
Re: No SELinux security context (/etc/crontab)

Mark Hatle
 

The SE Linux policy included in meta-selinux is just a starting point. It's
expected that you will have to update/customize it.

With that said, these types of issues, we will accept patches for them.

--Mark

On 10/10/19 5:06 AM, Oriya, Raxesh wrote:
Hi,

I have enabled SELinux in my yocto project (warrior branch) but *cron* is not
functioning because of some SELinux context issue. I am using *minimum* SELinux
policy. Here is the error from `/var/log/messages`:

    Oct  9 04:50:01 panther2 cron.info crond[261]: ((null)) No SELinux security context (/etc/crontab)
    Oct  9 04:50:01 panther2 cron.info crond[261]: (root) FAILED (loading cron table)

Here are some contexts for relevant files,

    root@panther2:~# ps -efZ | grep cron
    system_u:system_r:kernel_t:s0   root       464     1  0 04:54 ?    00:00:00 /usr/sbin/crond -n

    root@panther2:~# ls -lZ /etc/crontab
    -rw-------. 1 root root system_u:object_r:unconfined_t:s0 653 Oct  9  2019 /etc/crontab

    root@panther2:~# ls -lZ /usr/sbin/crond
    -rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 68160 Oct  9  2019 /usr/sbin/crond

Any help? Thanks !!

 

Regards,

Thanks
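A triage check for the symptoms in the report above, as an added example that is not part of the original thread: it parses `ps -efZ` and `ls -lZ` lines and flags contexts that point at a filesystem that was never labeled for the loaded policy. The sample lines are copied from the message; the function names, the rule set and the `DOMAIN_TYPES` list are assumptions made for this sketch.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind target setype reason")

# Lines copied from the report above (ps -efZ and ls -lZ output, unwrapped).
SAMPLE = """\
system_u:system_r:kernel_t:s0   root       464     1  0 04:54 ?    00:00:00 /usr/sbin/crond -n
-rw-------. 1 root root system_u:object_r:unconfined_t:s0 653 Oct  9  2019 /etc/crontab
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 68160 Oct  9  2019 /usr/sbin/crond
"""

# Assumption: types the reference policy uses for processes, not for files.
DOMAIN_TYPES = {"kernel_t", "init_t", "initrc_t", "unconfined_t"}

# First column of an `ls -l` line, with the optional '.'/'+' xattr/ACL marker.
PERM_RE = re.compile(r"^[-dlcbps][-rwxsStT]{9}[.+]?$")


def parse_context(text):
    """Split user:role:type:level; the level may itself contain ':' (MCS)."""
    parts = text.split(":", 3)
    if len(parts) != 4 or not parts[2].endswith("_t"):
        return None
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_line(line):
    """Return (kind, target, context) for one ps -Z or ls -Z line, else None."""
    fields = line.split()
    if len(fields) >= 10 and PERM_RE.match(fields[0]):
        # ls -lZ: perms links owner group CONTEXT size month day year path
        ctx = parse_context(fields[4])
        return ("file", line.split(None, 9)[9].strip(), ctx) if ctx else None
    if len(fields) >= 9:
        # ps -efZ: CONTEXT uid pid ppid c stime tty time cmd...
        ctx = parse_context(fields[0])
        return ("process", line.split(None, 8)[8].strip(), ctx) if ctx else None
    return None


def triage(text):
    """Flag contexts that suggest missing labels or missing domain transitions."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, target, ctx = parsed
        setype = ctx["type"]
        if kind == "file" and setype == "unlabeled_t":
            reason = "no valid label for the loaded policy"
        elif kind == "file" and setype in DOMAIN_TYPES:
            reason = "file carries a process domain type"
        elif kind == "process" and setype == "kernel_t" and target.startswith("/"):
            # Kernel threads show up as [name]; a path means a userspace program.
            reason = "userspace program still in kernel_t (no domain transition)"
        else:
            continue
        findings.append(Finding(kind, target, setype, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:8} {f.target:22} {f.setype:14} {f.reason}")
```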


Re: Partitioning SD cards

Andy Pont
 

I wrote...

I have created a “wic” directory in my custom layer and copied sdimage-bootpart.wks into it as sdimage-project.wks without making any changes but “wic list image” throws an error with the new .wks file:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb0 in position 37: invalid start byte
Ignore that, I deleted the directory and tried again and it is OK now!

-Andy.


Re: Partitioning SD cards

Andy Pont
 

Maciej wrote...

How do I stop the wic generation process including the FAT formatted “boot” partition?
This depends on the wic (.wks) file you are using.
I have been using the default one (sdimage-bootpart.wks)?

What is the best strategy for partitioning / formatting / mounting the second partition as /home?  Should it be part of the image build process or a one-time task run at first boot?
Use --exclude-path and --rootfs-dir flags in the .wks file.
You can look at my example, where I extract one subdir from rootfs (/storage in this case) on a separate partition.
https://github.com/3mdeb/meta-rte/blob/master/wic/sunxi-mmc-spl.wks
I have created a “wic” directory in my custom layer and copied sdimage-bootpart.wks into it as sdimage-project.wks without making any changes but “wic list image” throws an error with the new .wks file:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xb0 in position 37: invalid start byte

-Andy.


Re: [opkg-devel] [OE-core][opkg-utils ] Bug 13528 : adding SPDX license identifier

Yann CARDAILLAC
 

Hi,

GPL-2.0-only was applied to scripts without a previous licence and GPL-2.0-or-later to those mentioning it; however, I'm wondering if I should also add an SPDX ID to the Makefile?

Here's a first attempt, without an identifier added to the Makefile.

Best regards,



On Fri, Oct 11, 2019 at 6:45 PM <richard.purdie@...> wrote:
On Fri, 2019-10-11 at 15:54 +0000, Alejandro Del Castillo wrote:
> On 10/11/19 8:51 AM, Ycn aKaJoseph wrote:
> > Hi guys,
> >
> > https://bugzilla.yoctoproject.org/show_bug.cgi?id=13528
> >
> > I'm about to work on that bug; however, most of the scripts in the opkg-utils
> > dir are un-licenced and there's no hint for me to decide what SPDX
> > Identifier to add.
>
> thanks for doing this!
>
> > The doubt concerns these scripts:
> > makePackage
> > opkg-build
> > opkg-buildpackage
> > opkg-compare-indexes
> > opkg-diff
> > opkg-extract-file
> > opkg-graph-deps
> > opkg-list-fields
> > opkg-make-index
> > opkg-show-deps
> > opkg-unbuild
> > opkg-update-index
> >
> > What license do you want them to carry ?
>
> Looking at the commit history, opkg-graph-deps was authored by Haris
> Okanovic, and the rest by Richard Purdie (included them on the
> thread).
>
> My take on it:  since opkg is licensed as GPLv2+, and the files that
> have a license in opkg-utils are GPLv2+, make sense to me to license
> the rest as GPLv2+ too.

I didn't author these, they were imported from ipkg-utils which was
part of handhelds.org. I did modify things quite a bit during the
import.

handhelds.org's CVS repos aren't there any more but I do have old
sources lying around locally. I have a snapshot of the CVS repo from
20050930 and it has GPLv2 COPYING file (not 2+, just 2).

I'd suggest we follow the original licensing of that and go with GPLv2.

Cheers,

Richard





Re: Partitioning SD cards

Maciej Pijanowski
 


On 14.10.2019 14:13, Andy Pont wrote:
Hello,

I am working on a custom platform where U-Boot will be programmed into an SPI NOR flash device and the ext4 file systems will be in a removable microSD card.  The Linux kernel itself will be stored in the /boot directory of the root file system.

The customer wants the (16GB) microSD card formatted as 1GB to mount at / and the remaining 15GB mounted as /home.

In the recipe for my image I have defined the following to try to create a suitable image for writing to the microSD card:

IMAGE_FSTYPES_append = " wic"
IMAGE_ROOTFS_SIZE = "1048576"

The image file that is being created is bigger than 1GB even though the root file system is only a little over 450MB.  Looking at the contents of what gets written to the microSD card this looks as though it is, in part, because it also includes the ~20MB “boot” partition containing the boot files.

A couple of questions…

How do I stop the wic generation process including the FAT formatted “boot” partition?
This depends on the wic (.wks) file you are using.

What is the best strategy for partitioning / formatting / mounting the second partition as /home?  Should it be part of the image build process or a one-time task run at first boot?
Use --exclude-path and --rootfs-dir flags in the .wks file.
You can look at my example, where I extract one subdir from rootfs (/storage in this case) on a separate partition.
https://github.com/3mdeb/meta-rte/blob/master/wic/sunxi-mmc-spl.wks

The rootfs parts should be named somewhere, like in distro config: https://github.com/3mdeb/meta-rte/blob/master/conf/distro/rte.conf#L50

-Andy.



-- 
Maciej Pijanowski
Embedded Systems Engineer
GPG: F1401D2E1CCB19EF
https://3mdeb.com | @3mdeb_com


Partitioning SD cards

Andy Pont
 

Hello,

I am working on a custom platform where U-Boot will be programmed into an SPI NOR flash device and the ext4 file systems will be in a removable microSD card.  The Linux kernel itself will be stored in the /boot directory of the root file system.

The customer wants the (16GB) microSD card formatted as 1GB to mount at / and the remaining 15GB mounted as /home.

In the recipe for my image I have defined the following to try to create a suitable image for writing to the microSD card:

IMAGE_FSTYPES_append = " wic"
IMAGE_ROOTFS_SIZE = "1048576"

The image file that is being created is bigger than 1GB even though the root file system is only a little over 450MB.  Looking at the contents of what gets written to the microSD card this looks as though it is, in part, because it also includes the ~20MB “boot” partition containing the boot files.

A couple of questions…

How do I stop the wic generation process including the FAT formatted “boot” partition?

What is the best strategy for partitioning / formatting / mounting the second partition as /home?  Should it be part of the image build process or a one-time task run at first boot?

-Andy.



Re: Where to get kconfig-frontends package?

Matouš Pokorný <matous.pokorny@...>
 

Hello!

Thank you very much for the helpful answer. So, we switch the source to this.

Matous Pokorny
Embedded System Developer

DataVision s.r.o.
Ukrajinska 2a
101 00 Praha 10
Czech Republic

GSM: (+420) 723 280 471


On Thu, 10 Oct 2019 at 11:07, Peter Kjellerstedt <peter.kjellerstedt@...> wrote:

I have been in contact with Yann E Morin, the maintainer of the kconfig-frontends repository, and it turns out his server did not survive their last move of house. However, he pointed out that he has published the code to GitLab and recommended to use that repository instead: https://gitlab.com/ymorin/kconfig-frontends

 

I will send a patch to the openembedded-devel list to update the recipe to use the GitLab repository.

 

//Peter

 

From: yocto-bounces@... <yocto-bounces@...> On Behalf Of Matouš Pokorný
Sent: 26 September 2019 14:02
To: yocto@...
Subject: [yocto] Where to get kconfig-frontends package?

 

Hello!

 

I come from NuttX RTOS project (nuttx.org), and we use Kconfig tool for configuration. The toolchain build script gets kconfig-frontends source code from the same server as Yocto (http://ymorin.is-a-geek.org). The server is down for approx. one week and it caused the fail during the toolchain building. Have you met this problem as well? We would like to switch to another more reliable repository, but I read, the server's owner is one of the Linux core developers. So the server is a kind of primary source. Do you have a suggestion on how to solve this problem? I would like to ask you for help because you know the Linux ecosystem and are in the same situation as we are.

 

Thank you.

Matous Pokorny
Embedded System Developer

DataVision s.r.o.
Ukrajinska 2a
101 00 Praha 10
Czech Republic

GSM: (+420) 723 280 471


Re: Kernel patches pulled from BSP definition file are not applied

Diego Santa Cruz
 

From: Bruce Ashfield <bruce.ashfield@...>

On Fri, Oct 11, 2019 at 1:11 PM Diego Santa Cruz
<Diego.SantaCruz@...> wrote:
Can anyone provide some advice as to what would be the recommended way
to apply kernel patches listed in a mybsp-patches.scc file for a BSP?
The way to do this, is to put your BSP definition file on the SRC_URI, and if you
are including the standard/ktype or any of the other common kernel meta data
files, you need to inhibit any included meta data from adding patches to the
patch queue (since they are already applied to the kernel).

As an example, here's a 'myqemux86-64.scc' file that I use as a test:

---------------
define KMACHINE myqemux86-64
define KARCH x86
define KTYPE standard

include ktypes/standard.scc nopatch

patch foo.patch
-------------

When that is on the SRC_URI, it will be found as the BSP definition, and you'll get
"foo.patch" in the patch queue .. but importantly *not* all of the patches that
make up the ktypes/standard.scc (and includes). If you aren't using linux-yocto,
or you aren't building on top of a kernel repository with integrated patches, then
don't add the 'nopatch', since you'd want any found patches to be applied at
build time.
I'm using linux-intel.


I thought we had documented the nopatch directive in the yocto mega manual,
but I just checked the kernel meta data section and I don't see it. I'll follow up
and try to figure out where that documentation went ... and get it added if it is
missing.
BTW, the existing documentation about nocfg under https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#kernel-types is not very clear and from what I got from the spp tool's code the nocfg directive is always inherited and the "inherit" keyword seems to be ignored. There is also the "force" option to kconf which is not documented.

Out of curiosity, how were you getting your BSP definition to be located by the
do_metadata function (there are a few different ways) ?
(since you need at least one .scc file or kernel-meta structure on the SRC_URI to
get it added to the search path). If you were adding it to the SRC_URI directly
and the patches weren't being applied, then that's a bug.
My explanation was probably a bit short. I'm using recipe-space metadata as explained at https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#recipe-space-metadata, although the explanation there is a bit short and I could not make it work until I saw the working example in the meta-xilinx layer if I remember well.

I am using linux-intel (from the meta-intel layer), I have set MACHINE="fukiran" (KMACHINE gets the same value) and I have this in my bbappend.

FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI_append = " file://spx-intel-kmeta;type=kmeta;destsuffix=spx-intel-kmeta"

The recipe-space metadata tree is as follows

files/
`-- spx-intel-kmeta
    |-- backports
    |   `-- drivers
    |       |-- 0001-tty-Add-NULL-TTY-driver.patch
    |       |-- null-tty.cfg
    |       `-- null-tty.scc
    |-- bsp
    |   `-- spx-intel
    |       |-- 0001-platform-x86-spx-fukiran-info-new-driver-for-Spineti.patch
    |       |-- fukiran.cfg
    |       |-- fukiran-patches.scc
    |       |-- fukiran.scc
    |       `-- fukiran-standard.scc
    |-- cfg
    |   `-- fs
    |       |-- squashfs.cfg
    |       `-- squashfs.scc
    `-- features
        |-- media
        |   |-- media-cec.cfg
        |   `-- media-cec.scc
        `-- wifi
            |-- atheros-10k-pci.cfg
            `-- atheros-10k-pci.scc

The BSP definition file fukiran-standard.scc with the content below is thus located automatically (I followed the best I can the instructions in the Yocto docs to write the BSP definition file, although I did not quite get what is the "branch" directive for, I guess it is used when composing a kernel repo tree).

# fukiran-standard.scc
#
# Standard ktype for Fukiran (Apollo Lake SoC).
#

define KMACHINE fukiran
define KARCH x86_64
define KTYPE standard

include ktypes/standard/standard.scc
branch fukiran

include bsp/intel-common/intel-common-drivers.scc
include bsp/intel-common/intel-corei7-64.scc
include fukiran.scc

And fukiran.scc is

kconf hardware fukiran.cfg

patch 0001-platform-x86-spx-fukiran-info-new-driver-for-Spineti.patch

include features/media/media-cec.scc

A short description of what is happening behind the scenes. The kernel meta-
data is used in two ways: to construct a new kernel repo from scratch (i.e. when
I start a new reference kernel version, or when building on top of a non
integrated repository) and to construct a configuration for the kernel. Patches
and config data are kept together, so everything you need for a feature is in one
place. When you are building, the meta data gathering routine is running in that
2nd mode. Hence why the BSP definition is not used for patching, but is only
used to generate the configuration queue. Only elements on the SRC_URI are
always added to the patch queue .. since those patches are not already applied
to the base repo (and if they are, you shouldn't have them on the SRC_URI and
you'll get a patch error) .. There's even a longer winded explanation about how
the original build processing attempted to detected which patches weren't
already applied ... and was horribly complex and fragile, hence why the
simpler/split processing I described is used.
I see, that was the key bit of information I was lacking: that the patches are already applied in the linux-yocto repo, so they need to be skipped when building.

As in my case the BSP specific patches are not applied to the kernel repo then I should add the BSP definition file to SRC_URI. I have thus changed my bbappend to have

FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
SRC_URI_append = " file://spx-intel-kmeta;type=kmeta;destsuffix=spx-intel-kmeta"
SRC_URI_append_fukiran = " file://spx-intel-kmeta/bsp/spx-intel/fukiran-${LINUX_KERNEL_TYPE}.scc"

And also tweaked fukiran-standard.scc to have this line

include ktypes/standard/standard.scc nopatch

Let me know if that tweak doesn't work (and if you can, supply your BSP
definition / layer) .. since there may be a bug (see my comment on what you had
on your SRC_URI above and how your bsp definition was being located).
With the above tweaks it does work as expected and I understand why :-) There's no bug I can see, just the documentation which is a bit lacking or hard to follow.

BTW, the linux-intel kernel repo does not have the patches from ktypes/standard/standard.scc applied and they are not being applied during build either (I do not see any scc file with patches being added to SRC_URI or KERNEL_FEATURES in the linux-intel recipe and in my test none are added to the patch queue), so it appears that the meta-intel layer has decided to build without those patches.

Many thanks for the long explanation which made things clear!

Best,

Diego

Cheers,

Bruce



Adding the “mybsp-patches.scc” file to KERNEL_FEATURES works for me, but
seems a bit awkward given that there is a BSP definition scc file. It feels more
natural to include the mybsp-patches.scc from the BSP definition scc file, but
that does not work for me, the patches are ignored.



Thanks,



Diego

--
Diego Santa Cruz, PhD
Technology Architect
T +41 21 341 15 50
diego.santacruz@...
spinetix.com



From: yocto-bounces@... <yocto-bounces@...>
On Behalf Of Diego Santa Cruz
Sent: 09 October 2019 23:58
To: yocto@...
Subject: [yocto] Kernel patches pulled from BSP definition file are
not applied



Hello there,



I am trying to add a few BSP specific kernel patches for my BSP and I wanted
to pull them from the BSP definition scc file. However, I cannot get those
patches applied (I am using thud). After looking around the kernel-yocto.bbclass
it seems that patches which get pulled from the BSP definition file are ignored.
What is the rationale behind that behavior? How should I go about it?



To be more specific I have the following structure within my (recipe-space)
kernel metadata.



bsp
`-- mybsp
    |-- mypatch.patch
    |-- mybsp.cfg
    |-- mybsp.scc
    `-- mybsp-standard.scc



The mybsp-standard.scc is the BSP definition file, which includes
mybsp.scc (among other things). The mybsp.scc file looks as follows



kconf hardware mybsp.cfg

patch mypatch.patch



The mypatch.patch file does not get applied when building the kernel,
I checked and it is not added to the patch.queue file. But if I add
the following to the recipe



KERNEL_FEATURES += " bsp/mybsp/mybsp.scc"



Then the patch is added to patch.queue and is applied.



Looking into do_kernel_metadata in kernel-yocto.bbclass it parses the scc files
in two steps, run1 and run2.



The run1 step uses elements="`echo -n ${bsp_definition} ${sccs} ${patches}
${KERNEL_FEATURES}`" and generates cfg, merge and meta, so that picks up the
mybsp.scc file contents, but this step does not generate the patch queue.



The run2 step uses elements="`echo -n ${sccs} ${patches}
${KERNEL_FEATURES}`" and generates the patch queue, but this only includes
the scc files in SRC_URI and KERNEL_FEATURES, but specifically leaves out the
BSP definition file.



Adding the mybsp.scc file to KERNEL_FEATURES to get this to work seems a bit
odd. What is the recommended way of applying BSP specific kernel patches?



Thanks,



Diego

--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com



--
_______________________________________________
yocto mailing list
yocto@...
https://lists.yoctoproject.org/listinfo/yocto


--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
its end
- "Use the force Harry" - Gandalf, Star Trek II
--
Diego Santa Cruz, PhD
Technology Architect
spinetix.com
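A toy model of the behaviour worked out in this thread, as an added example (it is not the kernel-yocto.bbclass or spp code): run1 builds the config queue from the BSP definition plus everything on SRC_URI and KERNEL_FEATURES, run2 builds the patch queue without the BSP definition, and `nopatch` on an include drops the patches of the included file and its own includes. The .scc contents are trimmed from the ones posted above; `standard.cfg`, `standard-only.patch` and all function names are constructed for the illustration.

```python
STANDARD_PATCH = "standard-only.patch"  # constructed stand-in for ktype patches
BSP_PATCH = "0001-platform-x86-spx-fukiran-info-new-driver-for-Spineti.patch"
BSP_DEF = "fukiran-standard.scc"


def make_files(nopatch):
    """Trimmed copies of the .scc files from the thread, keyed by include path."""
    suffix = " nopatch" if nopatch else ""
    return {
        "ktypes/standard/standard.scc": (
            "kconf non-hardware standard.cfg\n"
            f"patch {STANDARD_PATCH}\n"
        ),
        BSP_DEF: (
            "# Standard ktype for Fukiran\n"
            "define KMACHINE fukiran\n"
            "define KARCH x86_64\n"
            "define KTYPE standard\n"
            f"include ktypes/standard/standard.scc{suffix}\n"
            "branch fukiran\n"
            "include fukiran.scc\n"
        ),
        "fukiran.scc": (
            "kconf hardware fukiran.cfg\n"
            f"patch {BSP_PATCH}\n"
        ),
    }


def parse_scc(name, files, inhibit_patches=False, seen=None):
    """Return (configs, patches) contributed by one .scc file and its includes."""
    seen = set() if seen is None else seen
    if name in seen:  # already processed in this run, or an include loop
        return [], []
    seen.add(name)
    configs, patches = [], []
    for raw in files[name].splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        keyword, args = words[0], words[1:]
        if keyword == "kconf":
            configs.append(args[-1])
        elif keyword == "patch":
            if not inhibit_patches:
                patches.append(args[0])
        elif keyword == "include":
            # nopatch is inherited by everything below the include
            child_inhibit = inhibit_patches or "nopatch" in args[1:]
            c, p = parse_scc(args[0], files, child_inhibit, seen)
            configs += c
            patches += p
        # define, branch and other directives do not affect either queue here
    return configs, patches


def build_queues(bsp_definition, src_uri_sccs, kernel_features, files):
    """Model the two passes: run1 -> config queue, run2 -> patch queue."""
    run1 = [bsp_definition] + src_uri_sccs + kernel_features
    run2 = src_uri_sccs + kernel_features  # BSP definition deliberately absent
    configs, seen = [], set()
    for element in run1:
        configs += parse_scc(element, files, seen=seen)[0]
    patches, seen = [], set()
    for element in run2:
        patches += parse_scc(element, files, seen=seen)[1]
    return configs, patches


if __name__ == "__main__":
    cases = {
        "BSP definition located via kmeta only": ([], [], False),
        "fukiran.scc added to KERNEL_FEATURES": ([], ["fukiran.scc"], False),
        "BSP definition on SRC_URI, nopatch": ([BSP_DEF], [], True),
        "BSP definition on SRC_URI, no nopatch": ([BSP_DEF], [], False),
    }
    for label, (sccs, features, nopatch) in cases.items():
        cfg, patches = build_queues(BSP_DEF, sccs, features, make_files(nopatch))
        print(f"{label}: configs={cfg} patches={patches}")
```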


Re: download.yoctoproject.org - Certificate expired

Nicolas Dechesne
 

hi Guilhem,

On Sun, Oct 13, 2019 at 12:00 PM Guilhem Saurel <guilhem.saurel@...> wrote:

Hi,

The certificate installed on https://download.yoctoproject.org expired about 4
days ago. Is anyone else experiencing the same issue? Is a new certificate going
to be installed ?
thanks for reporting the issue. We will be looking into it!


Thanks,
Guilhem.


Re: [layerindex-web] [PATCH 0/3] Some misc changes/fixes..

Paul Eggleton
 

Hi Mark

On Sunday, 13 October 2019 2:56:30 PM NZDT Mark Hatle wrote:
A few misc changes/fixes. The first two are well tested. However, I suspect
the 3/3 may be incorrect and I've labeled it an RFC due to this.

1/3 - '.' wasn't allowed in branch names w/o an error. This turned out
to be a fairly simple fix.

2/3 - For people who want to use 'poky' repository and not bitbake +
openembedded-core. I've tested this locally in both configurations.

3/3 - When I was testing, my local git mirror is broken up with
directories that are called 'git.openembedded.org' and 'git.yoctoproject.org'
due to this, the system was matching and locking out the edit layer
vcs_web_url submissions... so I tried to make it better.. but I'm not
sure it's right.

Mark Hatle (3):
layerindex/urls.py: Allow branches with a '.' in the name
update.py: Allow bitbake to live in a subdirectory of a repository
editlayer: Be more specific on the searches
Thanks, I merged these - I did make a minor change to 2/3 to allow it to work
if BITBAKE_PATH doesn't appear in settings.py (I try to do this when adding
new settings in case the user doesn't add the default to their edited settings
file).

Cheers
Paul

--

Paul Eggleton
Intel System Software Products


Re: [warrior 0/3] Pull request

Armin Kuster
 

ping

On 10/6/19 8:40 AM, Armin Kuster wrote:
Please merge these changes to meta-yocto warrior

The following changes since commit c16082ffa61f485e120670fbdf075f3fa8597494:

poky.conf: Bump version for 2.7.1 warrior release (2019-06-30 22:41:39 +0100)

are available in the git repository at:

git://git.yoctoproject.org/poky-contrib meta-yocto/stable/warrior-next
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=meta-yocto/stable/warrior-next

Kevin Hao (1):
meta-yocto-bsp: Bump to the latest stable kernel for all the BSP

Ross Burton (2):
conf/poky: add debian-10 to the supported distribution list
conf/poky: add Fedora 30 and Opensuse Leap 15.1 to supported
distributions

meta-poky/conf/distro/poky.conf | 3 +++
.../recipes-kernel/linux/linux-yocto_4.19.bbappend | 20 ++++++++++----------
.../recipes-kernel/linux/linux-yocto_5.0.bbappend | 20 ++++++++++----------
3 files changed, 23 insertions(+), 20 deletions(-)


Re: [thud][PATCH] linux-yocto/4.14: meta-yocto-bsp update to 143

Armin Kuster
 

ping.

On 10/9/19 8:09 AM, Armin Kuster wrote:
Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-kernel/linux/linux-yocto_4.14.bbappend | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
index 426757e..5277798 100644
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
@@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"

-SRCREV_machine_genericx86 ?= "5252513a39b4b3773debab1f77071d7c430ecb10"
-SRCREV_machine_genericx86-64 ?= "5252513a39b4b3773debab1f77071d7c430ecb10"
-SRCREV_machine_edgerouter ?= "d8fb40cd0e99325715c70aed6f361a8318097829"
-SRCREV_machine_beaglebone-yocto ?= "c67809688bd22cb4cb909bcf1a1045e6337c3229"
-SRCREV_machine_mpc8315e-rdb ?= "258ee8228e0a512c6dbe2a0dadcd9f030ba45964"
+SRCREV_machine_genericx86 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_genericx86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_edgerouter ?= "326e296f237347e965a38acb34f09e594430b0c6"
+SRCREV_machine_beaglebone-yocto ?= "1b8c86329c9dbb10b8fcaeb2dceb75680994cd84"
+SRCREV_machine_mpc8315e-rdb ?= "f26672ec1f164b0f2a15d629128a91093f971bdd"

COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
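Review bot: The five SRCREV_machine_* values replaced in this hunk come with no commit message body, so there is nothing to say which linux-yocto branches or tags the new hashes were taken from. Please add a short description naming the source branches, so the revisions can be checked against the version bump later in the file.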
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"

-LINUX_VERSION_genericx86 = "4.14.98"
-LINUX_VERSION_genericx86-64 = "4.14.98"
-LINUX_VERSION_edgerouter = "4.14.98"
-LINUX_VERSION_beaglebone-yocto = "4.14.98"
-LINUX_VERSION_mpc8315e-rdb = "4.14.98"
+LINUX_VERSION_genericx86 = "4.14.143"
+LINUX_VERSION_genericx86-64 = "4.14.143"
+LINUX_VERSION_edgerouter = "4.14.143"
+LINUX_VERSION_beaglebone-yocto = "4.14.143"
+LINUX_VERSION_mpc8315e-rdb = "4.14.143"
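Review bot: LINUX_VERSION moves from 4.14.98 to 4.14.143 for all five machines in one step, and the message carries only a Signed-off-by line. A sentence stating that this is a stable update and confirming that each machine's new SRCREV is actually at 4.14.143 would let a reviewer accept the jump without rebuilding every BSP.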


download.yoctoproject.org - Certificate expired

Guilhem Saurel <guilhem.saurel@...>
 

Hi,

The certificate installed on https://download.yoctoproject.org expired about 4
days ago. Is anyone else experiencing the same issue? Is a new certificate going
to be installed ?

Thanks,
Guilhem.


Re: [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

hongxu
 

On 10/13/19 5:22 AM, Mark Hatle wrote:
The original goal of this work was to enable a FIPS-140-2 OpenSSL module. Why
is NSS part of this?

Is something inside of the OpenSSL patches requesting NSS support, or is this a
different -- but related request?
No, there is no relation between openssl and nss, but when the kernel enables
fips (by passing the boot param `fips=1`), nss fips is enabled and triggers the issue.

It seems all of them are part of a fips system: fips includes kernel and userspace,
and fips 140-2 is also part of it.

//Hongxu

--Mark

On 10/12/19 3:17 AM, Hongxu Jia wrote:
Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
macro limitation to fips enable test, currently we are not ready
to support nss fips

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia <hongxu.jia@...>
---
.../nss/nss/0001-conditionally-enable-fips.patch | 93 ++++++++++++++++++++++
recipes-support/nss/nss_3.%.bbappend | 4 +
recipes-support/nss/nss_fips.inc | 4 +
3 files changed, 101 insertions(+)
create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
create mode 100644 recipes-support/nss/nss_3.%.bbappend
create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 0000000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@...>
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@...>
+---
+ nss/coreconf/config.mk | 2 ++
+ nss/lib/freebl/nsslowhash.c | 2 +-
+ nss/lib/pk11wrap/pk11util.c | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 ++++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
++++ b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
++++ b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
++++ b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+ if (d != '1')
+ return PR_FALSE;
+ return PR_TRUE;
++#else
++ return PR_FALSE;
++#endif
+ }
+
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+--
+2.7.4
+
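Review bot: In the nsssysinit.c part of the embedded patch, the new `#else` branch makes getFIPSMode() return PR_FALSE whenever NSS_FORCE_FIPS is not defined, and the `#if defined LINUX && defined NSS_FORCE_FIPS` guards in nsslowhash.c and pk11util.c skip the existing check in the same way, so a default build no longer follows the system FIPS setting. The patch header should say this outright (it currently only says NSS FIPS is not ready to be supported), so that anyone booting with fips=1 knows NSS on the target is deliberately left in non-FIPS mode.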
diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 0000000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
+
+require ${FIPSINC}
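Review bot: The FIPSINC_class-target expression is a double negative (`'' if ... != '1' else 'nss_fips.inc'`) and uses the two-argument `d.getVar(..., True)` form; `'nss_fips.inc' if d.getVar('OPENSSL_FIPS_ENABLED') == '1' else ''` reads more directly. A comment explaining why an NSS change is keyed on OPENSSL_FIPS_ENABLED would also help, since the variable name suggests it only concerns OpenSSL.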
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 0000000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+ file://0001-conditionally-enable-fips.patch \
+"
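Review bot: This include only adds the patch to SRC_URI, while the commit message opens with "Add export NSS_FORCE_FIPS=1"; nothing visible in the series sets or documents that variable. Add a comment here saying where NSS_FORCE_FIPS has to be exported by someone who does want the FIPS checks compiled in.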


[layerindex-web] [PATCH 3/3] RFC: editlayer: Be more specific on the searches

Mark Hatle
 

Just because git.yoctoproject.org is in the URL, doesn't mean we can or
should force the vcs_web_url to be a specific value. If it starts with
git://git.yoctoproject.org then we can do this. git.openembedded.org
already did this.

This also changes github, gitlab and bitbucket references.

Signed-off-by: Mark Hatle <mark.hatle@...>
---
layerindex/tools/import_layer.py | 8 ++++----
layerindex/tools/import_wiki_layers.py | 13 ++++++++++---
templates/layerindex/editlayer.html | 8 ++++----
3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/layerindex/tools/import_layer.py b/layerindex/tools/import_layer.py
index 8fcbc15..ace58e5 100755
--- a/layerindex/tools/import_layer.py
+++ b/layerindex/tools/import_layer.py
@@ -36,27 +36,27 @@ def set_vcs_fields(layer, repoval):
layer.vcs_web_tree_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_file_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_commit_url = 'http://cgit.openembedded.org/' + reponame + '/commit/?id=%hash%'
- elif 'git.yoctoproject.org/' in repoval:
+ elif repoval.startswith('git://git.yoctoproject.org/'):
reponame = re.sub('^.*/', '', repoval)
layer.vcs_web_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame
layer.vcs_web_tree_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_file_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_commit_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/commit/?id=%hash%'
- elif 'github.com/' in repoval:
+ elif repoval.startswith('git://github.com/') or repoval.startswith('http://github.com/') or repoval.startswith('https://github.com/'):
reponame = re.sub('^.*github.com/', '', repoval)
reponame = re.sub('.git$', '', reponame)
layer.vcs_web_url = 'http://github.com/' + reponame
layer.vcs_web_tree_base_url = 'http://github.com/' + reponame + '/tree/%branch%/'
layer.vcs_web_file_base_url = 'http://github.com/' + reponame + '/blob/%branch%/'
layer.vcs_web_commit_url = 'http://github.com/' + reponame + '/commit/%hash%'
- elif 'gitlab.com/' in repoval:
+ elif repoval.startswith('git://gitlab.com/') or repoval.startswith('http://gitlab.com/') or repoval.startswith('https://gitlab.com/'):
reponame = re.sub('^.*gitlab.com/', '', repoval)
reponame = re.sub('.git$', '', reponame)
layer.vcs_web_url = 'http://gitlab.com/' + reponame
layer.vcs_web_tree_base_url = 'http://gitlab.com/' + reponame + '/tree/%branch%/'
layer.vcs_web_file_base_url = 'http://gitlab.com/' + reponame + '/blob/%branch%/'
layer.vcs_web_commit_url = 'http://gitlab.com/' + reponame + '/commit/%hash%'
- elif 'bitbucket.org/' in repoval:
+ elif repoval.startswith('git://bitbucket.org/') or repoval.startswith('http://bitbucket.org/') or repoval.startswith('https://bitbucket.org/'):
reponame = re.sub('^.*bitbucket.org/', '', repoval)
reponame = re.sub('.git$', '', reponame)
layer.vcs_web_url = 'http://bitbucket.org/' + reponame
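Review bot: the git.yoctoproject.org branch now matches only `git://git.yoctoproject.org/`, while the github.com, gitlab.com and bitbucket.org branches below it accept `git://`, `http://` and `https://`. An http:// or https:// URL on git.yoctoproject.org passed the old substring test and now falls through this chain; if that is not intended, give this branch the same three prefixes. Each three-way `or` can also be a single call, since `str.startswith` accepts a tuple: `repoval.startswith(('git://github.com/', 'http://github.com/', 'https://github.com/'))`.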
diff --git a/layerindex/tools/import_wiki_layers.py b/layerindex/tools/import_wiki_layers.py
index baf0c71..71f26ea 100755
--- a/layerindex/tools/import_wiki_layers.py
+++ b/layerindex/tools/import_wiki_layers.py
@@ -100,20 +100,27 @@ def main():
layer.vcs_web_tree_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_file_base_url = 'http://cgit.openembedded.org/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_commit_url = 'http://cgit.openembedded.org/' + reponame + '/commit/?id=%hash%'
- elif 'git.yoctoproject.org/' in repoval:
+ elif repoval.startswith('git://git.yoctoproject.org/'):
reponame = re.sub('^.*/', '', repoval)
layer.vcs_web_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame
layer.vcs_web_tree_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_file_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%'
layer.vcs_web_commit_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/commit/?id=%hash%'
- elif 'github.com/' in repoval:
+ elif repoval.startswith('git://github.com/') or repoval.startswith('http://github.com/') or repoval.startswith('https://github.com/'):
reponame = re.sub('^.*github.com/', '', repoval)
reponame = re.sub('.git$', '', reponame)
layer.vcs_web_url = 'http://github.com/' + reponame
layer.vcs_web_tree_base_url = 'http://github.com/' + reponame + '/tree/%branch%/'
layer.vcs_web_file_base_url = 'http://github.com/' + reponame + '/blob/%branch%/'
layer.vcs_web_commit_url = 'http://github.com/' + reponame + '/commit/%hash%'
- elif 'bitbucket.org/' in repoval:
+ elif repoval.startswith('git://gitlab.com/') or repoval.startswith('http://gitlab.com/') or repoval.startswith('https://gitlab.com/'):
+ reponame = re.sub('^.*gitlab.com/', '', repoval)
+ reponame = re.sub('.git$', '', reponame)
+ layer.vcs_web_url = 'http://gitlab.com/' + reponame
+ layer.vcs_web_tree_base_url = 'http://gitlab.com/' + reponame + '/tree/%branch%/'
+ layer.vcs_web_file_base_url = 'http://gitlab.com/' + reponame + '/blob/%branch%/'
+ layer.vcs_web_commit_url = 'http://gitlab.com/' + reponame + '/commit/%hash%'
+ elif repoval.startswith('git://bitbucket.org/') or repoval.startswith('http://bitbucket.org/') or repoval.startswith('https://bitbucket.org/'):
reponame = re.sub('^.*bitbucket.org/', '', repoval)
reponame = re.sub('.git$', '', reponame)
layer.vcs_web_url = 'http://bitbucket.org/' + reponame
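Review bot: the gitlab.com branch added in this hunk is new behaviour for import_wiki_layers.py, not a tightening of an existing test, so the subject "Be more specific on the searches" does not cover it and the commit message should say so. It is also a line-for-line copy of the branch in import_layer.py's set_vcs_fields(); one shared helper would keep the two scripts in sync. The added `re.sub('.git$', '', reponame)` repeats the unescaped dot from the context lines, so a repository name that ends in any character followed by 'git' (for example one ending in 'digit') is truncated; `r'\.git$'` is what is meant.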
diff --git a/templates/layerindex/editlayer.html b/templates/layerindex/editlayer.html
index a06c317..dd95ea3 100644
--- a/templates/layerindex/editlayer.html
+++ b/templates/layerindex/editlayer.html
@@ -204,7 +204,7 @@
this.vcs_web_commit_url = 'http://cgit.openembedded.org/' + reponame + '/commit/?id=%hash%'
this.vcs_web_type = 'cgit'
}
- else if( repoval.indexOf('git.yoctoproject.org/') > -1 ) {
+ else if( repoval.startsWith('git://git.yoctoproject.org/') ) {
reponame = repoval.replace(/^.*\//, '')
this.vcs_web_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame
this.vcs_web_tree_base_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/tree/%path%?h=%branch%'
@@ -212,7 +212,7 @@
this.vcs_web_commit_url = 'http://git.yoctoproject.org/cgit/cgit.cgi/' + reponame + '/commit/?id=%hash%'
this.vcs_web_type = 'cgit'
}
- else if( repoval.indexOf('github.com/') > -1 ) {
+ else if( repoval.startsWith('git://github.com/') ) {
reponame = repoval.replace(/^.*github.com\//, '')
reponame = reponame.replace(/.git$/, '')
this.vcs_web_url = 'http://github.com/' + reponame
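Review bot: in the template the github.com test accepts only `git://github.com/`, and the gitlab.com and bitbucket.org hunks below do the same, whereas the Python import tools in this patch accept `git://`, `http://` and `https://` for those hosts. A layer entered in the edit form with an https:// URL would no longer reach this branch, although the same URL imported by script would. Suggest matching the same three prefixes here, or parsing the URL and comparing the host name so that the form and the scripts share one rule.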
@@ -221,7 +221,7 @@
this.vcs_web_commit_url = 'http://github.com/' + reponame + '/commit/%hash%/'
this.vcs_web_type = '(custom)'
}
- else if( repoval.indexOf('gitlab.com/') > -1 ) {
+ else if( repoval.startsWith('git://gitlab.com/') ) {
reponame = repoval.replace(/^.*gitlab.com\//, '')
reponame = reponame.replace(/.git$/, '')
this.vcs_web_url = 'http://gitlab.com/' + reponame
@@ -230,7 +230,7 @@
this.vcs_web_commit_url = 'http://gitlab.com/' + reponame + '/commit/%hash%/'
this.vcs_web_type = '(custom)'
}
- else if( repoval.indexOf('bitbucket.org/') > -1 ) {
+ else if( repoval.startsWith('git://bitbucket.org/') ) {
reponame = repoval.replace(/^.*bitbucket.org\//, '')
reponame = reponame.replace(/.git$/, '')
this.vcs_web_url = 'http://bitbucket.org/' + reponame
--
2.17.1


[layerindex-web] [PATCH 2/3] update.py: Allow bitbake to live in a subdirectory of a repository

Mark Hatle
 

Add a new BITBAKE_PATH to the settings file to specify the path within the
BITBAKE_REPO_URL where bitbake lives. This is useful when using a combined
repository, such as poky, that contains bitbake, openembedded-core and other
layers.

This change also changes the default path, in the fetch directory, for the
bitbake checkout. It no longer uses the path 'bitbake', but instead uses the
same URL processing as the layer fetching.

There is a side effect that, when using a shared fetch, the branch of the
layer will be used instead of the specified bitbake branch. Generally this
is a reasonable compromise, since in a combined repository bitbake and
openembedded-core component should already match.

Signed-off-by: Mark Hatle <mark.hatle@...>
---
docker/settings.py | 3 +++
layerindex/bulkchange.py | 8 +++++++-
layerindex/layerconfparse.py | 8 +++++++-
layerindex/update.py | 14 +++++++++++---
layerindex/update_layer.py | 6 +++++-
settings.py | 3 +++
6 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/docker/settings.py b/docker/settings.py
index 616b67b..2821d82 100644
--- a/docker/settings.py
+++ b/docker/settings.py
@@ -244,6 +244,9 @@ TEMP_BASE_DIR = "/tmp"
# Fetch URL of the BitBake repository for the update script
BITBAKE_REPO_URL = "git://git.openembedded.org/bitbake"

+# Path within the BITBAKE_REPO_URL, usually empty
+BITBAKE_PATH = ""
+
# Core layer to be used by the update script for basic BitBake configuration
CORE_LAYER_NAME = "openembedded-core"

diff --git a/layerindex/bulkchange.py b/layerindex/bulkchange.py
index f6506ef..ea1f85c 100644
--- a/layerindex/bulkchange.py
+++ b/layerindex/bulkchange.py
@@ -98,7 +98,13 @@ def main():

branch = utils.get_branch('master')
fetchdir = settings.LAYER_FETCH_DIR
- bitbakepath = os.path.join(fetchdir, 'bitbake')
+
+ import layerindex.models import LayerItem
+ bitbakeitem = LayerItem()
+ bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL
+ bitbakepath = os.path.join(fetchdir, bitbakeitem.get_fetch_dir())
+ if settings.BITBAKE_PATH:
+ bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH)

if not os.path.exists(bitbakepath):
sys.stderr.write("Unable to find bitbake checkout at %s" % bitbakepath)
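Review bot: the added line `import layerindex.models import LayerItem` is not valid Python, so bulkchange.py will stop with a SyntaxError before main() runs. layerconfparse.py in this same patch has the intended form, `from layerindex.models import LayerItem`; please fix and run bulkchange.py once before resending.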
diff --git a/layerindex/layerconfparse.py b/layerindex/layerconfparse.py
index 526d2c2..a0b7e1c 100644
--- a/layerindex/layerconfparse.py
+++ b/layerindex/layerconfparse.py
@@ -20,7 +20,13 @@ class LayerConfParse:

if not bitbakepath:
fetchdir = settings.LAYER_FETCH_DIR
- bitbakepath = os.path.join(fetchdir, 'bitbake')
+
+ from layerindex.models import LayerItem
+ bitbakeitem = LayerItem()
+ bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL
+ bitbakepath = os.path.join(fetchdir, bitbakeitem.get_fetch_dir())
+ if settings.BITBAKE_PATH:
+ bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH)
self.bbpath = bitbakepath

# Set up BBPATH.
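Review bot: `os.path.join(bitbakepath, settings.BITBAKE_PATH)` discards everything before it when BITBAKE_PATH starts with '/', and a value containing '..' walks out of the checkout, so a small slip in settings.py makes the tools load bitbake from a directory outside LAYER_FETCH_DIR. Suggest stating in the settings comment that the value is relative to the repository root, and rejecting absolute paths or paths that resolve outside the checkout (os.path.normpath plus a prefix check) at the point where the path is built.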
diff --git a/layerindex/update.py b/layerindex/update.py
index 7faf6b5..57dd830 100755
--- a/layerindex/update.py
+++ b/layerindex/update.py
@@ -268,8 +268,6 @@ def main():
logger.error("Layer index lock timeout expired")
sys.exit(1)
try:
- bitbakepath = os.path.join(fetchdir, 'bitbake')
-
if not options.nofetch:
# Make sure oe-core is fetched since recipe parsing requires it
layerquery_core = LayerItem.objects.filter(comparison=False).filter(name=settings.CORE_LAYER_NAME)
@@ -285,7 +283,17 @@ def main():
if layer.vcs_url not in allrepos:
allrepos[layer.vcs_url] = (repodir, urldir, fetchdir, layer.name)
# Add bitbake
- allrepos[settings.BITBAKE_REPO_URL] = (bitbakepath, "bitbake", fetchdir, "bitbake")
+ if settings.BITBAKE_REPO_URL not in allrepos:
+ bitbakeitem = LayerItem()
+ bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL
+ bitbakeurldir = bitbakeitem.get_fetch_dir()
+ bitbakepath = os.path.join(fetchdir, bitbakeurldir)
+ allrepos[settings.BITBAKE_REPO_URL] = (bitbakepath, bitbakeurldir, fetchdir, "bitbake")
+
+ (bitbakepath, _, _, _) = allrepos[settings.BITBAKE_REPO_URL]
+ if settings.BITBAKE_PATH:
+ bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH)
+
# Parallel fetching
pool = multiprocessing.Pool(int(settings.PARALLEL_JOBS))
for url in allrepos:
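Review bot: the previous hunk removes the `bitbakepath` assignment that sat above `if not options.nofetch:`, and its replacement now lives beside the "# Add bitbake" fetch-list code. If that code is inside the no-fetch conditional (the indentation is not visible here), `bitbakepath` is undefined when the script runs with fetching disabled; please confirm, and compute the path before the conditional if so. When BITBAKE_REPO_URL is already in allrepos the entry keeps the layer's tuple instead of the "bitbake" one, which is the shared-fetch side effect the commit message describes; a short comment at `if settings.BITBAKE_REPO_URL not in allrepos:` would save the next reader the lookup.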
diff --git a/layerindex/update_layer.py b/layerindex/update_layer.py
index 7131d70..f4111bd 100644
--- a/layerindex/update_layer.py
+++ b/layerindex/update_layer.py
@@ -300,7 +300,11 @@ def main():
logger.error("Please set LAYER_FETCH_DIR in settings.py")
sys.exit(1)

- bitbakepath = os.path.join(fetchdir, 'bitbake')
+ bitbakeitem = LayerItem()
+ bitbakeitem.vcs_url = settings.BITBAKE_REPO_URL
+ bitbakepath = os.path.join(fetchdir, bitbakeitem.get_fetch_dir())
+ if settings.BITBAKE_PATH:
+ bitbakepath = os.path.join(bitbakepath, settings.BITBAKE_PATH)

layer = utils.get_layer(options.layer)
urldir = layer.get_fetch_dir()
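Review bot: this is the fourth copy of the LayerItem() / get_fetch_dir() / BITBAKE_PATH sequence in the patch (bulkchange.py, layerconfparse.py, update.py and here). A single helper that returns the bitbake path would keep the four callers from drifting apart and would be the one place to validate BITBAKE_PATH. Unlike the bulkchange.py and layerconfparse.py hunks, this one adds no import for LayerItem, so check that the name is already in scope at this point in main().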
diff --git a/settings.py b/settings.py
index e0f5984..e9bf6cc 100644
--- a/settings.py
+++ b/settings.py
@@ -239,6 +239,9 @@ TEMP_BASE_DIR = "/tmp"
# Fetch URL of the BitBake repository for the update script
BITBAKE_REPO_URL = "git://git.openembedded.org/bitbake"

+# Path within the BITBAKE_REPO_URL, usually empty
+BITBAKE_PATH = ""
+
# Core layer to be used by the update script for basic BitBake configuration
CORE_LAYER_NAME = "openembedded-core"

--
2.17.1


[layerindex-web] [PATCH 1/3] layerindex/urls.py: Allow branches with a '.' in the name

Mark Hatle
 

Without this change the system will fail parsing various URL components

Signed-off-by: Mark Hatle <mark.hatle@...>
---
layerindex/urls.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/layerindex/urls.py b/layerindex/urls.py
index 7f4e545..89e70a2 100644
--- a/layerindex/urls.py
+++ b/layerindex/urls.py
@@ -107,7 +107,7 @@ urlpatterns = [
BulkChangeDeleteView.as_view(
template_name='layerindex/deleteconfirm.html'),
name="bulk_change_delete"),
- url(r'^branch/(?P<branch>[-\w]+)/',
+ url(r'^branch/(?P<branch>[-.\w]+)/',
include('layerindex.urls_branch')),
url(r'^updates/$',
UpdateListView.as_view(
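Review bot: `[-.\w]+` also accepts a value made only of dots, so a request for `branch/../` or `branch/./` now resolves to this route with branch set to '..' or '.'. That is harmless if the captured value is only used for a database lookup, but if it ever reaches a git command or a filesystem path it should be constrained, for example by requiring a leading word character: `(?P<branch>\w[-.\w]*)`. The commit message would also be more useful if it named a branch that failed and the error seen.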
@@ -146,17 +146,17 @@ urlpatterns = [
ClassicRecipeDetailView.as_view(
template_name='layerindex/classicrecipedetail.html'),
name='classic_recipe'),
- url(r'^comparison/recipes/(?P<branch>[-\w]+)/$',
+ url(r'^comparison/recipes/(?P<branch>[-.\w]+)/$',
ClassicRecipeSearchView.as_view(
template_name='layerindex/classicrecipes.html'),
name='comparison_recipe_search'),
- url(r'^comparison/search-csv/(?P<branch>[-\w]+)/$',
+ url(r'^comparison/search-csv/(?P<branch>[-.\w]+)/$',
ClassicRecipeSearchView.as_view(
template_name='layerindex/classicrecipes_csv.txt',
paginate_by=0,
content_type='text/csv'),
name='comparison_recipe_search_csv'),
- url(r'^comparison/stats/(?P<branch>[-\w]+)/$',
+ url(r'^comparison/stats/(?P<branch>[-.\w]+)/$',
ClassicRecipeStatsView.as_view(
template_name='layerindex/classicstats.html'),
name='comparison_recipe_stats'),
@@ -185,11 +185,11 @@ urlpatterns = [
url(r'^stoptask/(?P<task_id>[-\w]+)/$',
task_stop_view,
name='task_stop'),
- url(r'^ajax/layerchecklist/(?P<branch>[-\w]+)/$',
+ url(r'^ajax/layerchecklist/(?P<branch>[-.\w]+)/$',
LayerCheckListView.as_view(
template_name='layerindex/layerchecklist.html'),
name='layer_checklist'),
- url(r'^ajax/classchecklist/(?P<branch>[-\w]+)/$',
+ url(r'^ajax/classchecklist/(?P<branch>[-.\w]+)/$',
BBClassCheckListView.as_view(
template_name='layerindex/classchecklist.html'),
name='class_checklist'),
--
2.17.1


[layerindex-web] [PATCH 0/3] Some misc changes/fixes..

Mark Hatle
 

A few misc changes/fixes. The first two are well tested. However, I suspect
the 3/3 may be incorrect and I've labeled it an RFC due to this.

1/3 - '.' wasn't allowed in branch names w/o an error. This turned out
to be a fairly simple fix.

2/3 - For people who want to use 'poky' repository and not bitbake +
openembedded-core. I've tested this locally in both configurations.

3/3 - When I was testing, my local git mirror is broken up with
directories that are called 'git.openembedded.org' and 'git.yoctoproject.org'.
Due to this, the system was matching and locking out the edit layer
vcs_web_url submissions... so I tried to make it better... but I'm not
sure it's right.

Mark Hatle (3):
layerindex/urls.py: Allow branches with a '.' in the name
update.py: Allow bitbake to live in a subdirectory of a repository
editlayer: Be more specific on the searches

docker/settings.py | 3 +++
layerindex/bulkchange.py | 8 +++++++-
layerindex/layerconfparse.py | 8 +++++++-
layerindex/tools/import_layer.py | 8 ++++----
layerindex/tools/import_wiki_layers.py | 13 ++++++++++---
layerindex/update.py | 14 +++++++++++---
layerindex/update_layer.py | 6 +++++-
layerindex/urls.py | 12 ++++++------
settings.py | 3 +++
templates/layerindex/editlayer.html | 8 ++++----
10 files changed, 60 insertions(+), 23 deletions(-)

--
2.17.1
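
The mismatch described for 3/3 above, where a mirror directory named after an upstream host satisfies the substring test, can also be avoided by parsing the URL and comparing the host name exactly. This is an added example, not part of the patch series or of layerindex-web; the function names, labels and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts special-cased by the patch; the labels are constructed for this example.
KNOWN_HOSTS = {
    "git.yoctoproject.org": "yocto-cgit",
    "github.com": "github",
    "gitlab.com": "gitlab",
    "bitbucket.org": "bitbucket",
}
ALLOWED_SCHEMES = {"git", "http", "https"}


def classify_substring(repoval):
    """Pre-patch rule: the host string may appear anywhere in the URL."""
    for host, label in KNOWN_HOSTS.items():
        if host + "/" in repoval:
            return label
    return None


def classify_by_host(repoval):
    """Compare the parsed host name exactly; the scheme must be an expected one."""
    parts = urlsplit(repoval)
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    return KNOWN_HOSTS.get((parts.hostname or "").lower())


def repo_name(repoval):
    """Repository path below the host, minus a literal '.git' suffix."""
    path = urlsplit(repoval).path.strip("/")
    return path[:-4] if path.endswith(".git") else path


# Constructed sample URLs, not taken from the thread.
SAMPLES = [
    "git://git.yoctoproject.org/poky",
    "git://mirror.example/git.yoctoproject.org/poky",  # local mirror layout
    "https://github.com/example/meta-digit",
    "HTTPS://GitHub.com/example/meta-demo.git",
    "ssh://git@gitlab.com/example/meta-demo.git",
]


def compare(urls=SAMPLES):
    """Return (url, substring result, host result, repo name) for each URL."""
    return [(u, classify_substring(u), classify_by_host(u), repo_name(u))
            for u in urls]


if __name__ == "__main__":
    for row in compare():
        print("%-50s substring=%-10s host=%-10s name=%s" % row)
```

The second sample is the case from the cover letter: the substring rule claims it for git.yoctoproject.org, the host comparison does not.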


Re: [meta-openssl102-fips][PATCH 3/3] nss: conditionally enable fips

Mark Hatle
 

The original goal of this work was to enable a FIPS-140-2 OpenSSL module. Why
is NSS part of this?

Is something inside of the OpenSSL patches requesting NSS support, or is this a
different -- but related request?

--Mark

On 10/12/19 3:17 AM, Hongxu Jia wrote:
Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
macro limitation to fips enable test, currently we are not ready
to support nss fips

...
$ certutil -N -d sql:. --empty-password
|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
with the token or slot.

$rpm -h
|error: Failed to initialize NSS library
...

Signed-off-by: Hongxu Jia <hongxu.jia@...>
---
.../nss/nss/0001-conditionally-enable-fips.patch | 93 ++++++++++++++++++++++
recipes-support/nss/nss_3.%.bbappend | 4 +
recipes-support/nss/nss_fips.inc | 4 +
3 files changed, 101 insertions(+)
create mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
create mode 100644 recipes-support/nss/nss_3.%.bbappend
create mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
new file mode 100644
index 0000000..d11db91
--- /dev/null
+++ b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
@@ -0,0 +1,93 @@
+From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@...>
+Date: Sat, 12 Oct 2019 10:49:28 +0800
+Subject: [PATCH] conditionally enable fips
+
+Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
+macro limitaition to fips enable test, currently we are not ready
+to support nss fips
+
+...
+$ certutil -N -d sql:. --empty-password
+|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
+module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
+with the token or slot.
+
+$rpm -h
+|error: Failed to initialize NSS library
+...
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@...>
+---
+ nss/coreconf/config.mk | 2 ++
+ nss/lib/freebl/nsslowhash.c | 2 +-
+ nss/lib/pk11wrap/pk11util.c | 2 +-
+ nss/lib/sysinit/nsssysinit.c | 4 ++++
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
+index 60a0841..dcca87f 100644
+--- a/nss/coreconf/config.mk
++++ b/nss/coreconf/config.mk
+@@ -179,6 +179,8 @@ endif
+ # executing the startup tests at library load time.
+ ifndef NSS_FORCE_FIPS
+ DEFINES += -DNSS_NO_INIT_SUPPORT
++else
++DEFINES += -DNSS_FORCE_FIPS
+ endif
+
+ ifdef NSS_SEED_ONLY_DEV_URANDOM
+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
+index 22f9781..baf71c3 100644
+--- a/nss/lib/freebl/nsslowhash.c
++++ b/nss/lib/freebl/nsslowhash.c
+@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
+ static int
+ nsslow_GetFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
+index 502c4d0..cd86270 100644
+--- a/nss/lib/pk11wrap/pk11util.c
++++ b/nss/lib/pk11wrap/pk11util.c
+@@ -98,7 +98,7 @@ SECMOD_Shutdown()
+ int
+ secmod_GetSystemFIPSEnabled(void)
+ {
+-#ifdef LINUX
++#if defined LINUX && defined NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
+index bd0fac2..5c09e8d 100644
+--- a/nss/lib/sysinit/nsssysinit.c
++++ b/nss/lib/sysinit/nsssysinit.c
+@@ -168,6 +168,7 @@ getFIPSEnv(void)
+ static PRBool
+ getFIPSMode(void)
+ {
++#ifdef NSS_FORCE_FIPS
+ FILE *f;
+ char d;
+ size_t size;
+@@ -186,6 +187,9 @@ getFIPSMode(void)
+ if (d != '1')
+ return PR_FALSE;
+ return PR_TRUE;
++#else
++ return PR_FALSE;
++#endif
+ }
+
+ #define NSS_DEFAULT_FLAGS "flags=readonly"
+--
+2.7.4
+
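Review bot: with this patch getFIPSMode() in nsssysinit.c returns PR_FALSE, and the file-reading code in nsslow_GetFIPSEnabled() and secmod_GetSystemFIPSEnabled() is compiled only when NSS_FORCE_FIPS is defined at build time, so on a target booted in FIPS mode NSS will run in non-FIPS mode without saying so. As a way past the CKR_DEVICE_ERROR quoted above that may be acceptable, but it should be stated plainly in the commit message and in the recipe, because an image built with the OpenSSL FIPS feature enabled would otherwise be assumed to have NSS in FIPS mode too. The typo "limitaition" in the patch header can be fixed at the same time.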
diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
new file mode 100644
index 0000000..9608ca3
--- /dev/null
+++ b/recipes-support/nss/nss_3.%.bbappend
@@ -0,0 +1,4 @@
+FIPSINC = ""
+FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
+
+require ${FIPSINC}
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
new file mode 100644
index 0000000..b183f55
--- /dev/null
+++ b/recipes-support/nss/nss_fips.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
+SRC_URI += " \
+ file://0001-conditionally-enable-fips.patch \
+"
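Review bot: nss_fips.inc is pulled in when OPENSSL_FIPS_ENABLED is '1', yet all it does is apply a patch whose default effect is to switch NSS FIPS detection off; neither this file nor the bbappend sets NSS_FORCE_FIPS, although the commit message speaks of `export NSS_FORCE_FIPS=1`. Please add a comment here saying that NSS FIPS mode is intentionally left disabled and where NSS_FORCE_FIPS is expected to be set by anyone who wants it, and consider a file name that does not read as "FIPS enabled for NSS".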


Pyro, imx-gpu-viv and libGL.so

Mauro Ziliani
 

Hi all.

I'm working with and kivy and SDL2.

My problem is that the recipe imx-gpu-viv installs libGL.so.1.2. in /usr/lib, while SDL2 is compiled against libGLESv2.

So when I start the SDL application, through some strange behaviour libGL is loaded, which needs libXdamage.

But the BSP is without X and SDL2 fails.


If I remove libGL.so.1.2 and symlink libGLESv2.so to libGL.so.1.2, can this solve my problem?

Is there some recipe which solves this problem?


Mauro
