Re: combining trusted/security layers

Randy MacLeod

On 05/24/2018 05:26 PM, Trevor Woerner wrote:
Hi everyone, and thanks for all the feedback that's been given already.
I think it would be a great idea if we could get the various trusted/security
layers working together on one layer instead of having separate efforts. As
far as I'm aware, there are currently 3 such layers:
From what is presented in the spreadsheet, in my opinion, I don't think it'll
be too hard to get everything in one layer. Surprisingly, there isn't a lot of
overlap. Therefore, all the unique bits from each layer can simply be added to
the one chosen layer. The only real overlap is in the tpm stuff, and that
should be easy to update once in the chosen layer.
The easiest way to combine the layers would be to make meta-security another
sub-layer of meta-secure-core. But I think that might be too simplistic.
meta-security includes a hodgepodge of user-space tools and daemons for
doing miscellaneous security things (recipes-security). meta-secure-core tries
to break logical activities into their own layers (i.e. meta-ids for intrusion
detection systems, meta-integrity for integrity measurement architecture
(ima), etc). If it would be possible to categorize all of the recipes in
meta-security's recipes-security directory, then maybe we could start
distributing them into meta-secure-core and/or creating spaces for them?

Adding Jia, who I've been talking with about our discussion on the
YP tech call yesterday. Hopefully he'll get his email situation
fixed and can carry on without me being a relay node.

Email from Jia:

My email client has a filter problem on receiving emails from gmail for
an unknown reason (not a proxy issue) so I cannot directly reply to him. Could
you do me a favor and copy my reply to there?

-- reply --

I'm pleased to see this move. And it sounds great to combine all in one
with a unified design model. Meanwhile, it is effective to avoid the
duplicated work on maintainability. Additionally, it also gives a
fine-grained degree on the selection of a subset of features from the big

Categorizing the recipes in meta-security may be the hardest work in the
whole move. I took a quick glance at the list (thanks to Trevor!) and a
big catalog would be penetration test (meta-penetration-test?). We need
more catalogs to cover the remaining tools. Definitely, the naming
scheme for me is a challenge.

Regarding meta-tpm1/2, we could consider cherry-picking one among the 3
layers as the baseline and moving the trivial parts in the recipes from the
other 2 layers into the baseline. Other conflicting recipes would follow the
same methodology.


# Randy MacLeod
# Wind River Linux
