Re: Custom python location on target #python

felixn1996@...
 

On Mon, Feb 22, 2021 at 04:57 AM, Josef Holzmayr wrote:
> What's the reasoning behind this? If it's meant to be a work-around for
> "my custom software totally wants it in that location", then you're
> probably better off fixing your custom software to stick to canonical
> paths. If it's about partitioning schemes, other techniques might
> apply. If it's about being able to upgrade/modify python independently
> from the system, then you probably want some root-in-root or container
> build. But randomly picking a complex package that has system-wide
> implications and saying "I want it here, screw the FHS" is not a good
> idea usually.

Hi
I am aware that what I am asking for is a bit ugly. 
 
The reason is that I have a small amount of memory at my disposal.  I'm working with a setup with two partitions, a root-fs and an overlayed application file system. None of them has enough space for python.
Therefore I want to install it on the eMMC, which has plenty of space.
So instead of /usr which is on the root/app file system, I would install it under /media/<somewhere> on the mounted eMMC. 
 
But maybe there exists a more elegant solution? 
 
Kind regards, 
Felix


Include "my.conf" in conf/local.conf

Mauro Ziliani
 

Hi all

Is it possible to include a file in local.conf?


MZ


[opkg-utils PATCH v2] Makefile: separate manpages and utils install

Ryan Barnett
 

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

CC: Christian Hermann <mail@hermannch.dev>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
v1 -> v2:
- Leave all target behavior unchanged (suggested by Christian)
---
Makefile | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..fe96d5a 100644
--- a/Makefile
+++ b/Makefile
@@ -27,9 +27,11 @@ mandir ?=3D $(PREFIX)/man
=20
all: $(UTILS) $(MANPAGES)
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
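Review bot: `all: $(UTILS) $(MANPAGES)` stays as the default target at the top of this hunk, so a bare `make` before `make install-utils` still runs pod2man and keeps the perl host dependency the commit message wants to avoid. The message should say that callers have to invoke `make install-utils` on its own for the split to have the intended effect.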
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
--=20
2.25.1


Re: Custom python location on target #python

Josef Holzmayr
 

Howdy!

On Mon, 22 Feb 2021 at 13:22, <felixn1996@gmail.com> wrote:
> I'm new to the Yocto Project. It is my first time posting a Yocto related question. If this is the wrong place, I apologize in advance.

No problem, welcome on board!

> I need to change the python installation location on my target from /usr/bin and /usr/lib to somewhere under /media.
> I have searched around online and tried looking in the recipe: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-devtools/python/python3_3.9.1.bb

What's the reasoning behind this? If it's meant to be a work-around for
"my custom software totally wants it in that location", then you're
probably better off fixing your custom software to stick to canonical
paths. If it's about partitioning schemes, other techniques might
apply. If it's about being able to upgrade/modify python independently
from the system, then you probably want some root-in-root or container
build. But randomly picking a complex package that has system-wide
implications and saying "I want it here, screw the FHS" is not a good
idea usually.

Greetz


Custom python location on target #python

felixn1996@...
 

Hello! 
I'm new to the Yocto Project. It is my first time posting a Yocto related question. If this is the wrong place, I apologize in advance. 
 
I need to change the python installation location on my target from /usr/bin and /usr/lib to somewhere under /media.
 
I have searched around online and tried looking in the recipe: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-devtools/python/python3_3.9.1.bb
 
But I have not made any progress so far.
 
Any help would be super appreciated!
Best regards,
Felix


Re: anyone bundled libbpf into a recipe?

Josef Holzmayr
 

https://twitter.com/TheYoctoJester/status/1358865946790797324

On Mon, 22 Feb 2021 at 12:24, Robert P. J. Day
<rpjday@crashcourse.ca> wrote:

> colleague wants a recipe for libbpf:
>
> https://github.com/libbpf/libbpf
>
> would anyone have done that already and is willing to let me steal it?
>
> rday



anyone bundled libbpf into a recipe?

Robert P. J. Day
 

colleague wants a recipe for libbpf:

https://github.com/libbpf/libbpf

would anyone have done that already and is willing to let me steal it?

rday


[meta-selinux][PATCH] parted: remove bbappend

Yi Zhao
 

Remove bbappend since parted 3.4 has removed the enable_selinux
configure option[1].

Fixes:
QA Issue: parted: configure was passed unrecognised options: --enable-selinux [unknown-configure-option]

[1] https://git.savannah.gnu.org/cgit/parted.git/commit/?id=059200d50beb259c54469ae65f2d034af48ff849

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
recipes-extended/parted/parted_%.bbappend | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 recipes-extended/parted/parted_%.bbappend

diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/parted/parted_%.bbappend
deleted file mode 100644
index 74e22b3..0000000
--- a/recipes-extended/parted/parted_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
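Review bot: the deleted file is `parted_%.bbappend`, which matches every parted version, so removing it also drops the `enable-selinux` inherit for any build that still uses a parted older than 3.4. The commit message should state which branch this targets, or that no supported branch carries an older parted.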
--
2.25.1


Re: QA notification for completed autobuilder build (yocto-3.2.2.rc1)

Sangeeta Jain
 

Hi all,

This is the full report for yocto-3.2.2.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

No new issues found

Thanks,
Sangeeta

-----Original Message-----
From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf
Of Pokybuild User
Sent: Wednesday, 17 February, 2021 1:44 AM
To: yocto@lists.yoctoproject.org
Cc: qa-build-notification@lists.yoctoproject.org
Subject: [yocto] QA notification for completed autobuilder build (yocto-
3.2.2.rc1)


A build flagged for QA (yocto-3.2.2.rc1) was completed on the autobuilder and is
available at:


https://autobuilder.yocto.io/pub/releases/yocto-3.2.2.rc1


Build hash information:

bitbake: 0a3bf681530bd63fc0036ca81ef868ab53fde56c
meta-arm: aa63e31b6edb5197764c21434219050ab51f0fbd
meta-gplv2: 6e8e969590a22a729db1ff342de57f2fd5d02d43
meta-intel: 1d866c58534eb1d317b7a674c6e6c57ab9594fb0
meta-kernel: f793168bd19af3d8c5a260dd35f387ed9a31794b
meta-mingw: 352d8b0aa3c7bbd5060a4cc2ebe7c0e964de4879
oecore: ebaaee50cb3ac75112827f935c48affaf622ce7f
poky: d5d6286a66f46f4523e35e0e3f20cd7396195fdc



This is an automated message from the Yocto Project Autobuilder
Git: git://git.yoctoproject.org/yocto-autobuilder2
Email: richard.purdie@linuxfoundation.org



[opkg-utils PATCH] Makefile: separate manpages and utils install

Ryan Barnett
 

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
Makefile | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..7b7b8d5 100644
--- a/Makefile
+++ b/Makefile
@@ -25,11 +25,13 @@ mandir ?=3D $(PREFIX)/man
%.1: %
pod2man -r "" -c "opkg-utils Documentation" $< $@
=20
-all: $(UTILS) $(MANPAGES)
+all: install
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
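Review bot: `all: install` near the top of this hunk makes the default target perform an installation, so a bare `make` now writes into `$(DESTDIR)$(bindir)` and `$(DESTDIR)$(mandir)` instead of only building. Keep `all: $(UTILS) $(MANPAGES)` as a build-only target and let `install` depend on `install-utils install-docs`, so existing callers of `make` and `make all` see no behavior change.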
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
--=20
2.25.1


Re: [meta-security] [PATCH V2 0/8] Some fixes for IMA/EVM

Armin Kuster
 

On 2/20/21 4:18 AM, liu.ming50@gmail.com wrote:
> From: Ming Liu <liu.ming50@gmail.com>
>
> Changes in patch set V2:
>
> 1 Split patches as suggested by Dmitry Baryshkov.

Thanks for the changes.
This series is now being build tested etc.

Many thanks,

- armin


> Ming Liu (8):
> ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
> initramfs-framework-ima: fix a wrong path
> ima-evm-keys: add recipe
> initramfs-framework-ima: RDEPENDS on ima-evm-keys
> meta: refactor IMA/EVM sign rootfs
> README.md: update according to the refactoring in
> ima-evm-rootfs.bbclass
> initramfs-framework-ima: let ima_enabled return 0
> ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
>
> meta-integrity/README.md | 4 ++-
> meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
> .../initrdscripts/initramfs-framework-ima.bb | 2 +-
> .../initrdscripts/initramfs-framework-ima/ima | 3 +-
> .../ima-evm-keys/ima-evm-keys_1.0.bb | 16 +++++++++
> .../ima-evm-utils/ima-evm-utils_git.bb | 1 +
> 6 files changed, 38 insertions(+), 21 deletions(-)
> create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb


[meta-security][PATCH] softhsm: drop pkg as meta-oe has it

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-security/softHSM/softhsm_2.6.1.bb | 30 -----------------------
1 file changed, 30 deletions(-)
delete mode 100644 recipes-security/softHSM/softhsm_2.6.1.bb

diff --git a/recipes-security/softHSM/softhsm_2.6.1.bb b/recipes-security/softHSM/softhsm_2.6.1.bb
deleted file mode 100644
index 74e837a..0000000
--- a/recipes-security/softHSM/softhsm_2.6.1.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface."
-HOMEPAGE = "www.opendnssec.org"
-
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
-
-DEPENDS = "sqlite3"
-
-SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
-SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
-
-inherit autotools pkgconfig siteinfo
-
-EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
-EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
-
-PACKAGECONFIG ?= "pk11 openssl"
-
-PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
-PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
-PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
-PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
-PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
-PACKAGECONFIG[notvisable] = "--disable-visibility"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
-PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
-PACKAGECONFIG[migrate] = "--with-migrate"
-PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
-
-RDEPENDS_${PN} = "sqlite3"
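Review bot: the commit message has no body, and the recipe removed in this hunk sets `PACKAGECONFIG ?= "pk11 openssl"`; name the meta-oe recipe version that replaces it and confirm that its default PACKAGECONFIG gives the same p11-kit integration and OpenSSL backend, since users of this layer will pick up the meta-oe defaults without any change on their side. It is also worth stating that meta-oe is already a dependency of the layer, otherwise the removal leaves softhsm unavailable.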
--
2.17.1


[meta-security] [PATCH V2 8/8] ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integri=
ty/classes/ima-evm-rootfs.bbclass
index 4359af0..0acd6e7 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?=3D ". -depth 0 -false"
# the iversion flags (needed by IMA when allowing writing).
IMA_EVM_ROOTFS_IVERSION ?=3D ""
=20
+# Avoid re-generating fstab when ima is enabled.
+WIC_CREATE_EXTRA_ARGS_append =3D "${@bb.utils.contains('DISTRO_FEATURES'=
, 'ima', ' --no-fstab-update', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
=20
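Review bot: the new `WIC_CREATE_EXTRA_ARGS_append` line passes `--no-fstab-update` to wic for every image using this class whenever `ima` is in DISTRO_FEATURES, but neither the comment above it nor the commit message says why wic fails without it. Spell out the failure in the comment, and note that image authors who rely on wic adding mount entries to /etc/fstab now have to provide them themselves.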
--=20
2.29.0


[meta-security] [PATCH V2 7/8] initramfs-framework-ima: let ima_enabled return 0

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

Otherwise, ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framewor=
k-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework=
-ima/ima
index 16ed53f..cff26a3 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
@@ -6,6 +6,7 @@ ima_enabled() {
if [ "$bootparam_no_ima" =3D "true" ]; then
return 1
fi
+ return 0
}
=20
ima_run() {
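Review bot: the commit message does not say which call path returned non-zero before the added `return 0`. For the `if [ "$bootparam_no_ima" = "true" ]` block shown here, POSIX sh already gives an `if` whose test fails and that has no `else` an exit status of 0, so the message should describe the failure that was observed; the explicit return is still a reasonable way to make the intent visible.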
--=20
2.29.0


[meta-security] [PATCH V2 6/8] README.md: update according to the refactoring in ima-evm-rootfs.bbclass

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
meta-integrity/README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..5048fba 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -73,8 +73,10 @@ Adding the layer only enables IMA (see below regarding=
EVM) during
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
=20
- INHERIT +=3D "ima-evm-rootfs"
+ IMAGE_CLASSES +=3D "ima-evm-rootfs"
IMA_EVM_KEY_DIR =3D "${INTEGRITY_BASE}/data/debug-keys"
+ IMA_EVM_PRIVKEY =3D "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_X509 =3D "${IMA_EVM_KEY_DIR}/x509_ima.der"
=20
This uses the default keys provided in the "data" directory of the layer=
.
Because everyone has access to these private keys, such an image
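Review bot: the switch from `INHERIT` to `IMAGE_CLASSES` in the example has no explanation because the commit body is empty; say that existing local.conf files using `INHERIT += "ima-evm-rootfs"` need updating and why. The two added lines point `IMA_EVM_PRIVKEY` and `IMA_EVM_X509` at the debug-keys directory, so the README should also say that these are the variables to override with keys of one's own, given that the following paragraph states everyone has access to the default private keys.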
--=20
2.29.0


[meta-security] [PATCH V2 5/8] meta: refactor IMA/EVM sign rootfs

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

The current logic in ima-evm-rootfs.bbclass does not guarantee
ima_evm_sign_rootfs is the last function in IMAGE_PREPROCESS_COMMAND
by appending to it, for instance, if there are other "_append" being
used as it's the case in openembedded-core/meta/classes/image.bbclass:

| IMAGE_PREPROCESS_COMMAND_append = " ${@ 'systemd_preset_all;' \
| if bb.utils.contains('DISTRO_FEATURES', 'systemd', True, False, d) \
| and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True,
| False, d) else ''} reproducible_final_image_task; "

and ima-evm-rootfs should be in IMAGE_CLASSES instead of in INHERIT
since that would impact all recipes but not only image recipes.

To fix the above issues, we introduce a ima_evm_sign_handler setting
IMA/EVM rootfs signing requirements/dependencies in event
bb.event.RecipePreFinalise, it checks 'ima' distro feature to decide if
IMA/EVM rootfs signing logic should be applied or not.

Also add ima-evm-keys to IMAGE_INSTALL.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 30 ++++++++-----------
1 file changed, 12 insertions(+), 18 deletions(-)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integri=
ty/classes/ima-evm-rootfs.bbclass
index d6ade3b..4359af0 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -37,15 +37,6 @@ ima_evm_sign_rootfs () {
# reasons (including a change of the signing keys) without also
# re-running do_rootfs.
=20
- # Copy file(s) which must be on the device. Note that
- # evmctl uses x509_evm.der also for "ima_verify", which is probably
- # a bug (should default to x509_ima.der). Does not matter for us
- # because we use the same key for both.
- install -d ./${sysconfdir}/keys
- rm -f ./${sysconfdir}/keys/x509_evm.der
- install "${IMA_EVM_X509}" ./${sysconfdir}/keys/x509_evm.der
- ln -sf x509_evm.der ./${sysconfdir}/keys/x509_ima.der
-
# Fix /etc/fstab: it must include the "i_version" mount option for
# those file systems where writing files is allowed, otherwise
# these changes will not get detected at runtime.
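Review bot: with the `install "${IMA_EVM_X509}"` lines removed from ima_evm_sign_rootfs, nothing in this function verifies that the certificate is present in the rootfs before signing; it now depends on ima-evm-keys having been installed. A check that `./${sysconfdir}/keys/x509_evm.der` exists, failing the build otherwise, would keep an image from being signed and shipped without the key needed to verify it.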
@@ -80,13 +71,16 @@ ima_evm_sign_rootfs () {
}
=20
# Signing must run as late as possible in the do_rootfs task.
-# IMAGE_PREPROCESS_COMMAND runs after ROOTFS_POSTPROCESS_COMMAND, so
-# append (not prepend!) to IMAGE_PREPROCESS_COMMAND, and do it with
-# _append instead of +=3D because _append gets evaluated later. In
-# particular, we must run after prelink_image in
-# IMAGE_PREPROCESS_COMMAND, because prelinking changes executables.
-
-IMAGE_PREPROCESS_COMMAND_append =3D " ima_evm_sign_rootfs ; "
+# To guarantee that, we append it to IMAGE_PREPROCESS_COMMAND in
+# RecipePreFinalise event handler, this ensures it's the last
+# function in IMAGE_PREPROCESS_COMMAND.
+python ima_evm_sign_handler () {
+ if not e.data or 'ima' not in e.data.getVar('DISTRO_FEATURES').split=
():
+ return
=20
-# evmctl must have been installed first.
-do_rootfs[depends] +=3D "ima-evm-utils-native:do_populate_sysroot"
+ e.data.appendVar('IMAGE_PREPROCESS_COMMAND', ' ima_evm_sign_rootfs; =
')
+ e.data.appendVar('IMAGE_INSTALL', ' ima-evm-keys')
+ e.data.appendVarFlag('do_rootfs', 'depends', ' ima-evm-utils-native:=
do_populate_sysroot')
+}
+addhandler ima_evm_sign_handler
+ima_evm_sign_handler[eventmask] =3D "bb.event.RecipePreFinalise"
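Review bot: `ima_evm_sign_handler` returns silently when `ima` is not in DISTRO_FEATURES, so an image that lists the class in IMAGE_CLASSES but lacks the distro feature is built unsigned with no message; a `bb.warn` or a fatal error on that path would make the misconfiguration visible. In the same condition, `e.data.getVar('DISTRO_FEATURES').split()` raises if the variable is unset, so use `(e.data.getVar('DISTRO_FEATURES') or '').split()` or `bb.utils.contains`.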
--=20
2.29.0


[meta-security] [PATCH V2 4/8] initramfs-framework-ima: RDEPENDS on ima-evm-keys

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../recipes-core/initrdscripts/initramfs-framework-ima.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framewor=
k-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-=
ima.bb
index dacdc8b..77f6f7c 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.b=
b
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.b=
b
@@ -27,5 +27,5 @@ do_install () {
=20
FILES_${PN} =3D "/init.d ${sysconfdir}"
=20
-RDEPENDS_${PN} =3D "keyutils ${IMA_POLICY}"
+RDEPENDS_${PN} =3D "keyutils ima-evm-keys ${IMA_POLICY}"
RDEPENDS_${PN} +=3D "initramfs-framework-base"
--=20
2.29.0


[meta-security] [PATCH V2 3/8] ima-evm-keys: add recipe

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

Create a recipe to package IMA/EVM public keys.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../ima-evm-keys/ima-evm-keys_1.0.bb | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-=
keys_1.0.bb

diff --git a/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.=
0.bb b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
new file mode 100644
index 0000000..62685bb
--- /dev/null
+++ b/meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY =3D "IMA/EMV public keys"
+LICENSE =3D "MIT"
+LIC_FILES_CHKSUM =3D "file://${COREBASE}/meta/COPYING.MIT;md5=3D3da9cfbc=
b788c80a0384361b4de20420"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES =3D "ima"
+
+ALLOW_EMPTY_${PN} =3D "1"
+
+do_install () {
+ if [ -e "${IMA_EVM_X509}" ]; then
+ install -d ${D}/${sysconfdir}/keys
+ install "${IMA_EVM_X509}" ${D}${sysconfdir}/keys/x509_evm.der
+ lnr ${D}${sysconfdir}/keys/x509_evm.der ${D}${sysconfdir}/keys/x=
509_ima.der
+ fi
+}
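Review bot: the `if [ -e "${IMA_EVM_X509}" ]` guard in do_install, combined with `ALLOW_EMPTY_${PN} = "1"`, turns a missing or mistyped certificate path into an empty package with no build-time message, so the image ends up without the verification key. Fail with `bbfatal` (or at least `bbwarn`) in an `else` branch. Also, SUMMARY says "IMA/EMV" where "IMA/EVM" is meant, and the `install -d` line uses `${D}/${sysconfdir}` while the other lines use `${D}${sysconfdir}`.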
--=20
2.29.0


[meta-security] [PATCH V2 2/8] initramfs-framework-ima: fix a wrong path

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

/etc/ima-policy > /etc/ima/ima-policy.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framewor=
k-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework=
-ima/ima
index 8616f99..16ed53f 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
@@ -46,7 +46,7 @@ ima_run() {
# ("[Linux-ima-user] IMA policy loading via cat") and we get better =
error reporting when
# checking the write of each line. To minimize the risk of policy lo=
ading going wrong we
# also remove comments and blank lines ourselves.
- if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ =
*$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy=
: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Inva=
lid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima-policy >/sys=
/kernel/security/ima/policy; then
+ if ! (set -e; while read i; do if echo "$i" | grep -q -e '^#' -e '^ =
*$'; then debug "Skipping IMA policy: $i"; else debug "Writing IMA policy=
: $i"; if echo $i; then sleep ${bootparam_ima_delay:-0}; else fatal "Inva=
lid line in IMA policy: $i"; exit 1; fi; fi; done) </etc/ima/ima-policy >=
/sys/kernel/security/ima/policy; then
fatal "Could not load IMA policy."
fi
}
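Review bot: since the long policy-loading line is being rewritten anyway, quote the variable in `echo $i`; unquoted, each policy line undergoes word splitting and pathname expansion before it is written to /sys/kernel/security/ima/policy, and `read i` without `-r` also consumes backslashes. The commit message would read more clearly as "/etc/ima-policy -> /etc/ima/ima-policy" and should name the recipe that installs the policy at the new path.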
--=20
2.29.0


[meta-security] [PATCH V2 1/8] ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty

Ming Liu <liu.ming50@...>
 

From: Ming Liu <liu.ming50@gmail.com>

'ima' does not have to be in native DISTRO_FEATURES, unset it to avoid
sanity check for ima-evm-utils-native.

Signed-off-by: Ming Liu <liu.ming50@gmail.com>
---
.../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_=
git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.=
bb
index 7f649c2..bd85583 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -26,6 +26,7 @@ S =3D "${WORKDIR}/git"
inherit pkgconfig autotools features_check
=20
REQUIRED_DISTRO_FEATURES =3D "ima"
+REQUIRED_DISTRO_FEATURES_class-native =3D ""
=20
EXTRA_OECONF_append_class-target =3D " --with-kernel-headers=3D${STAGING=
_KERNEL_BUILDDIR}"
=20
--=20
2.29.0
