meta-security: subtree update:4c2f7ffd49..e8c9e69c80

Armin Kuster (3):
      meta-security: Add gatesgarth to LAYERSERIES_COMPAT
      gitlab-ci: add meta-hardening build image
      gitlab-ci: add building meta-security-compliance pkgs

Sajjad Ahmed (1):
      layer.conf: use += instead of := to update BBFILES

Signed-off-by: Andrew Geissler <[email protected]>
Change-Id: Id5439f3fdfc88fe3c987ee3c8cb7d3ed6a5a6a22

meta-security/.gitlab-ci.yml

@@ -136,6 +136,16 @@ qemuarm64-musl:
   script:
   - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
 
+qemux86-harden:
+  extends: .build
+  script:
+  - kas build --target harden-image-minimal kas/$CI_JOB_NAME.yml 
+
+qemux86-comp:
+  extends: .build
+  script:
+  - kas build --target security-build-image kas/$CI_JOB_NAME.yml 
+
 qemux86-test:
   extends: .build
   allow_failure: true

meta-security/conf/layer.conf

@@ -9,6 +9,6 @@ BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
 BBFILE_PRIORITY_security = "8"
 
-LAYERSERIES_COMPAT_security = "dunfell"
+LAYERSERIES_COMPAT_security = "gatesgarth"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

meta-security/kas/kas-security-base.yml

@@ -10,6 +10,7 @@ repos:
       meta-tpm:
       meta-integrity:
       meta-security-compliance:
+      meta-hardening:
 
   poky:
     url: https://git.yoctoproject.org/git/poky

meta-security/kas/qemux86-comp.yml

@@ -0,0 +1,11 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-compliance: |
+    IMAGE_INSTALL_append = " lynis"
+    IMAGE_INSTALL_append = " openscap openscap-daemon scap-security-guide"
+
+machine: qemux86

meta-security/kas/qemux86-harden.yml

@@ -0,0 +1,10 @@
+header:
+  version: 8
+  includes:
+    - kas-security-base.yml
+
+local_conf_header:
+  meta-security: |
+    DISTRO = "harden"
+
+machine: qemux86

meta-security/meta-hardening/conf/layer.conf

@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_harden-layer = "10"
 
-LAYERSERIES_COMPAT_harden-layer = "dunfell"
+LAYERSERIES_COMPAT_harden-layer = "gatesgarth"
 
 LAYERDEPENDS_harden-layer = "core openembedded-layer"

meta-security/meta-integrity/conf/layer.conf

@@ -2,8 +2,7 @@
 BBPATH =. "${LAYERDIR}:"
 
 # We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
-            ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
             ${LAYERDIR}/recipes-*/*/*.bbappend"
 
 BBFILE_COLLECTIONS += "integrity"
@@ -21,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
 
-LAYERSERIES_COMPAT_integrity = "dunfell"
+LAYERSERIES_COMPAT_integrity = "gatesgarth"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
 

meta-security/meta-security-compliance/conf/layer.conf

@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_scanners-layer = "10"
 
-LAYERSERIES_COMPAT_scanners-layer = "dunfell"
+LAYERSERIES_COMPAT_scanners-layer = "gatesgarth"
 
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
 

meta-security/meta-security-isafw/conf/layer.conf

@@ -14,4 +14,4 @@ LAYERVERSION_security-isafw = "1"
 
 LAYERDEPENDS_security-isafw = "core"
 
-LAYERSERIES_COMPAT_security-isafw = "dunfell"
+LAYERSERIES_COMPAT_security-isafw = "gatesgarth"

meta-security/meta-tpm/conf/layer.conf

@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "10"
 
-LAYERSERIES_COMPAT_tpm-layer = "dunfell"
+LAYERSERIES_COMPAT_tpm-layer = "gatesgarth"
 
 LAYERDEPENDS_tpm-layer = " \
     core \