Exein Pulsar

Pulsar is a powerful and modular runtime security observability framework for the IoT, based on eBPF.

The Pulsar security framework can be added to existing Yocto images by adding the meta-exein layer.

The meta-exein layer depends on meta-openembedded/meta-oe, meta-rust-bin, and on these system tools:

  • clang >= 13

  • llvm-strip >= 13

These instructions are applicable to IoT Yocto v24.1 which is based on Kirkstone (Yocto 4.0). For later versions of Yocto, such as Yocto 5.0 Scarthgap, the meta-rust-bin layer is not needed.

Note

MediaTek has worked with Exein to make meta-exein compatible with meta-mediatek-bsp. For business inquiries and technical support, please contact Exein directly.

Prepare Yocto Build Environment

Prepare a Yocto build environment for your product images.

If you don’t have a working build environment yet and would like to evaluate Pulsar on Genio EVK, follow Get Started with IoT Yocto and build rity-demo-image. This creates a build directory containing the Yocto build environment.

The steps below assume that the build environment is in the build directory.

Add Pulsar to Your Yocto Image

Add Exein Layer

  1. Install system dependencies on your build machine. Example for Debian/Ubuntu:

apt-get install clang llvm
  2. Run the following command to download the meta-exein layer:

git clone https://github.com/exein-io/meta-exein.git -b kirkstone $PROJ_ROOT/src/meta-exein
  3. Clone dependency layer meta-openembedded/meta-oe:

git clone https://github.com/openembedded/meta-openembedded.git -b kirkstone $PROJ_ROOT/src/meta-openembedded
  4. Clone dependency layer meta-rust-bin:

git clone https://github.com/rust-embedded/meta-rust-bin $PROJ_ROOT/src/meta-rust-bin

Add Necessary Layers

  1. Add meta-exein and meta-openembedded layers to build/conf/bblayers.conf

<absolute_path_to_rity>/meta-openembedded/meta-oe \
<absolute_path_to_rity>/meta-exein \

and, for Yocto Kirkstone only:

<absolute_path_to_rity>/meta-rust-bin \

Add Necessary Configurations

  1. Add the necessary configurations to the bottom of build/conf/local.conf

IMAGE_INSTALL:append = " pulsar"
DISTRO_FEATURES:append = " btf"

Build Image

If you already have your own Yocto image recipe, simply build your image.

If you are evaluating on Genio EVK, follow Get Started with IoT Yocto and build rity-demo-image.

Running Pulsar

The following filesystems must be mounted: tracefs, securityfs and cgroup2. If they are not currently mounted, you can mount them by running the following commands as root:

mount tracefs:

mount -t tracefs tracefs /sys/kernel/tracing

mount securityfs:

mount -t securityfs securityfs /sys/kernel/security

mount cgroup2:

mount -t cgroup2 cgroup2 /sys/fs/cgroup
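
The mount checks above as a re-runnable pre-flight script. This is an added example, not part of the original page or the Pulsar project; it matches on the exact mount points given above, and the function names missing_fs and ensure_fs and the "apply" argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Pulsar project): pre-flight check for the
# filesystems pulsard needs. Function names and "apply" are hypothetical.

# Required mounts as listed on this page, one "fstype mountpoint" per line.
REQUIRED_FS="tracefs /sys/kernel/tracing
securityfs /sys/kernel/security
cgroup2 /sys/fs/cgroup"

# missing_fs MOUNTS_FILE
# Prints "fstype mountpoint" for every required filesystem that has no entry
# with exactly that type and mount point in MOUNTS_FILE, which uses the
# /proc/mounts layout: device mountpoint fstype options dump pass.
missing_fs() {
    printf '%s\n' "$REQUIRED_FS" | while read -r fstype mnt; do
        if ! awk -v t="$fstype" -v m="$mnt" \
            '$2 == m && $3 == t { found = 1 } END { exit !found }' "$1"
        then
            printf '%s %s\n' "$fstype" "$mnt"
        fi
    done
}

# ensure_fs MOUNTS_FILE [apply]
# Dry run by default: prints the mount command for each missing filesystem.
# With "apply" (root required) it runs them and returns non-zero on failure.
ensure_fs() {
    missing_fs "$1" | (
        rc=0
        while read -r fstype mnt; do
            if [ "${2:-}" = apply ]; then
                mount -t "$fstype" "$fstype" "$mnt" || rc=1
            else
                echo "mount -t $fstype $fstype $mnt"
            fi
        done
        exit "$rc"
    )
}

# Already-mounted filesystems are left untouched, so this is safe to re-run.
ensure_fs /proc/mounts "${1:-}"
```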

To start Pulsar, run the following command as root:

pulsard
[2024-11-29T12:15:45Z INFO  pulsar::pulsard::daemon] Starting module rules-engine
[2024-11-29T12:15:45Z INFO  pulsar::pulsard::daemon] Starting module process-monitor
[2024-11-29T12:15:46Z INFO  pulsar::pulsard::daemon] Starting module file-system-monitor
[2024-11-29T12:15:46Z INFO  pulsar::pulsard::daemon] Starting module threat-logger

To check the status of the daemon, run the following as root in another terminal:

pulsar status
+---------------------+---------+
| MODULE              | STATUS  |
+=====================+=========+
| desktop-notifier    | Created |
+---------------------+---------+
| file-system-monitor | Running |
+---------------------+---------+
| network-monitor     | Created |
+---------------------+---------+
| process-monitor     | Running |
+---------------------+---------+
| rules-engine        | Running |
+---------------------+---------+
| smtp-notifier       | Created |
+---------------------+---------+
| threat-logger       | Running |
+---------------------+---------+

Note

The rule files under /var/lib/pulsar/rules/ should be considered generic examples only. You can customize the rule files to fit your system by adding exceptions to the default behavior.

For more information, and for learning how to interact with the Pulsar agent, please refer to the documentation available here.