# yocto-hardened — meta-custom

**Author:** roastercode — Aurelien DESBRIERES `<aurelien@hackers.camp>`

**Repository:** https://github.com/roastercode/yocto-hardened (BitBake, MIT license)

Custom Yocto layer (meta-custom) implementing progressive security hardening
on top of Yocto Styhead (5.1) with the `poky-hardened` distro.

Study project: from a minimal hardened image to a fully hardened OS,
then a production-grade HPC cluster with a fault-tolerant filesystem.

---

## Repository Branches

| Branch | Description | Target | Status |
|--------|-------------|--------|--------|
| `main` | Base hardening D1-D7, reference branch | QEMU x86-64 | stable |
| `ext4-dm-verity-selinux` | ext4 + dm-verity + SELinux enforcing | BeagleBone Black | stable |
| `squashfs-selinux-permissive` | SquashFS + SELinux permissive + dm-verity | BeagleBone Black | stable |
| `yocto-hpc` | KVM HPC cluster — Slurm 25.11.4 (x86-64) | QEMU/KVM | archived |
| `arm64-ftrfs` | **Active** — arm64 HPC + FTRFS filesystem | QEMU arm64 / KVM | **active** |

### Branch relationships

```
main  ──────────────────────────────────────── base hardening D1-D7
  ├── ext4-dm-verity-selinux ──────────────── dm-verity + SELinux enforcing
  ├── squashfs-selinux-permissive ──────────── squashfs + dm-verity
  ├── yocto-hpc (archived) ─────────────────── HPC x86-64 precursor
  └── arm64-ftrfs (ACTIVE) ─────────────────── arm64 + FTRFS + HPC
```

**`arm64-ftrfs` is the primary development branch.** It contains:
- FTRFS out-of-tree kernel module (RS FEC, CRC32, Radiation Event Journal)
- Slurm 25.11.4 HPC cluster (1 master + 3 compute nodes)
- Full benchmark procedure and reproducible deployment scripts
- All recent hardening fixes and documentation

See the [arm64-ftrfs branch](https://github.com/roastercode/yocto-hardened/tree/arm64-ftrfs)
and the [FTRFS kernel filesystem](https://github.com/roastercode/FTRFS).

---

## Hardening Levels (D1–D10)

| Level | Measure | main | ext4-dm-verity | squashfs | yocto-hpc | arm64-ftrfs |
|-------|---------|------|----------------|----------|-----------|-------------|
| D1 | Compiler flags (SSP, FORTIFY, RELRO, PIE) | ✅ | ✅ | ✅ | ✅ | ✅ |
| D2 | No debug-tweaks + hashed root password | ✅ | ✅ | ✅ | ✅ | ✅ |
| D3 | Read-only rootfs + overlayfs-etc | ✅ | ✅ | ✅ | ✅ | ✅ |
| D4 | CVE checking (NVD database) | ✅ | ✅ | ✅ | ✅ | ✅ |
| D5 | Custom hardened distro (poky-hardened) | ✅ | ✅ | ✅ | ✅ | ✅ |
| D6 | SELinux (refpolicy-targeted) | permissive | enforcing | permissive | permissive | permissive |
| D7 | dm-verity kernel support | ✅ | ✅ | ✅ | ✅ | ✅ |
| D8 | dm-verity bootloader integration | 🔧 | 🔧 | ✅ | N/A | 🔧 |
| D9 | FTRFS RS FEC on data partition | ❌ | ❌ | ❌ | ❌ | ✅ |
| D10 | IMA/EVM runtime file integrity | 🔲 | 🔲 | 🔲 | 🔲 | 🔲 |
| D11 | Secure Boot | 🔲 | 🔲 | 🔲 | 🔲 | 🔲 |

---

## This Branch — `main`

Base hardening reference point. Minimal hardened image for QEMU x86-64.

### Layer contents

- `poky-hardened` distro (CVE checking, SELinux, no x11, no debug-tweaks)
- `custom-image` hardened image (read-only rootfs, overlayfs-etc)
- `hello-custom` example recipe
- `dm-verity-image.bbclass` — dm-verity support class

### Host Requirements

| Tool | Version |
|------|---------|
| GCC | 15.2.1 |
| Python | 3.11.15 |
| glibc | 2.42 |
| Git | 2.52.0 |

### Setup

Add the layers to `bblayers.conf` and select the distro in `local.conf`:

```
# bblayers.conf: layers required by custom-image
BBLAYERS += " \
  /path/to/meta-custom \
  /path/to/meta-openembedded/meta-oe \
  /path/to/meta-openembedded/meta-python \
  /path/to/meta-selinux \
"

# local.conf: select the hardened distro
DISTRO = "poky-hardened"
```

Then create the credentials file from the example (never commit the real file):

```bash
cp recipes-core/images/credentials.inc.example \
   recipes-core/images/credentials.inc
# Generate the hashed root password to paste into credentials.inc
openssl passwd -6 "yourpassword"
# Each $ in the hash must be escaped as \$ in the BitBake file
```

### Build

```bash
source oe-init-build-env build-qemu-x86
bitbake custom-image
runqemu qemux86-64 nographic
```

---

## License

MIT — see `LICENSE`.

## Maintainer

Aurelien DESBRIERES `<aurelien@hackers.camp>`