing the policy loading (which systemd could do)
+# is that already the integrity of the init binary itself will be
+# checked by the kernel.
+
+SUMMARY = "IMA module for the modular initramfs system"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+# This policy file will get installed as /etc/ima/ima-policy.
+# It is located via the normal file search path, so a .bbappend
+# to this recipe can just point towards one of its own files.
+IMA_POLICY ?= "ima-policy-hashed"
+
+SRC_URI = " file://ima"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
+do_install () {
+ install -d ${D}/${sysconfdir}/ima
+ install -d ${D}/init.d
+ install ${WORKDIR}/ima ${D}/init.d/20-ima
+}
+
+FILES_${PN} = "/init.d ${sysconfdir}"
+
+RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} += "initramfs-framework-base"  |
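Review bot: The comment above `IMA_POLICY ?= "ima-policy-hashed"` says the policy file is found on the file search path and installed as /etc/ima/ima-policy, but `do_install` only creates `${sysconfdir}/ima`, and the value is used solely as a package name in `RDEPENDS_${PN} = "keyutils ${IMA_POLICY}"`. A `.bbappend` that follows the comment and points `IMA_POLICY` at a local file would therefore produce an initramfs with no policy in it. Whether the `ima` init script (not shown in this hunk) stops the boot when the file is missing should be confirmed. I would reword the comment to something like `# IMA_POLICY names the package that ships /etc/ima/ima-policy; it is pulled in through RDEPENDS, not installed by this recipe.` and consider failing the build when the variable is empty. Separately, `install ${WORKDIR}/ima ${D}/init.d/20-ima` relies on the default mode; writing `install -m 0755` makes the script's permissions explicit.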