-
Overview
-
redpesk OS releases
-
Security updates
-
Application Framework Manager
-
Application Framework Binder
-
APIs & Services
-
Security manager
-
OP-TEE within redpesk
-
Trusted Boot
-
Recovery features
-
redpak
-
Minimal image
- Reduce image size
- Optimizing boot time
-
Kernel fragments description
- Introduction to Linux Kernel Configuration
- 01 Disable IPC, Timers and Audit
- 02 Disable Kconfig, Scheduler and Initrd
- 03 Disable Perf, Profiling and Errata
- 04 Disable EFI, Power Management Debug and Energy Model
- 05 Disable Schedutil, CPUFreq Governors and Virtualization
- 06 Disable Kprobes and Jump Labels
- 07 Disable GCC Plugins and Function Alignment
- 08 Disable Partition Parsers
- 09 Enable Inline Spinlocks and Kernel Operations
- 10 Disable Swap, Memory Hotplug and KSM
- 11 Disable Networking IPv4, IPv6, Netfilter
- 12 Disable SCTP, VLAN, TIPC, BATMAN
- 13 Disable Wireless, Bluetooth, CAN and RFKILL
- 14 Disable PCI and Firmware
- 15 Disable GNSS and ProcEvents
- 16 Disable Block Storage NBD and AoE
- 17 Disable EEPROM and Misc Drivers
- 18 Disable Network Device Drivers
- 19 Disable PHY Drivers
- 20 Disable PPP, WLAN Coexistence, and Failover
- 21 Disable Input Devices
- 22 Disable Serial, TTY and TPM
- 23 Disable I2C, Power and Sensor Drivers
- 24 Disable MFD, Display and Media Drivers
- 25 Disable USB, Sound, RTC and VirtIO
- 26 Disable Filesystem Encodings and Compatibility
- 27 Enable Minimal Cryptographic Core with SHA3 and XTS
- 28 Disable Hardware Cryptography, Keep DRBG and Jitter Entropy
- 29 Disable Kernel Debugging Features
- 30 Disable Filesystem Verity and SecurityFS
-
Zephyr in Redpesk
-
PERM-CHECK extension
-
Mender redpesk (OTA)
-
Hardware support
- Download images
- Image metrics
- Trusted Boot
- Boards - ARM64
- Boards - x86_64
- Boards - Virtual
- Miscs
Daemons of the application framework
Introduction
The application framework of redpesk provides two services running in background as daemons. They ensure that operations use correctly the security framework and that applications are executed in the correct security context.
-
afmpkg-installerd: this daemon installs and removes applications. It is automatically called when dnf installs or removes applications. It automatically stops after an inactivity period.
-
afm-system-daemon: this daemon handles life cycle of installed application: listing, starting, stopping. It can be accessed through the command line utility afm-util.
afm-system-daemon
The daemon afm-system-daemon is accessible through redpesk micro-service architecture using either the binder afb-binder, the client library libafbcli or the programs afb-client and afm-util.
It is installed as a systemd service and started automatically on need.
It can also be started, restarted, stopped, checked using systemctl
as below:
$ systemctl status afm-system-daemon
List of applications
At start afm-system-daemon scans the directories containing applications and load in memory a list of available applications accessible by current user.
afm-system-daemon provides the data it collects about applications to its clients. Clients may either request the full list of available applications or a more specific information about a given application.
Starting applications
afm-system-daemon starts application by using systemd. Systemd builds a secure environment for the application before starting it.
Once launched, running instances of application receive a runid that identify them. On previous versions, the runid had a special meaning. The current version uses the linux PID of the launched process as runid.
List of running applications
afm-system-daemon manages the list of applications that it launched.
When owning the right permissions, a client can get the list of running instances and details about a specific running instance. It can also terminate a given application.
afmpkg-installerd
The daemon afmpkg-installerd is activated by the dnf’s plugin named redpesk when it detects that the installed or removed package is an afmpkg.
After being used, if afmpkg-installerd is not used for 5 minutes, it automatically stops.
Installing applications
afmpkg-installerd reads the metadata of the installed package and check it.
When metadata are wrong, the installation is cancelled.
Otherwise, when metadata are valid, afmpkg-installerd contacts the security manager to setup the system security for the installed application.
After installing or removing an application, afmpkg-installerd sends to afm-system-daemon a signal telling it to update its applications database.
Removing applications
afmpkg-installerd contacts the security manager to cleanup the security rules for the removed application and to remove their security setup.