Hi,

Please correct me, but I think the system environment set up in Yocto
Linux may not be the same as other distributions. I have a shell
script to set up export PATH and LD_LIBRARY_PATH, I want to avoid
putting full path in ExecStart and all of my shell scripts

ExecStart=my_measurement.sh

I have been thinking of the following options, but I am not sure which
one works, if the syntax is correct or not, which one is the best for
common practice, appreciate your advice.

(1) Setup in all systemd service scripts

[Service]
EnvironmentFile=/usr/bin/my_export.sh
ExecStart=my_measurement.sh

Is the syntax above statements in service scripts correct? Will it work?

(2) Add my_export.sh to /etc/profile.d

That one works for Ubuntu, Debian and CentOS, will all Yocto systemd
service scripts pick up environment setup from /etc/profile.d
automatically in Yocto Linux distribution?

(3) Add my_export.sh to /etc/default

Some distributions automatically pick setup from /etc/default, does it
work for Yocto Linux for systemd service scripts to pick up
my_export.sh setup from /etc/default?

Thank you.

Kind regards,

- jupiter

Thanks for your great help. A native recipe is what I needed with data in it only. So my native recipe copies files into ${D}${datadir}/${PN}.

Then my image build uses DEPENDS= to bring in the native recipe.

Then my IMAGE_POSTPROCESS_COMMAND can reference ${STAGING_DATADIR_NATIVE}/[native recipe name] to find the data it needs.

Then I don't need to patch the bbclass file.


From: yocto@... <yocto@...> on behalf of Josef Holzmayr <jester@...>
Sent: Monday, August 9, 2021 12:41 AM
To: yocto@...
Subject: Re: [yocto] How does one add do_fetch, do_unpack to an image recipe?
 
Howdy!

Am 07.08.2021 um 02:25 schrieb John Klug:

I am using dunfell.

In the documentation I see:

http://mail2.multitech.com:32224/?dmVyPTEuMDAxJiYyOTU2NDk0NDY2NmQ1NDQyND02MTEwQzAxOF8yMDIxXzcwNzFfMSYmYjc2MzZjMTgxNGE4NTkzPTIzMzMmJnVybD1odHRwcyUzQSUyRiUyRnd3dyUyRXlvY3RvcHJvamVjdCUyRW9yZyUyRmRvY3MlMkZjdXJyZW50JTJGYml0YmFrZS11c2VyLW1hbnVhbCUyRmJpdGJha2UtdXNlci1tYW51YWwlMkVodG1sJTIzdW5zZXR0aW5nLXZhcmlhYmxlcw==

In case some filter removes the yocto URL, I am referring to:

      docs/current/bitbake-user-manual/bitbake-user-manual.html#unsetting-variables

Which has this example:

      unset do_fetch[noexec]

If I put this in my image recipe, the do_fetch noexec item still exists.

In order to fix this problem I had to patch openembedded-core/meta/classes/image.bbclass, and remove the line setting do_fetch[noexec]="1" and the ones following.

I need to do a fetch for my IMAGE_POSTPROCESS_COMMAND.

 From first glance, I'd guess that the approach is just not correct. If
that thing to be fetched also needs to go *into* the image: make it a
recipe on its own. If you only need it during build time, then it should
probably be a -native dependency, and therefore again a recipe on its
own. Then the image recipe can depend on it and use its contents during
the build/postprocess stage.

Greetz

Thanks.

Greetings,

I'm trying to play an Ogg/Vorbis sample from an image I generated with
Poky (master) and meta-oe (master), by adding "ogg123" and "alsa-utils"
(for testing purposes) to "core-image-minimal".

I built the image for qemux86-64 and tested it ran in a chroot on my x86
build machine. I mounted proc, sysfs and devtmpfs on /proc, /sys/ and
/dev in the chroot, respectively.

I could play a WAV file through "aplay" (from alsa-utils) from the
chroot, but I didn't manage to play an Ogg/Vorbis sample on the audio card:
# ogg123 /sample.ogg
=== Could not load default driver and no driver specified in config
file. Exiting.

However, I could "play" the sample file to a WAV file:
ogg123 -d wav -f output.wav /sample.ogg

Looking at the code, it seems there's a back-end issue (libao,
alsa-lib?), so I suspect ogg123 or libao were built with missing
features. I checked that libao was configured with Alsa support.

I'll go on investigating, but if you have ideas, I'm interested!

Cheers,
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

It is clear that the build system cannot find anything that is providing 'python-hello' recipe.

Which means it parsed all layers in bblayers.conf and it didn't find any python-hello_*.bb file (the _* is the version)

It is mentioned in the tutorial that you provided that the recipe should be in meta-layer/recipes-custom/python-hello

So, you need to create that layer, follow:

bitbake-layers create-layer meta-custom
bitbake-layers add-layer meta-custom

Now, in that layer create folders: recipes-custom/python-hello, in that you should have:

1. another folder: files in that you put python-hello.py
2. python-hello.bb

the content of all of that is in the tutorial .

Hello everyone, 
SO i ve been following this tutorial to be able to execute hello world on the raspberry pi, but i tried so much and still not working, please any help? e 
I followed the tutorial from the Scripts et modules PYthon part: https://www.blaess.fr/christophe/yocto-lab/sequence-III-1/index.html#scripts-et-modules-python

This fixes a bug in libselinux that gets triggered by loading another
policy at runtime. Before this patch, the userspace class cache was not
flushed when a new policy was loaded. This led to SELinux-aware
processes performing invalid lookups if their lifecycle overlapped with
a policy load. Specifically, lookups performed by dbus-daemon would
yield invalid results due to using outdated class IDs in their query.
---
...t-flush_class_cache-call-it-on-polic.patch | 126 ++++++++++++++++++
recipes-security/selinux/libselinux_3.0.bb | 1 +
2 files changed, 127 insertions(+)
create mode 100644 recipes-security/selinux/libselinux/0001-libselinux-export-flush_class_cache-call-it-on-polic.patch

diff --git recipes-security/selinux/libselinux/0001-libselinux-export-flush_class_cache-call-it-on-polic.patch recipes-security/selinux/libselinux/0001-libselinux-export-flush_class_cache-call-it-on-polic.patch
new file mode 100644
index 0000000..dd79f64
--- /dev/null
+++ recipes-security/selinux/libselinux/0001-libselinux-export-flush_class_cache-call-it-on-polic.patch
@@ -0,0 +1,126 @@
+From 7bece3768b8ce63d79ef59bab83517b4e950f8fb Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@...>
+Date: Tue, 21 Jan 2020 11:18:22 -0500
+Subject: [PATCH] libselinux: export flush_class_cache(), call it on policyload
+
+Rename flush_class_cache() to selinux_flush_class_cache(), export it
+for direct use by userspace policy enforcers, and call it on all policy
+load notifications rather than only when using selinux_check_access().
+This ensures that policy reloads that change a userspace class or
+permission value will be reflected by subsequent string_to_security_class()
+or string_to_av_perm() calls.
+
+Signed-off-by: Stephen Smalley <sds@...>
+---
+ libselinux/include/selinux/selinux.h | 3 +++
+ libselinux/src/avc_internal.c | 2 ++
+ libselinux/src/checkAccess.c | 13 -------------
+ libselinux/src/selinux_internal.h | 3 +--
+ libselinux/src/stringrep.c | 4 +++-
+ 5 files changed, 9 insertions(+), 16 deletions(-)
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/7bece3768b8ce63d79ef59bab83517b4e950f8fb]
+
+diff --git libselinux/include/selinux/selinux.h libselinux/include/selinux/selinux.h
+index fe46e681..7922d96b 100644
+--- libselinux/include/selinux/selinux.h
++++ libselinux/include/selinux/selinux.h
+@@ -418,6 +418,9 @@ extern int security_av_string(security_class_t tclass,
+ /* Display an access vector in a string representation. */
+ extern void print_access_vector(security_class_t tclass, access_vector_t av);
+
++/* Flush the SELinux class cache, e.g. upon a policy reload. */
++extern void selinux_flush_class_cache(void);
++
+ /* Set the function used by matchpathcon_init when displaying
+ errors about the file_contexts configuration. If not set,
+ then this defaults to fprintf(stderr, fmt, ...). */
+diff --git libselinux/src/avc_internal.c libselinux/src/avc_internal.c
+index 49cecc96..568a3d92 100644
+--- libselinux/src/avc_internal.c
++++ libselinux/src/avc_internal.c
+@@ -23,6 +23,7 @@
+ #include "callbacks.h"
+ #include "selinux_netlink.h"
+ #include "avc_internal.h"
++#include "selinux_internal.h"
+
+ #ifndef NETLINK_SELINUX
+ #define NETLINK_SELINUX 7
+@@ -207,6 +208,7 @@ static int avc_netlink_process(void *buf)
+ avc_prefix, rc, errno);
+ return rc;
+ }
++ selinux_flush_class_cache();
+ rc = selinux_netlink_policyload(msg->seqno);
+ if (rc < 0)
+ return rc;
+diff --git libselinux/src/checkAccess.c libselinux/src/checkAccess.c
+index 16bfcfb6..7227ffe5 100644
+--- libselinux/src/checkAccess.c
++++ libselinux/src/checkAccess.c
+@@ -10,25 +10,12 @@
+ static pthread_once_t once = PTHREAD_ONCE_INIT;
+ static int selinux_enabled;
+
+-static int avc_reset_callback(uint32_t event __attribute__((unused)),
+- security_id_t ssid __attribute__((unused)),
+- security_id_t tsid __attribute__((unused)),
+- security_class_t tclass __attribute__((unused)),
+- access_vector_t perms __attribute__((unused)),
+- access_vector_t *out_retained __attribute__((unused)))
+-{
+- flush_class_cache();
+- return 0;
+-}
+-
+ static void avc_init_once(void)
+ {
+ selinux_enabled = is_selinux_enabled();
+ if (selinux_enabled == 1) {
+ if (avc_open(NULL, 0))
+ return;
+- avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
+- 0, 0, 0, 0);
+ }
+ }
+
+diff --git libselinux/src/selinux_internal.h libselinux/src/selinux_internal.h
+index 8b4bed2f..61b78aaa 100644
+--- libselinux/src/selinux_internal.h
++++ libselinux/src/selinux_internal.h
+@@ -107,8 +107,7 @@ hidden_proto(selinux_trans_to_raw_context);
+ hidden_proto(security_get_initial_context);
+ hidden_proto(security_get_initial_context_raw);
+ hidden_proto(selinux_reset_config);
+-
+-hidden void flush_class_cache(void);
++hidden_proto(selinux_flush_class_cache);
+
+ extern int require_seusers hidden;
+ extern int selinux_page_size hidden;
+diff --git libselinux/src/stringrep.c libselinux/src/stringrep.c
+index 4db95398..29757b75 100644
+--- libselinux/src/stringrep.c
++++ libselinux/src/stringrep.c
+@@ -158,7 +158,7 @@ err1:
+ return NULL;
+ }
+
+-hidden void flush_class_cache(void)
++void selinux_flush_class_cache(void)
+ {
+ struct discover_class_node *cur = discover_class_cache, *prev = NULL;
+ size_t i;
+@@ -180,6 +180,8 @@ hidden void flush_class_cache(void)
+ discover_class_cache = NULL;
+ }
+
++hidden_def(selinux_flush_class_cache)
++
+ security_class_t string_to_security_class(const char *s)
+ {
+ struct discover_class_node *node;
+--
+2.25.1
+
diff --git recipes-security/selinux/libselinux_3.0.bb recipes-security/selinux/libselinux_3.0.bb
index 05d2346..17a25a9 100644
--- recipes-security/selinux/libselinux_3.0.bb
+++ recipes-security/selinux/libselinux_3.0.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
file://libselinux-make-SOCK_CLOEXEC-optional.patch \
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
file://0001-Fix-building-against-musl-and-uClibc-libc-libraries.patch \
+ file://0001-libselinux-export-flush_class_cache-call-it-on-polic.patch \
"
--
2.25.1

Howdy!

Am 07.08.2021 um 02:25 schrieb John Klug:

I am using dunfell.
In the documentation I see:
https://www.yoctoproject.org/docs/current/bitbake-user-manual/bitbake-user-manual.html#unsetting-variables
In case some filter removes the yocto URL, I am referring to:
docs/current/bitbake-user-manual/bitbake-user-manual.html#unsetting-variables
Which has this example:
unset do_fetch[noexec]
If I put this in my image recipe, the do_fetch noexec item still exists.
In order to fix this problem I had to patch openembedded-core/meta/classes/image.bbclass, and remove the line setting do_fetch[noexec]="1" and the ones following.
I need to do a fetch for my IMAGE_POSTPROCESS_COMMAND.

From first glance, I'd guess that the approach is just not correct. If that thing to be fetched also needs to go *into* the image: make it a recipe on its own. If you only need it during build time, then it should probably be a -native dependency, and therefore again a recipe on its own. Then the image recipe can depend on it and use its contents during the build/postprocess stage.

Greetz

Thanks.

Howdy!

Am 08.08.2021 um 16:11 schrieb chiefsleepyeye@...:

I'm new to yocto so forgive me if this has been answered before.  I searched a number of resources and wasn't able to find an answer.  I've been able to install yocto and make modifications to the bblayers.conf and local.conf files to add recipes and layers that provide recipes for the components I need.  I wanted to add hotplug and  found there is a "meta package" from yocto called "linux-hotplug".  The problem I'm having is finding out which layer provides that recipe.  Can someone point me in the right direction and/or point me at a tool that allows searching through all recipes, configured for use or not, for recipes. I've used oe-pkgutils-tool and bitbake-layers but, as far as I can tell they only search in layers configured to be used.  I also tried the layer search tool on the open embedded website but got no hits for the aforementioned recipe.  I feel like I'm missing something here but I don't know what.  Any help would be appreciated.  Thanks to all.

http://layers.openembedded.org

respectively for you http://layers.openembedded.org/layerindex/branch/master/recipes/?q=hotplug obviously... gut it doesn't seem that the information you based your question on is accurate, no "linux-hotplug" there. If I had to guess, then you found either something massively outdated, or referring to a non-openly accessible layer.

Greetz

Mike

YP AB Intermittent failures meeting
===================================
Aug 5, 2021, 9 AM ET
https://windriver.zoom.us/j/3696693975

Attendees: Tony, Richard, Trevor, Randy, Sakib!


Summary:
========

ptest failures again are better but there's still room
for improvement.

The make/ninja load average limit is in but it's not clear
if it's effective yet and it breaks dunfell. Trevor investigating.

There's not much new this week, I've commented on a few existing
activities below and added "Aug 5" in most cases.

We did talk about the YP SWAT process and trying to get people
to all follow the same workflow and for the people who are working
on reporting and analysis tools to understand what SWAT does.
Alex is going to think about it and come up with a plan.

If anyone wants to help, we could use more eyes on the logs,
particularly the summary logs and understanding iostat #
when the dd test times out.

I moved Michael to BCC here and
I'll drop him next week unless asked to do otherwise.


Plans for the week:
===================

All: Wait and see if the ptest failure rate continues to be lower
than previous weeks.

Richard:
Alex: SWAT plans.
Sakib: hook more responsive load average in to latency test. (v3)
Trevor: patch to set PARALLEL_MAKE : -l 50
-> dunfell, gatesgarth, hardknott (Aug 5 - it's a priority)
Investigate dunfell which failed with this change.
Tony:
Saul:
Randy: Look at performance data


Meeting Notes:
==============

1. job server

- ninja could be patched with make's more responsive algorithm
next or is this good enough?

- Richard suggested that we extract make's code for measuring the load
average to a separate binary and run it in the periodic io latency
test. Also can we translate it to python?
- Trevor is working on this and had some problems so next week.


2. AB status

Trevor is learning about buildbot and working on a scheduling bug
(CentOS worker?)

bitbake layer setup tool should allow multiple backends:
eg: kas, a y-a-helper.

ptest cases are improving, we may be close to done!
Let's wait a week to see how things go.
(July29, Aug 5, we're not done...)

- development week with lots of failures and a-quick builds
so it's hard to say.

- lttng timeouts are still happening so RP is going to increase
timeout for all ptests from 300, 450. (Aug 5, timeout bumped)

3. Sakib's improvements to the logging are merged.

Sakib generated a summary of all high latency 'top' logs from
~July 23->July 29 by just running his summary script on the
merged raw top logs.

<snip last week's summary of summaries text>

More analysis required....


Still relevant parts of
Previous Meeting Notes:
=======================


4. bitbake server timeout ( no change july 29)

"Timeout while waiting for a reply from the bitbake server (60s)"

Clearly the YP ABs aren't running in docker but what
about firmware and kernel tunings.



5. io stalls (no update: July 29)

Richard said that it would make sense to write an ftrace utility
/ script to monitor io latency and we could install it with sudo
Ch^W mentioned ftrace on IRC.
Sakib and Randy will work on that but not for a week or two.





../Randy

I'm new to yocto so forgive me if this has been answered before.  I searched a number of resources and wasn't able to find an answer.  I've been able to install yocto and make modifications to the bblayers.conf and local.conf files to add recipes and layers that provide recipes for the components I need.  I wanted to add hotplug and  found there is a "meta package" from yocto called "linux-hotplug".  The problem I'm having is finding out which layer provides that recipe.  Can someone point me in the right direction and/or point me at a tool that allows searching through all recipes, configured for use or not, for recipes.  I've used oe-pkgutils-tool and bitbake-layers but, as far as I can tell they only search in layers configured to be used.  I also tried the layer search tool on the open embedded website but got no hits for the aforementioned recipe.  I feel like I'm missing something here but I don't know what.  Any help would be appreciated.  Thanks to all.

Mike

I am using dunfell.

In the documentation I see:

https://www.yoctoproject.org/docs/current/bitbake-user-manual/bitbake-user-manual.html#unsetting-variables

In case some filter removes the yocto URL, I am referring to:

docs/current/bitbake-user-manual/bitbake-user-manual.html#unsetting-variables

Which has this example:

unset do_fetch[noexec]

If I put this in my image recipe, the do_fetch noexec item still exists.

In order to fix this problem I had to patch openembedded-core/meta/classes/image.bbclass, and remove the line setting do_fetch[noexec]="1" and the ones following.

I need to do a fetch for my IMAGE_POSTPROCESS_COMMAND.


Thanks.

It looks like I missed a case for the new bitbake override syntax. My tests
weren't done from a fresh build so either a preexisting image was still
available, or the unfixed syntax caused a race.

Signed-off-by: Trevor Woerner <twoerner@...>
---
classes/rockchip-gpt-img.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/rockchip-gpt-img.bbclass b/classes/rockchip-gpt-img.bbclass
index 434c100..b698db0 100644
--- a/classes/rockchip-gpt-img.bbclass
+++ b/classes/rockchip-gpt-img.bbclass
@@ -9,7 +9,7 @@ IMG_ROOTFS_TYPE = "ext4"
IMG_ROOTFS = "${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.${IMG_ROOTFS_TYPE}"

# This image depends on the rootfs image
-IMAGE_TYPEDEP_rockchip-gpt-img = "${IMG_ROOTFS_TYPE}"
+IMAGE_TYPEDEP:rockchip-gpt-img = "${IMG_ROOTFS_TYPE}"

GPTIMG = "${IMAGE_NAME}-gpt.img"
GPTIMG_SYMLK = "${IMAGE_BASENAME}-${MACHINE}-gpt.img"
--
2.30.0.rc0

I'll get this staged later today.

Thanks for running the conversion.

Hello All,

This is the full report for yocto-3.1.10.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

One issue observed in this release:

Bug 14488 - AB-INT PTEST: tcl socket.test intermittent failure

======= Bugs ========
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14488

Thanks,
Sangeeta

This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-openssl102-fips

Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@...>
---
README.build | 8 ++++----
README.openssh_cavstest | 2 +-
classes/fips_kernel.bbclass | 4 ++--
classes/image-enable-fips.bbclass | 2 +-
conf/layer.conf | 4 ++--
.../openssh/openssh_8.%.bbappend | 2 +-
recipes-connectivity/openssh/openssh_fips.inc | 16 ++++++++--------
.../openssl/openssl-fips-example_2.0.16.bb | 6 +++---
.../openssl/openssl-fips_2.0.16.bb | 6 +++---
.../openssl/openssl_1.0.2%.bbappend | 2 +-
recipes-connectivity/openssl/openssl_fips.inc | 8 ++++----
recipes-support/fipscheck/fipscheck_1.5.0.bb | 6 +++---
recipes-support/rng-tools/rng-tools_6.%.bbappend | 2 +-
recipes-support/rng-tools/rng-tools_fips.inc | 2 +-
14 files changed, 35 insertions(+), 35 deletions(-)

diff --git a/README.build b/README.build
index 36e3875..b675686 100644
--- a/README.build
+++ b/README.build
@@ -44,7 +44,7 @@ to image [3]
[2] git://git.yoctoproject.org/meta-openssl102
Manually set 1.0.2% to openssl preferred version
echo "PREFERRED_VERSION_openssl = '1.0.2%'" >> conf/local.conf
-[3] echo "IMAGE_INSTALL_append = ' packagegroup-core-buildessential'" >> conf/local.conf
+[3] echo "IMAGE_INSTALL:append = ' packagegroup-core-buildessential'" >> conf/local.conf

The easiest way to do this with Wind River Linux is include:

@@ -56,7 +56,7 @@ Additionally you will need a way to get the openssl-fips module source to
the target for the build. Adding ssh/scp is recommended, to add these
add the following to your local.conf file:

- IMAGE_INSTALL_append = " openssh-ssh openssh-scp"
+ IMAGE_INSTALL:append = " openssh-ssh openssh-scp"

If you are building with configurations that have security software enabled,
such as SE Linux, you may be required to boot in a non-enforcing mode to
@@ -132,7 +132,7 @@ Building Steps (based on section 4 of the UsersGuide-2.0.pdf):
prebuilt tar archive.

For Yocto, in your build directory, edit conf/local.conf, add:
- IMAGE_INSTALL_append = " openssl-fips-dev"
+ IMAGE_INSTALL:append = " openssl-fips-dev"
OPENSSL_FIPS_ENABLED = "1"
OPENSSL_FIPS_PREBUILT = "<path>"

@@ -230,7 +230,7 @@ program, and embed the fingerprint.

On host:
edit local.conf to add openssl-fips-example to image
-$ echo 'IMAGE_INSTALL_append = " openssl-fips-example"' >> conf/local.conf
+$ echo 'IMAGE_INSTALL:append = " openssl-fips-example"' >> conf/local.conf
$ bitbake <image>

On target:
diff --git a/README.openssh_cavstest b/README.openssh_cavstest
index 2c31209..975a782 100644
--- a/README.openssh_cavstest
+++ b/README.openssh_cavstest
@@ -1,5 +1,5 @@
1. Install openssh-cavs to images
-$ echo "IMAGE_INSTALL_append = ' openssh-cavs'" >> conf/local.conf
+$ echo "IMAGE_INSTALL:append = ' openssh-cavs'" >> conf/local.conf
$ bitbake <image>

2. Run tests on target
diff --git a/classes/fips_kernel.bbclass b/classes/fips_kernel.bbclass
index 064088f..1a2525d 100644
--- a/classes/fips_kernel.bbclass
+++ b/classes/fips_kernel.bbclass
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
-SRC_URI_append = " \
+FILESEXTRAPATHS:prepend := "${LAYER_PATH_meta-openssl-one-zero-two-fips}/recipes-kernel/linux/files/:"
+SRC_URI:append = " \
file://crypto_fips.scc \
"
diff --git a/classes/image-enable-fips.bbclass b/classes/image-enable-fips.bbclass
index fcb5a40..5792883 100644
--- a/classes/image-enable-fips.bbclass
+++ b/classes/image-enable-fips.bbclass
@@ -1,4 +1,4 @@
-ROOTFS_POSTPROCESS_COMMAND_append = " enable_system_fips;"
+ROOTFS_POSTPROCESS_COMMAND:append = " enable_system_fips;"

enable_system_fips() {
install -d ${IMAGE_ROOTFS}${sysconfdir}
diff --git a/conf/layer.conf b/conf/layer.conf
index fc1dcbd..e9ac874 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,8 +18,8 @@ LAYERDEPENDS_meta-openssl-one-zero-two-fips = " \
meta-openssl-one-zero-two \
"

-IMAGE_CLASSES_append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else ' image-enable-fips'}"
+IMAGE_CLASSES:append = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else ' image-enable-fips'}"

LAYER_PATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"

-KERNEL_CLASSES_append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' fips_kernel', '',d)}"
+KERNEL_CLASSES:append = " ${@bb.utils.contains('OPENSSL_FIPS_ENABLED', '1', ' fips_kernel', '',d)}"
diff --git a/recipes-connectivity/openssh/openssh_8.%.bbappend b/recipes-connectivity/openssh/openssh_8.%.bbappend
index 07799f6..a2e3aca 100644
--- a/recipes-connectivity/openssh/openssh_8.%.bbappend
+++ b/recipes-connectivity/openssh/openssh_8.%.bbappend
@@ -1,4 +1,4 @@
FIPSINC = ""
-FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'openssh_fips.inc'}"
+FIPSINC:class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'openssh_fips.inc'}"

require ${FIPSINC}
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index efba8db..b13e06e 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -1,9 +1,9 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/openssh:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/openssh:"
DEPENDS += " \
openssl-fips \
fipscheck \
"
-RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
+RRECOMMENDS:${PN}-sshd:remove = "rng-tools"

SRC_URI += " \
file://0001-openssh-8.6p1-fips.patch \
@@ -14,13 +14,13 @@ SRC_URI += " \
file://0001-ssh-cavs-set-kex-sessin_id-via-sshbuf_put.patch \
"

-do_install_append() {
+do_install:append() {
install -d ${D}${libdir}/fipscheck
}

inherit qemu

-pkg_postinst_append_${PN}-ssh () {
+pkg_postinst:append:${PN}-ssh () {
if [ -n "$D" ]; then
if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'true','false', d)}; then
${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
@@ -33,7 +33,7 @@ pkg_postinst_append_${PN}-ssh () {
fi
}

-pkg_postinst_append_${PN}-sshd () {
+pkg_postinst:append:${PN}-sshd () {
if [ -n "$D" ]; then
if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'true','false', d)}; then
${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
@@ -47,10 +47,10 @@ pkg_postinst_append_${PN}-sshd () {
}

PACKAGES =+ "${PN}-cavs"
-SUMMARY_${PN}-cavs = "CAVS tests for FIPS validation"
-FILES_${PN}-cavs = " \
+SUMMARY:${PN}-cavs = "CAVS tests for FIPS validation"
+FILES:${PN}-cavs = " \
${libexecdir}/ctr-cavstest \
${libexecdir}/ssh-cavs \
${libexecdir}/ssh-cavs_driver.pl"

-FILES_${PN} += "${libdir}/fipscheck"
+FILES:${PN} += "${libdir}/fipscheck"
diff --git a/recipes-connectivity/openssl/openssl-fips-example_2.0.16.bb b/recipes-connectivity/openssl/openssl-fips-example_2.0.16.bb
index 1a720cd..c6d069f 100644
--- a/recipes-connectivity/openssl/openssl-fips-example_2.0.16.bb
+++ b/recipes-connectivity/openssl/openssl-fips-example_2.0.16.bb
@@ -19,14 +19,14 @@ DEPENDS = " \
openssl \
"

-RDEPENDS_${PN} = " \
+RDEPENDS:${PN} = " \
openssl-fips-dev \
openssl-dev \
openssl-staticdev \
packagegroup-core-buildessential \
"

-FILES_${PN} += "${libdir}/ssl/fips-2.0/test"
+FILES:${PN} += "${libdir}/ssl/fips-2.0/test"

do_configure[noexec] = "1"

@@ -47,7 +47,7 @@ do_install() {
sed -i "s:@LIBDIR@:${libdir}:g" ${D}/${libdir}/ssl/fips-2.0/test/Makefile
}

-INSANE_SKIP_${PN} += "dev-deps"
+INSANE_SKIP:${PN} += "dev-deps"

python __anonymous() {
if d.getVar("OPENSSL_FIPS_ENABLED", True) != "1":
diff --git a/recipes-connectivity/openssl/openssl-fips_2.0.16.bb b/recipes-connectivity/openssl/openssl-fips_2.0.16.bb
index b7cb34b..7a2949a 100644
--- a/recipes-connectivity/openssl/openssl-fips_2.0.16.bb
+++ b/recipes-connectivity/openssl/openssl-fips_2.0.16.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
# Set "OPENSSL_FIPS_PREBUILT" to the location of the prebuilt
# openssl-fips-TARGET_ARCH-install.tar.bz2 files.
#
-FILESEXTRAPATHS_prepend := "${OPENSSL_FIPS_PREBUILT}:"
+FILESEXTRAPATHS:prepend := "${OPENSSL_FIPS_PREBUILT}:"

PREBUILT_OPENSSL_FIPS = "openssl-fips-${PV}-${TARGET_ARCH}-install.tar.bz2"

@@ -20,8 +20,8 @@ SRC_URI = "file://${PREBUILT_OPENSSL_FIPS} \
"
S = "${WORKDIR}"

-RDEPENDS_${PN}-dev = ""
-FILES_${PN}-dev += "${bindir}/fipsld ${libdir}/ssl/fips-2.0"
+RDEPENDS:${PN}-dev = ""
+FILES:${PN}-dev += "${bindir}/fipsld ${libdir}/ssl/fips-2.0"

INHIBIT_PACKAGE_DEBUG_SPLIT = '1'
INHIBIT_PACKAGE_STRIP = '1'
diff --git a/recipes-connectivity/openssl/openssl_1.0.2%.bbappend b/recipes-connectivity/openssl/openssl_1.0.2%.bbappend
index 517f1c2..41a7302 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2%.bbappend
+++ b/recipes-connectivity/openssl/openssl_1.0.2%.bbappend
@@ -1,4 +1,4 @@
FIPSINC = ""
-FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'openssl_fips.inc'}"
+FIPSINC:class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'openssl_fips.inc'}"

require ${FIPSINC}
diff --git a/recipes-connectivity/openssl/openssl_fips.inc b/recipes-connectivity/openssl/openssl_fips.inc
index 5480096..9ae23cd 100644
--- a/recipes-connectivity/openssl/openssl_fips.inc
+++ b/recipes-connectivity/openssl/openssl_fips.inc
@@ -1,11 +1,11 @@
-PACKAGECONFIG_append = " fips"
+PACKAGECONFIG:append = " fips"

PACKAGECONFIG[fips] = "fips --with-fipsdir=${STAGING_DIR_TARGET}${libdir}/ssl/fips-2.0,,openssl-fips,,"

-FILESEXTRAPATHS_prepend := "${THISDIR}/openssl:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/openssl:"

# This adds the necessary symbols if fips is enabled.
-SRC_URI_append = " file://openssl-fips-version.patch \
+SRC_URI:append = " file://openssl-fips-version.patch \
file://0001-make-fips_premain_dso-support-cross-compiling.patch \
"

@@ -14,7 +14,7 @@ DEPENDS += "qemu-native"
inherit qemu

# We need to run the special fips_premain_dso under QEMU
-do_compile_prepend() {
+do_compile:prepend() {
qemu_binary="${@qemu_wrapper_cmdline(d, '${STAGING_DIR_HOST}', ['${STAGING_LIBDIR}','${STAGING_BASELIBDIR}'])}"
cat << EOF > fips_premain_dso
#! /bin/sh
diff --git a/recipes-support/fipscheck/fipscheck_1.5.0.bb b/recipes-support/fipscheck/fipscheck_1.5.0.bb
index 970640d..df72454 100644
--- a/recipes-support/fipscheck/fipscheck_1.5.0.bb
+++ b/recipes-support/fipscheck/fipscheck_1.5.0.bb
@@ -27,13 +27,13 @@ EXTRA_OECONF += " \
EXTRA_OEMAKE += " \
-I${STAGING_LIBDIR_NATIVE}/ssl/fips-2.0/include \
"
-do_install_append() {
+do_install:append() {
install -d ${D}${libdir}/fipscheck
}

inherit qemu

-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
if [ -n "$D" ]; then
if ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'true','false', d)}; then
${@qemu_run_binary(d, '$D', '${bindir}/fipshmac')} \
@@ -54,4 +54,4 @@ python __anonymous() {
raise bb.parse.SkipPackage("To enable the fipscheck recipe set OPENSSL_FIPS_ENABLED = '1'.")
}

-FILES_${PN} += "${libdir}/fipscheck"
+FILES:${PN} += "${libdir}/fipscheck"
diff --git a/recipes-support/rng-tools/rng-tools_6.%.bbappend b/recipes-support/rng-tools/rng-tools_6.%.bbappend
index c487175..7eeaecb 100644
--- a/recipes-support/rng-tools/rng-tools_6.%.bbappend
+++ b/recipes-support/rng-tools/rng-tools_6.%.bbappend
@@ -1,4 +1,4 @@
FIPSINC = ""
-FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'rng-tools_fips.inc'}"
+FIPSINC:class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'rng-tools_fips.inc'}"

require ${FIPSINC}
diff --git a/recipes-support/rng-tools/rng-tools_fips.inc b/recipes-support/rng-tools/rng-tools_fips.inc
index d5f6435..e3b89ca 100644
--- a/recipes-support/rng-tools/rng-tools_fips.inc
+++ b/recipes-support/rng-tools/rng-tools_fips.inc
@@ -1,2 +1,2 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/rng-tools:"
+FILESEXTRAPATHS:prepend := "${THISDIR}/rng-tools:"

--
2.25.1

Refresh patches:
0001-openssh-8.6p1-fips.patch
0001-conditional-enable-fips-mode.patch

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../0001-conditional-enable-fips-mode.patch | 38 +++++++------
...ps.patch => 0001-openssh-8.6p1-fips.patch} | 55 ++++++++++---------
recipes-connectivity/openssh/openssh_fips.inc | 2 +-
3 files changed, 50 insertions(+), 45 deletions(-)
rename recipes-connectivity/openssh/openssh/{0001-openssh-8.4p1-fips.patch => 0001-openssh-8.6p1-fips.patch} (92%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index 9fd19c0..9bec7d7 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 48888de317391522186c6ae24a8d6d7d7add2673 Mon Sep 17 00:00:00 2001
+From 1696484c2a06e2ec095d748d2155eb8206dd850b Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
Date: Sat, 21 Dec 2019 13:03:23 +0800
Subject: [PATCH] conditional enable fips mode
@@ -14,11 +14,12 @@ The ssh_malloc_init function is removed in openssh 8.1p1, we need to
insert ssh_enable_fips_mode function to main function for all
applications.

+Rebase to 8.6p1
Signed-off-by: Yi Zhao <yi.zhao@...>
---
sftp-server-main.c | 1 +
sftp-server.c | 1 +
- sftp.c | 1 +
+ sftp.c | 2 ++
ssh-add.c | 1 +
ssh-agent.c | 1 +
ssh-keygen.c | 1 +
@@ -29,7 +30,7 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
sshd.c | 1 +
xmalloc.c | 20 ++++++++++++++++++++
xmalloc.h | 1 +
- 13 files changed, 32 insertions(+)
+ 13 files changed, 33 insertions(+)

diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d3..a10566d 100644
@@ -44,10 +45,10 @@ index 06566d3..a10566d 100644
sanitise_stdfd();

diff --git a/sftp-server.c b/sftp-server.c
-index 7300900..42da9d7 100644
+index 838f048..8a8d87b 100644
--- a/sftp-server.c
+++ b/sftp-server.c
-@@ -1616,6 +1616,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1656,6 +1656,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *optarg;
extern char *__progname;

@@ -56,19 +57,20 @@ index 7300900..42da9d7 100644
log_init(__progname, log_level, log_facility, log_stderr);

diff --git a/sftp.c b/sftp.c
-index fb3c08d..85b9b67 100644
+index 3f46c55..e9c8f1d 100644
--- a/sftp.c
+++ b/sftp.c
-@@ -2345,6 +2345,7 @@ main(int argc, char **argv)
- size_t num_requests = DEFAULT_NUM_REQUESTS;
+@@ -2342,6 +2342,8 @@ main(int argc, char **argv)
+ size_t num_requests = 0;
long long limit_kbps = 0;

+ ssh_enable_fips_mode();
++
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
msetlocale();
diff --git a/ssh-add.c b/ssh-add.c
-index 7edb9f9..c75f85b 100644
+index 92192fc..4ed14cd 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -667,6 +667,7 @@ main(int argc, char **argv)
@@ -80,7 +82,7 @@ index 7edb9f9..c75f85b 100644
sanitise_stdfd();

diff --git a/ssh-agent.c b/ssh-agent.c
-index 58fe6dd..9018a7c 100644
+index 48a47d4..8a0d7a2 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1388,6 +1388,7 @@ main(int ac, char **av)
@@ -92,7 +94,7 @@ index 58fe6dd..9018a7c 100644
sanitise_stdfd();

diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 6451584..246caa1 100644
+index fc73943..cdb45a9 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -3153,6 +3153,7 @@ main(int argc, char **argv)
@@ -140,7 +142,7 @@ index a9a6fe3..3c76f70 100644
seed_rng();
TAILQ_INIT(&pkcs11_keylist);
diff --git a/ssh.c b/ssh.c
-index 729d87a..ab78b53 100644
+index a6e7642..8f91534 100644
--- a/ssh.c
+++ b/ssh.c
@@ -650,6 +650,7 @@ main(int ac, char **av)
@@ -152,10 +154,10 @@ index 729d87a..ab78b53 100644
sanitise_stdfd();

diff --git a/sshd.c b/sshd.c
-index fee4703..07faf7b 100644
+index b2ab001..8112d2c 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -1534,6 +1534,7 @@ main(int ac, char **av)
+@@ -1535,6 +1535,7 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;

@@ -199,13 +201,13 @@ index b48d33b..456a063 100644
+ }
+}
diff --git a/xmalloc.h b/xmalloc.h
-index abaf7ad..b3b1c8c 100644
+index a6b8d23..18fe756 100644
--- a/xmalloc.h
+++ b/xmalloc.h
-@@ -26,3 +26,4 @@ int xasprintf(char **, const char *, ...)
- __attribute__((__nonnull__ (2)));
+@@ -25,3 +25,4 @@ int xasprintf(char **, const char *, ...)
+ __attribute__((__format__ (printf, 2, 3))) __attribute__((__nonnull__ (2)));
int xvasprintf(char **, const char *, va_list)
- __attribute__((__nonnull__ (2)));
+ __attribute__((__nonnull__ (2)));
+void ssh_enable_fips_mode(void);
--
2.17.1
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.6p1-fips.patch
similarity index 92%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.6p1-fips.patch
index 10687ff..ff1b5dc 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.4p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.6p1-fips.patch
@@ -1,7 +1,7 @@
-From 0452f9dc4acf90b8d7ac6ddf6ebbe455d202ce54 Mon Sep 17 00:00:00 2001
+From 064c5cafa532166058a5cc694c4398ed2aaae8d1 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.4p1 fips
+Subject: [PATCH] openssh 8.6p1 fips

Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
@@ -19,6 +19,9 @@ Port openssh-7.7p1-fips.patch from Fedora
https://src.fedoraproject.org/rpms/openssh.git
(commit: fbd5f1bee2e2cdc7b1b47f4604b8347d8c3ed63f)

+Signed-off-by: Yi Zhao <yi.zhao@...>
+
+Rebase to 8.6p1
Signed-off-by: Yi Zhao <yi.zhao@...>
---
Makefile.in | 14 +++++++-------
@@ -38,10 +41,10 @@ Signed-off-by: Yi Zhao <yi.zhao@...>
14 files changed, 171 insertions(+), 20 deletions(-)

diff --git a/Makefile.in b/Makefile.in
-index e3cd296..bf53fb0 100644
+index b749206..ee58570 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -204,25 +204,25 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -205,25 +205,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -73,7 +76,7 @@ index e3cd296..bf53fb0 100644

ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -231,7 +231,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+@@ -232,7 +232,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)

ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
@@ -97,10 +100,10 @@ index 32771f2..74fac3b 100644
return (&aes_ctr);
}
diff --git a/dh.c b/dh.c
-index b5bb35e..676f893 100644
+index ce2eb47..c038961 100644
--- a/dh.c
+++ b/dh.c
-@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
+@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max)
int best, bestcount, which, linenum;
struct dhgroup dhg;

@@ -110,10 +113,10 @@ index b5bb35e..676f893 100644
+ return (dh_new_group_fallback(max));
+ }
+
- if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
+ if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus",
- _PATH_DH_MODULI, strerror(errno));
-@@ -489,4 +495,38 @@ dh_estimate(int bits)
+ get_moduli_filename(), strerror(errno));
+@@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192;
}

@@ -153,7 +156,7 @@ index b5bb35e..676f893 100644
+
#endif /* WITH_OPENSSL */
diff --git a/dh.h b/dh.h
-index 5d6df62..54c7aa2 100644
+index c6326a3..e51e292 100644
--- a/dh.h
+++ b/dh.h
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
@@ -163,9 +166,9 @@ index 5d6df62..54c7aa2 100644
+int dh_is_known_group(const DH *);

u_int dh_estimate(int);
-
+ void dh_set_moduli_file(const char *);
diff --git a/kex.c b/kex.c
-index 30425ab..1250f42 100644
+index 709a0ec..c4ac65f 100644
--- a/kex.c
+++ b/kex.c
@@ -165,7 +165,10 @@ kex_names_valid(const char *names)
@@ -257,7 +260,7 @@ index f03b7df..57b8779 100644
#define SSH_ALLOWED_CA_SIGALGS \
"ssh-ed25519," \
diff --git a/readconf.c b/readconf.c
-index 724974b..870a654 100644
+index 0f27652..6311bd1 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2475,11 +2475,16 @@ fill_default_options(Options * options)
@@ -283,10 +286,10 @@ index 724974b..870a654 100644
do { \
if ((r = kex_assemble_names(&options->what, \
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index d8dc712..c6e62e4 100644
+index 798b24b..bbc2380 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
-@@ -157,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -160,6 +160,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_open
SC_DENY(__NR_open, EACCES),
#endif
@@ -297,7 +300,7 @@ index d8dc712..c6e62e4 100644
SC_DENY(__NR_openat, EACCES),
#endif
diff --git a/servconf.c b/servconf.c
-index 9695583..98f6303 100644
+index 4d1910f..4502fef 100644
--- a/servconf.c
+++ b/servconf.c
@@ -218,11 +218,16 @@ assemble_algorithms(ServerOptions *o)
@@ -323,7 +326,7 @@ index 9695583..98f6303 100644
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f11..6451584 100644
+index 027c6db..fc73943 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
@@ -359,7 +362,7 @@ index cfb5f11..6451584 100644
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));
diff --git a/ssh.c b/ssh.c
-index 53330da..729d87a 100644
+index 35b6b51..a6e7642 100644
--- a/ssh.c
+++ b/ssh.c
@@ -77,6 +77,8 @@
@@ -400,7 +403,7 @@ index 53330da..729d87a 100644
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
strlen(options.sk_provider) > 1) {
diff --git a/sshd.c b/sshd.c
-index eff4778..fee4703 100644
+index 8918eb2..b2ab001 100644
--- a/sshd.c
+++ b/sshd.c
@@ -66,6 +66,7 @@
@@ -420,7 +423,7 @@ index eff4778..fee4703 100644
#include "openbsd-compat/openssl-compat.h"
#endif

-@@ -1536,6 +1539,18 @@ main(int ac, char **av)
+@@ -1537,6 +1540,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);

@@ -439,7 +442,7 @@ index eff4778..fee4703 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -2017,6 +2032,10 @@ main(int ac, char **av)
+@@ -2023,6 +2038,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);

@@ -447,11 +450,11 @@ index eff4778..fee4703 100644
+ logit("FIPS mode initialized");
+ }
+
- /* Chdir to the root directory so that the current disk can be
- unmounted if desired. */
- if (chdir("/") == -1)
+ /*
+ * Chdir to the root directory so that the current disk can be
+ * unmounted if desired.
diff --git a/sshkey.c b/sshkey.c
-index b25c59a..8fcfe22 100644
+index e92709d..5bd4fa9 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 194a6f4..efba8db 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
RRECOMMENDS_${PN}-sshd_remove = "rng-tools"

SRC_URI += " \
- file://0001-openssh-8.4p1-fips.patch \
+ file://0001-openssh-8.6p1-fips.patch \
file://0001-conditional-enable-fips-mode.patch \
file://openssh-6.6p1-ctr-cavstest.patch \
file://openssh-6.7p1-kdf-cavs.patch \
--
2.25.1

Signed-off-by: Yi Zhao <yi.zhao@...>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 01026f0..fc1dcbd 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -10,7 +10,7 @@ BBFILE_PRIORITY_meta-openssl-one-zero-two-fips = "5"

LAYERVERSION_meta-openssl-one-zero-two-fips = "1"

-LAYERSERIES_COMPAT_meta-openssl-one-zero-two-fips = "hardknott"
+LAYERSERIES_COMPAT_meta-openssl-one-zero-two-fips = "honister"

LAYERPATH_meta-openssl-one-zero-two-fips = "${LAYERDIR}"

--
2.25.1

This is the result of automated script conversion:
poky/scripts/contrib/convert-overrides.py meta-openssl102

Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../openssl/openssl_1.0.2u.bb | 44 +++++++++----------
1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/recipes-connectivity/openssl/openssl_1.0.2u.bb b/recipes-connectivity/openssl/openssl_1.0.2u.bb
index 10707ed..7fc3b12 100644
--- a/recipes-connectivity/openssl/openssl_1.0.2u.bb
+++ b/recipes-connectivity/openssl/openssl_1.0.2u.bb
@@ -9,7 +9,7 @@ LICENSE = "openssl"
LIC_FILES_CHKSUM = "file://LICENSE;md5=f475368924827d06d4b416111c8bdb77"

DEPENDS = "hostperl-runtime-native"
-DEPENDS_append_class-target = " openssl-native"
+DEPENDS:append:class-target = " openssl-native"

SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://run-ptest \
@@ -54,12 +54,12 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://CVE-2021-23841.patch \
"

-SRC_URI_append_class-target = " \
+SRC_URI:append:class-target = " \
file://reproducible-cflags.patch \
file://reproducible-mkbuildinf.patch \
"

-SRC_URI_append_class-nativesdk = " \
+SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"

@@ -73,8 +73,8 @@ UPSTREAM_CHECK_REGEX = "openssl-(?P<pver>1\.0.+)\.tar"
inherit pkgconfig siteinfo lib_package multilib_header ptest manpages

PACKAGECONFIG ?= "cryptodev-linux"
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""

PACKAGECONFIG[disable-weak-ciphers] = "no-des no-ec no-ecdh no-ecdsa no-md2 no-mdc2,,,"
PACKAGECONFIG[cryptodev-linux] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,,cryptodev-linux"
@@ -90,8 +90,8 @@ EXTRA_OEMAKE = "${@bb.utils.contains('PACKAGECONFIG', 'manpages', '', 'OE_DISABL
export OE_LDFLAGS = "${LDFLAGS}"

TERMIO ?= "-DTERMIO"
-TERMIO_libc-musl = "-DTERMIOS"
-EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
+TERMIO:libc-musl = "-DTERMIOS"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"

CFLAG = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB_ENDIAN', d)} \
${TERMIO} ${CFLAGS} -Wall"
@@ -100,7 +100,7 @@ CFLAG = "${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', '-DL_ENDIAN', '-DB
# (and it causes issues with SELinux)
CFLAG += "-Wa,--noexecstack"

-CFLAG_append_class-native = " -fPIC"
+CFLAG:append:class-native = " -fPIC"

do_configure () {
# The crypto_use_bigint patch means that perl's bignum module needs to be
@@ -211,7 +211,7 @@ do_compile () {
oe_runmake
}

-do_compile_class-target () {
+do_compile:class-target () {
sed -i 's/\((OPENSSL=\)".*"/\1"openssl"/' Makefile
oe_runmake depend
cc_sanitized=$(echo "${CC} ${CFLAG}" | sed -e 's,--sysroot=${STAGING_DIR_TARGET},,g' -e 's|${DEBUG_PREFIX_MAP}||g' -e 's/[ \t]\+/ /g')
@@ -261,7 +261,7 @@ do_install () {
ln -sf ${@oe.path.relative('${libdir}/ssl', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl/openssl.cnf
}

-do_install_append_class-native () {
+do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
OPENSSL_CONF=${libdir}/ssl/openssl.cnf \
SSL_CERT_DIR=${libdir}/ssl/certs \
@@ -269,7 +269,7 @@ do_install_append_class-native () {
OPENSSL_ENGINES=${libdir}/ssl/engines
}

-do_install_append_class-nativesdk () {
+do_install:append:class-nativesdk () {
mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
}
@@ -329,18 +329,18 @@ do_install_ptest () {

PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"

-FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl${SOLIBS}"
-FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf ${libdir}/ssl/openssl.cnf"
-FILES_${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
-FILES_${PN}-misc = "${libdir}/ssl/misc"
-FILES_${PN} =+ "${libdir}/ssl/*"
-FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf ${libdir}/ssl/openssl.cnf"
+FILES:${PN}-engines = "${libdir}/ssl/engines/*.so ${libdir}/engines"
+FILES:${PN}-misc = "${libdir}/ssl/misc"
+FILES:${PN} =+ "${libdir}/ssl/*"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"

-CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"

-RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
-RDEPENDS_${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"
+RRECOMMENDS:libcrypto += "openssl-conf"
+RDEPENDS:${PN}-misc = "${@bb.utils.filter('PACKAGECONFIG', 'perl', d)}"
+RDEPENDS:${PN}-ptest += "${PN}-misc make perl perl-module-filehandle bc"

BBCLASSEXTEND = "native nativesdk"
--
2.25.1