combining trusted/security layers


Trevor Woerner
 

Hi everyone, and thanks for all the feedback that's been given already.

I think it would be a great idea if we could get the various trusted/security
layers working together on one layer instead of having separate efforts. As
far as I'm aware, there are currently 3 such layers:

meta-measured (http://layers.openembedded.org/layerindex/branch/master/layer/meta-measured/)
meta-security (http://layers.openembedded.org/layerindex/branch/master/layer/meta-security/)
meta-secure-core (http://layers.openembedded.org/layerindex/branch/master/layer/meta-secure-core/)

I personally am most familiar with meta-measured, and I'm mostly only
interested in tpm2 on an RPi3B+.

In an effort to try to help gather the data required to jumpstart this
conversation, I've created a simple google doc that lists these three layers,
their recipes, and provides the results of building against 2 MACHINEs:

intel-corei7-64 (from meta-intel)
raspberrypi3 (from meta-raspberrypi)

https://docs.google.com/spreadsheets/d/1AlH0Q0lGC3idwyFLSt7df09sIXkBuv191fVESUA-oQY/edit?usp=sharing

Please have a look. This spreadsheet is very simple, and only looks at
recipes, it does not include any information about various bbappends, nor
kernel configurations, packagegroups, classes, sample images, etc...

meta-measured is a plain, straight-forward layer that contains recipes.

meta-security contains recipes, but also contains 2 sub-layers:
- meta-tpm
- meta-security-compliance

meta-secure-core is a meta-layer, containing no recipes itself, but collecting
together a set of sub-layers:
- meta
- meta-encrypted-storage
- meta-integrity
- meta-efi-secure-boot
- meta-ids
- meta-signing-key
- meta-tpm
- meta-tpm2

From what is presented in the spreadsheet, in my opinion, I don't think it'll
be too hard to get everything in one layer. Surprisingly, there isn't a lot of
overlap. Therefore, all the unique bits from each layer can simply be added to
the one chosen layer. The only real overlap is in the tpm stuff, and that
should be easy to update once in the chosen layer.

The easiest way to combine the layers would be to make meta-security another
sub-layer of meta-secure-core. But I think that might be too simplistic.
meta-security includes a hodgepodge of user-space tools and daemons for
doing miscellaneous security things (recipes-security). meta-secure-core tries
to break logical activities into their own layers (i.e. meta-ids for intrusion
detection systems, meta-integrity for integrity measurement architecture
(ima), etc). If it would be possible to categorize all of the recipes in
meta-security's recipes-security directory, then maybe we could start
distributing them into meta-secure-core and/or creating spaces for them?

Thoughts?

Best regards,
Trevor

Join openembedded-architecture@lists.openembedded.org to automatically receive all group messages.