diff mbox series

[meta-security,5/8] Revert "ima: Rename IMA_EVM_POLICY_SYSTEMD to IMA_EVM_POLICY"

Message ID 20230509185631.3182570-5-jose.quaresma@foundries.io
State New
Headers show
Series [meta-security,1/8] Revert "ima-evm-utils: Update ima-evm-utils to v1.5 and add a patch" | expand

Commit Message

Jose Quaresma May 9, 2023, 6:56 p.m. UTC
This reverts commit 292b49342cb47da59525a44227598cf136311e1b.

The full patchset are overriding the do_configure task and also added a kernel patch
on meta-integrity/recipes-kernel/linux/linux_ima.inc and this file is included
in every recipe that follows the pattern pattern starting by linux- (recipes-kernel/linux/linux-%.bbappend).
So the patch fails in some recipes and also do_configure task doesn't make sense.
This breaks many recipes like linux-firmware and maybe others.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
---
 meta-integrity/README.md                      | 2 +-
 meta-integrity/classes/ima-evm-rootfs.bbclass | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 816b40d..eae1c57 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -187,7 +187,7 @@  IMA policy loading became broken in systemd 2.18. The modified systemd
 changes. To activate policy loading via systemd, place a policy file
 in `/etc/ima/ima-policy`, for example with:
 
-    IMA_EVM_POLICY = "${INTEGRITY_BASE}/data/ima_policy_simple"
+    IMA_EVM_POLICY_SYSTEMD = "${INTEGRITY_BASE}/data/ima_policy_simple"
 
 To check that measuring works, look at `/sys/kernel/security/ima/ascii_runtime_measurements`
 
diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integrity/classes/ima-evm-rootfs.bbclass
index 6902d69..3cb0d07 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -69,10 +69,10 @@  ima_evm_sign_rootfs () {
     find ${IMA_EVM_ROOTFS_HASHED} | xargs -d "\n" --no-run-if-empty --verbose evmctl ima_hash
 
     # Optionally install custom policy for loading by systemd.
-    if [ "${IMA_EVM_POLICY}" ]; then
+    if [ "${IMA_EVM_POLICY_SYSTEMD}" ]; then
         install -d ./${sysconfdir}/ima
         rm -f ./${sysconfdir}/ima/ima-policy
-        install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
+        install "${IMA_EVM_POLICY_SYSTEMD}" ./${sysconfdir}/ima/ima-policy
     fi
 }