Date   

[layerindex][PATCH 0/4] Various fixes

Tim Orling
 

Various fixes to address errors and warnings when running update.py

The following changes since commit 796d2455bb862ed4c71eadfa9fcf4c002752c2f3:

templates/*: staticfiles -> static (2022-01-13 23:36:22 -0800)

are available in the Git repository at:

git://git.yoctoproject.org/layerindex-web timo/fixes
http://git.yoctoproject.org/cgit.cgi/layerindex-web/log/?h=timo/fixes

Tim Orling (4):
layerindex/urls.py: fix about url pattern
layerindex/models.py: add Inactive-Upstream
recipe{desc,parse}.py: BB_ENV_PASSTHROUGH_ADDITIONS
layerindex/utils.py: ignore 'core' in BBFILES_COLLECTIONS

.../migrations/0046_alter_patch_status.py | 18 ++++++++++++++++++
layerindex/models.py | 1 +
layerindex/recipedesc.py | 2 +-
layerindex/recipeparse.py | 2 +-
layerindex/urls.py | 2 +-
layerindex/utils.py | 7 ++++++-
6 files changed, 28 insertions(+), 4 deletions(-)
create mode 100644 layerindex/migrations/0046_alter_patch_status.py

--
2.30.2


[meta-security][PATCH 6/6] tpm2-pkcs11: update to 1.8.0

Petr Gotthard
 

The build patches are now included in the upstream,
the local binary checkes can be disabled with --disable-ptool-checks,
the boostrap doesn't need to be called if the release .tar.gz is used.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
.../0001-remove-local-binary-checkes.patch | 77 -
.../0001-ssl-compile-against-OSSL-3.0.patch | 1305 -----------------
...ssl-require-version-1.1.0-or-greater.patch | 93 --
.../tpm2-pkcs11/files/bootstrap_fixup.patch | 12 -
...2-pkcs11_1.7.0.bb => tpm2-pkcs11_1.8.0.bb} | 18 +-
5 files changed, 7 insertions(+), 1498 deletions(-)
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
rename meta-tpm/recipes-tpm2/tpm2-pkcs11/{tpm2-pkcs11_1.7.0.bb => tpm2-pkcs11_1.8.0.bb} (76%)

diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
deleted file mode 100644
index 9d3f073..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@...>
-Date: Wed, 14 Oct 2020 08:55:33 -0700
-Subject: [PATCH] remove local binary checkes
-
-Signed-off-by: Armin Kuster <akuster808@...>
-
-Upsteam-Status: Inappropriate
-These are only needed to run on the tartget so we add an RDPENDS.
-Not needed for building.
-
----
- configure.ac | 48 ------------------------------------------------
- 1 file changed, 48 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 50e7d4b..2b9abcf 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -219,54 +219,6 @@ AX_PROG_JAVAC()
- AX_PROG_JAVA()
- m4_popdef([AC_MSG_ERROR])
-
--AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
-- AS_IF([test "x$tpm2_createprimary" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no])
-- AS_IF([test "x$tpm2_create" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no])
-- AS_IF([test "x$tpm2_evictcontrol" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no])
-- AS_IF([test "x$tpm2_readpublic" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no])
-- AS_IF([test "x$tpm2_load" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no])
-- AS_IF([test "x$tpm2_loadexternal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no])
-- AS_IF([test "x$tpm2_unseal" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no])
-- AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no])
-- AS_IF([test "x$tpm2_sign" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no])
-- AS_IF([test "x$tpm2_getcap" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no])
-- AS_IF([test "x$tpm2_import" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])])
--
--AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no])
-- AS_IF([test "x$tpm2_changeauth" != "xyes"],
-- [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])])
--
- AC_DEFUN([integration_test_checks], [
-
- PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],,
---
-2.17.1
-
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
deleted file mode 100644
index ac2f92c..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
+++ /dev/null
@@ -1,1305 +0,0 @@
-From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@...>
-Date: Fri, 3 Sep 2021 11:24:40 -0500
-Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
-
-Compile against OpenSSL. This moves functions non-deprecated things if
-possible and ignores deprecation warnings when not. Padding manipulation
-routines seem to have been marked deprecated in OSSL 3.0, so we need to
-figure out a porting strategy here.
-
-Fixes: #686
-
-Signed-off-by: William Roberts <william.c.roberts@...>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@...>
-
----
- src/lib/backend_esysdb.c | 5 +-
- src/lib/backend_fapi.c | 5 +-
- src/lib/encrypt.c | 2 +-
- src/lib/mech.c | 72 +---
- src/lib/object.c | 3 +-
- src/lib/sign.c | 2 +-
- src/lib/ssl_util.c | 531 ++++++++++++++++--------
- src/lib/ssl_util.h | 31 +-
- src/lib/tpm.c | 6 +-
- src/lib/utils.c | 35 +-
- src/lib/utils.h | 13 -
- test/integration/pkcs-sign-verify.int.c | 94 ++---
- 12 files changed, 441 insertions(+), 358 deletions(-)
-
-Index: git/src/lib/backend_esysdb.c
-===================================================================
---- git.orig/src/lib/backend_esysdb.c
-+++ git/src/lib/backend_esysdb.c
-@@ -3,6 +3,7 @@
- #include "config.h"
- #include "backend_esysdb.h"
- #include "db.h"
-+#include "ssl_util.h"
- #include "tpm.h"
-
- CK_RV backend_esysdb_init(void) {
-@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
- }
-
- twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
-- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
- if (!sealobjauth) {
- rv = CKR_HOST_MEMORY;
- goto error;
-@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
- */
- twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
-
-- twist oldauth = utils_hash_pass(toldpin, oldsalt);
-+ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
- if (!oldauth) {
- goto out;
- }
-Index: git/src/lib/backend_fapi.c
-===================================================================
---- git.orig/src/lib/backend_fapi.c
-+++ git/src/lib/backend_fapi.c
-@@ -11,6 +11,7 @@
- #include "backend_fapi.h"
- #include "emitter.h"
- #include "parser.h"
-+#include "ssl_util.h"
- #include "utils.h"
-
- #ifdef HAVE_FAPI
-@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
- }
-
- twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
-- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
- if (!sealobjauth) {
- rv = CKR_HOST_MEMORY;
- goto error;
-@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
- }
- rv = CKR_GENERAL_ERROR;
-
-- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
-+ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
- if (!oldauth) {
- goto out;
- }
-Index: git/src/lib/encrypt.c
-===================================================================
---- git.orig/src/lib/encrypt.c
-+++ git/src/lib/encrypt.c
-@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
- CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
-
- EVP_PKEY *pkey = NULL;
-- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- return rv;
- }
-Index: git/src/lib/mech.c
-===================================================================
---- git.orig/src/lib/mech.c
-+++ git/src/lib/mech.c
-@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
- }
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(a, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(a, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
- }
-
- /* Apply the PKCS1.5 padding */
-- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
-- inbuf, inlen);
-- if (!rc) {
-+ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
-+ outbuf, padded_len);
-+ if (rv != CKR_OK) {
- LOGE("Applying RSA padding failed");
-- return CKR_GENERAL_ERROR;
-+ return rv;
- }
-
- *outlen = padded_len;
-@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
- size_t key_bytes = *keybits / 8;
-
- unsigned char buf[4096];
-- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
-- inbuf, inlen,
-- key_bytes);
-- if (rc < 0) {
-+ CK_ULONG buflen = sizeof(buf);
-+ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
-+ buf, &buflen);
-+ if (rv != CKR_OK) {
- LOGE("Could not recover CKM_RSA_PKCS Padding");
-- return CKR_GENERAL_ERROR;
-+ return rv;
- }
-
-- /* cannot be < 0 because of check above */
-- if (!outbuf || (unsigned)rc > *outlen) {
-- *outlen = rc;
-+ if (!outbuf || buflen > *outlen) {
-+ *outlen = buflen;
- return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
- }
-
-- *outlen = rc;
-- memcpy(outbuf, buf, rc);
-+ *outlen = buflen;
-+ memcpy(outbuf, buf, buflen);
-
- return CKR_OK;
- }
-@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
- return CKR_GENERAL_ERROR;
- }
-
-- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-- if (!exp_attr) {
-- LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
-- return CKR_GENERAL_ERROR;
-- }
--
- if (modulus_attr->ulValueLen > *outlen) {
- LOGE("Output buffer is too small, got: %lu, required at least %lu",
- *outlen, modulus_attr->ulValueLen);
- return CKR_GENERAL_ERROR;
- }
-
-- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
-- if (!e) {
-- LOGE("Could not convert exponent to bignum");
-- return CKR_GENERAL_ERROR;
-- }
--
-- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
-- if (!n) {
-- LOGE("Could not convert modulus to bignum");
-- BN_free(e);
-- return CKR_GENERAL_ERROR;
-- }
--
-- RSA *rsa = RSA_new();
-- if (!rsa) {
-- LOGE("oom");
-- return CKR_HOST_MEMORY;
-- }
--
-- int rc = RSA_set0_key(rsa, n, e, NULL);
-- if (!rc) {
-- LOGE("Could not set modulus and exponent to OSSL RSA key");
-- BN_free(n);
-- BN_free(e);
-- RSA_free(rsa);
-- return CKR_GENERAL_ERROR;
-+ EVP_PKEY *pkey = NULL;
-+ rv = ssl_util_attrs_to_evp(attrs, &pkey);
-+ if (rv != CKR_OK) {
-+ return rv;
- }
-
-- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-- inbuf, md, -1);
-- RSA_free(rsa);
-- if (!rc) {
-+ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
-+ EVP_PKEY_free(pkey);
-+ if (rv != CKR_OK) {
- LOGE("Applying RSA padding failed");
- return CKR_GENERAL_ERROR;
- }
-Index: git/src/lib/object.c
-===================================================================
---- git.orig/src/lib/object.c
-+++ git/src/lib/object.c
-@@ -15,6 +15,7 @@
- #include "object.h"
- #include "pkcs11.h"
- #include "session_ctx.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
-
-@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
- }
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(a, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(a, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-Index: git/src/lib/sign.c
-===================================================================
---- git.orig/src/lib/sign.c
-+++ git/src/lib/sign.c
-@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
- }
-
- EVP_PKEY *pkey = NULL;
-- rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- return NULL;
- }
-Index: git/src/lib/ssl_util.c
-===================================================================
---- git.orig/src/lib/ssl_util.c
-+++ git/src/lib/ssl_util.c
-@@ -10,6 +10,7 @@
- #include <openssl/rsa.h>
- #include <openssl/sha.h>
-
-+#include "attrs.h"
- #include "log.h"
- #include "pkcs11.h"
- #include "ssl_util.h"
-@@ -19,194 +20,228 @@
- #include <openssl/evperr.h>
- #endif
-
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#include <openssl/core_names.h>
-+#endif
-
- /*
-- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
-- * create an API compatible version of it.
-+ * TODO Port these routines
-+ * Deprecated function block to port
-+ *
-+ * There are no padding routine replacements in OSSL 3.0.
-+ * - per Matt Caswell (maintainer) on mailing list.
-+ * Signature verification can likely be done with EVP Verify interface.
- */
--size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-- point_conversion_form_t form,
-- unsigned char **pbuf, BN_CTX *ctx) {
--
-- /* Get the required buffer length */
-- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
-- if (!len) {
-- return 0;
-- }
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-+#endif
-
-- /* allocate it */
-- unsigned char *buf = OPENSSL_malloc(len);
-- if (!buf) {
-- return 0;
-- }
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+ const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+ CK_BYTE_PTR outbuf) {
-
-- /* convert it */
-- len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
-- if (!len) {
-- OPENSSL_free(buf);
-- return 0;
-+ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
-+ if (!rsa) {
-+ return CKR_GENERAL_ERROR;
- }
-
-- *pbuf = buf;
-- return len;
--}
-+ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-+ inbuf, md, -1);
-
--size_t OBJ_length(const ASN1_OBJECT *obj) {
-+ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
-+}
-
-- if (!obj) {
-- return 0;
-- }
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
-
-- return obj->length;
-+ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
-+ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
- }
-
--const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
-
-- if (!obj) {
-- return NULL;
-+ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
-+ inbuf, inlen, rsa_len);
-+ if (rc < 0) {
-+ return CKR_GENERAL_ERROR;
- }
-
-- return obj->data;
-+ /* cannot be negative due to check above */
-+ *outbuflen = rc;
-+ return CKR_OK;
- }
-
--const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
-- return ASN1_STRING_data((ASN1_STRING *)x);
--}
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic pop
-+#endif
-
--int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-
-- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
-- return 0;
-- }
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
-+
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
-+ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
-+ OSSL_PARAM_END
-+ };
-
-- if (n != NULL) {
-- BN_free(r->n);
-- r->n = n;
-+ /* convert params to EVP key */
-+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
-+ if (!evp_ctx) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (e != NULL) {
-- BN_free(r->e);
-- r->e = e;
-+ int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (d != NULL) {
-- BN_free(r->d);
-- r->d = d;
-+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ return CKR_GENERAL_ERROR;
- }
-
-- return 1;
-+ EVP_PKEY_CTX_free(evp_ctx);
-+
-+ return CKR_OK;
- }
-
--int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
-+
-+ /*
-+ * The simplest way I have found to deal with this is to convert the ASN1 object in
-+ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
-+ * then take the int nid and convert it to a friendly name like prime256v1.
-+ * EVP_PKEY_fromdata can handle group by name.
-+ *
-+ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
-+ */
-+ int curve_id = 0;
-+ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
-+ if (rv != CKR_OK) {
-+ LOGE("Could not get nid from params");
-+ return rv;
-+ }
-
-- if (!r || !s) {
-- return 0;
-+ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
-+ const unsigned char *x = ecpoint->pValue;
-+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
-+ if (!os) {
-+ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
-+ return CKR_GENERAL_ERROR;
- }
-
-- BN_free(sig->r);
-- BN_free(sig->s);
-+ OSSL_PARAM params[] = {
-+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
-+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
-+ OSSL_PARAM_END
-+ };
-
-- sig->r = r;
-- sig->s = s;
-+ /* convert params to EVP key */
-+ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
-+ if (!evp_ctx) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
-+ }
-
-- return 1;
--}
-+ int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
-+ }
-
--EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
-- if (pkey->type != EVP_PKEY_EC) {
-- return NULL;
-+ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+ return CKR_GENERAL_ERROR;
- }
-
-- return pkey->pkey.ec;
-+ EVP_PKEY_CTX_free(evp_ctx);
-+ OPENSSL_free(os);
-+
-+ return CKR_OK;
- }
--#endif
-
--static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
-+#else
-
-- RSA *rsa = NULL;
-- BIGNUM *e = NULL, *n = NULL;
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
-
-- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-- if (!exp) {
-- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
-+ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
-+ if (!e) {
-+ LOGE("Could not convert exponent to bignum");
- return CKR_GENERAL_ERROR;
- }
-
-- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-- if (!mod) {
-- LOGE("RSA Object must have attribute CKA_MODULUS");
-+ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
-+ if (!n) {
-+ LOGE("Could not convert modulus to bignum");
-+ BN_free(e);
- return CKR_GENERAL_ERROR;
- }
-
-- rsa = RSA_new();
-+ RSA *rsa = RSA_new();
- if (!rsa) {
-- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
-- goto error;
-+ LOGE("oom");
-+ return CKR_HOST_MEMORY;
- }
-
-- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
-- if (!e) {
-- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
-- goto error;
-+ int rc = RSA_set0_key(rsa, n, e, NULL);
-+ if (!rc) {
-+ LOGE("Could not set modulus and exponent to OSSL RSA key");
-+ BN_free(n);
-+ BN_free(e);
-+ RSA_free(rsa);
-+ return CKR_GENERAL_ERROR;
- }
-
-- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
-- if (!n) {
-- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
-- goto error;
-+ /* assigned to RSA key */
-+ n = e = NULL;
-+
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ SSL_UTIL_LOGE("EVP_PKEY_new");
-+ RSA_free(rsa);
-+ return CKR_GENERAL_ERROR;
- }
-
-- if (!RSA_set0_key(rsa, n, e, NULL)) {
-- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
-+ rc = EVP_PKEY_assign_RSA(pkey, rsa);
-+ if (rc != 1) {
- RSA_free(rsa);
-- BN_free(e);
-- BN_free(n);
-- goto error;
-+ EVP_PKEY_free(pkey);
-+ return CKR_GENERAL_ERROR;
- }
-
-- *outkey = rsa;
-+ *out_pkey = pkey;
-
- return CKR_OK;
--
--error:
-- RSA_free(rsa);
-- if (e) {
-- BN_free(e);
-- }
-- if (n) {
-- BN_free(n);
-- }
--
-- return CKR_GENERAL_ERROR;
- }
-
--static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
-
-- EC_KEY *key = EC_KEY_new();
-- if (!key) {
-+ EC_KEY *ecc = EC_KEY_new();
-+ if (!ecc) {
- LOGE("oom");
- return CKR_HOST_MEMORY;
- }
-
-- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-- if (!ecparams) {
-- LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-- return CKR_GENERAL_ERROR;
-- }
--
-- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-- if (!ecpoint) {
-- LOGE("ECC Key must have attribute CKA_EC_POINT");
-- return CKR_GENERAL_ERROR;
-- }
--
- /* set params */
- const unsigned char *x = ecparams->pValue;
-- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
-+ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
- if (!k) {
- SSL_UTIL_LOGE("Could not update key with EC Parameters");
-- EC_KEY_free(key);
-+ EC_KEY_free(ecc);
- return CKR_GENERAL_ERROR;
- }
-
-@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
- ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
- if (os) {
- x = os->data;
-- k = o2i_ECPublicKey(&key, &x, os->length);
-+ k = o2i_ECPublicKey(&ecc, &x, os->length);
- ASN1_STRING_free(os);
- if (!k) {
- SSL_UTIL_LOGE("Could not update key with EC Points");
-- EC_KEY_free(key);
-+ EC_KEY_free(ecc);
- return CKR_GENERAL_ERROR;
- }
- }
-
-- *outkey = key;
-+ EVP_PKEY *pkey = EVP_PKEY_new();
-+ if (!pkey) {
-+ SSL_UTIL_LOGE("EVP_PKEY_new");
-+ EC_KEY_free(ecc);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
-+ if (!rc) {
-+ SSL_UTIL_LOGE("Could not set pkey with ec key");
-+ EC_KEY_free(ecc);
-+ EVP_PKEY_free(pkey);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ *out_pkey = pkey;
- return CKR_OK;
- }
-+#endif
-
--CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
-
-- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
-+ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
- if (!a) {
- LOGE("Expected object to have attribute CKA_KEY_TYPE");
- return CKR_KEY_TYPE_INCONSISTENT;
-@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
- return CKR_OK;
- }
-
-- EVP_PKEY *pkey = EVP_PKEY_new();
-- if (!pkey) {
-- LOGE("oom");
-- return CKR_HOST_MEMORY;
-- }
-+ EVP_PKEY *pkey = NULL;
-
- if (key_type == CKK_EC) {
-- EC_KEY *e = NULL;
-- rv = convert_pubkey_ECC(&e, obj->attrs);
-- if (rv != CKR_OK) {
-- return rv;
-+
-+ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-+ if (!ecparams) {
-+ LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-+ return CKR_GENERAL_ERROR;
- }
-- int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
-- if (!rc) {
-- SSL_UTIL_LOGE("Could not set pkey with ec key");
-- EC_KEY_free(e);
-- EVP_PKEY_free(pkey);
-+
-+ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-+ if (!ecpoint) {
-+ LOGE("ECC Key must have attribute CKA_EC_POINT");
- return CKR_GENERAL_ERROR;
- }
-- } else if (key_type == CKK_RSA) {
-- RSA *r = NULL;
-- rv = convert_pubkey_RSA(&r, obj->attrs);
-+
-+ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
- if (rv != CKR_OK) {
- return rv;
- }
-- int rc = EVP_PKEY_assign_RSA(pkey, r);
-- if (!rc) {
-- SSL_UTIL_LOGE("Could not set pkey with rsa key");
-- RSA_free(r);
-- EVP_PKEY_free(pkey);
-+
-+ } else if (key_type == CKK_RSA) {
-+
-+ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-+ if (!exp) {
-+ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
- return CKR_GENERAL_ERROR;
- }
-+
-+ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-+ if (!mod) {
-+ LOGE("RSA Object must have attribute CKA_MODULUS");
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ rv = get_RSA_evp_pubkey(exp, mod, &pkey);
-+ if (rv != CKR_OK) {
-+ return rv;
-+ }
-+
- } else {
- LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
-- EVP_PKEY_free(pkey);
- return CKR_KEY_TYPE_INCONSISTENT;
- }
-
-+ assert(pkey);
- *outpkey = pkey;
-
- return CKR_OK;
-@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
- }
- }
-
-- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-- if (!rc) {
-- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-- goto error;
-+ if (md) {
-+ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-+ if (!rc) {
-+ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-+ goto error;
-+ }
- }
-
- *outpkey_ctx = pkey_ctx;
-@@ -421,21 +482,12 @@ error:
- return CKR_GENERAL_ERROR;
- }
-
--static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-- int padding, const EVP_MD *md,
-- CK_BYTE_PTR digest, CK_ULONG digest_len,
-- CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
-+ const unsigned char *sig, size_t siglen,
-+ const unsigned char *tbs, size_t tbslen) {
-
- CK_RV rv = CKR_GENERAL_ERROR;
--
-- EVP_PKEY_CTX *pkey_ctx = NULL;
-- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-- EVP_PKEY_verify_init, &pkey_ctx);
-- if (rv != CKR_OK) {
-- return rv;
-- }
--
-- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
- if (rc < 0) {
- SSL_UTIL_LOGE("EVP_PKEY_verify failed");
- } else if (rc == 1) {
-@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
- rv = CKR_SIGNATURE_INVALID;
- }
-
-- EVP_PKEY_CTX_free(pkey_ctx);
- return rv;
- }
-
--static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-+static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
-+ unsigned char **outbuf, size_t *outlen) {
-
- if (siglen & 1) {
- LOGE("Expected ECDSA signature length to be even, got : %lu",
-@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
- return CKR_GENERAL_ERROR;
- }
-
-- *outsig = ossl_sig;
-+ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
-+ if (sig_len <= 0) {
-+ if (rc < 0) {
-+ SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+ } else {
-+ LOGE("Expected length to be greater than 0");
-+ }
-+ ECDSA_SIG_free(ossl_sig);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ unsigned char *buf = calloc(1, sig_len);
-+ if (!buf) {
-+ LOGE("oom");
-+ ECDSA_SIG_free(ossl_sig);
-+ return CKR_HOST_MEMORY;
-+ }
-+
-+ unsigned char *p = buf;
-+ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
-+ if (sig_len2 < 0) {
-+ SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+ ECDSA_SIG_free(ossl_sig);
-+ free(buf);
-+ return CKR_GENERAL_ERROR;
-+ }
-+
-+ assert(sig_len == sig_len2);
-+
-+ ECDSA_SIG_free(ossl_sig);
-+
-+ *outbuf = buf;
-+ *outlen = sig_len;
-
- return CKR_OK;
- }
-
- static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
-+ const EVP_MD *md,
- CK_BYTE_PTR digest, CK_ULONG digest_len,
- CK_BYTE_PTR signature, CK_ULONG signature_len) {
-
-- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
-- if (!eckey) {
-- LOGE("Expected EC Key");
-- return CKR_GENERAL_ERROR;
-- }
--
- /*
- * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
- * R + S signatures, so convert it to ASN1 framing.
-@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
- * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
- * For details.
- */
-- ECDSA_SIG *ossl_sig = NULL;
-- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
-+ unsigned char *buf = NULL;
-+ size_t buflen = 0;
-+ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
- if (rv != CKR_OK) {
- return rv;
- }
-
-- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
-- if (rc < 0) {
-- ECDSA_SIG_free(ossl_sig);
-- SSL_UTIL_LOGE("ECDSA_do_verify failed");
-- return CKR_GENERAL_ERROR;
-+ EVP_PKEY_CTX *pkey_ctx = NULL;
-+ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
-+ EVP_PKEY_verify_init, &pkey_ctx);
-+ if (rv != CKR_OK) {
-+ free(buf);
-+ return rv;
- }
-- ECDSA_SIG_free(ossl_sig);
-
-- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
-+ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
-+
-+ EVP_PKEY_CTX_free(pkey_ctx);
-+ free(buf);
-+
-+ return rv;
-+}
-+
-+static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-+ int padding, const EVP_MD *md,
-+ CK_BYTE_PTR digest, CK_ULONG digest_len,
-+ CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+
-+ CK_RV rv = CKR_GENERAL_ERROR;
-+
-+ EVP_PKEY_CTX *pkey_ctx = NULL;
-+ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-+ EVP_PKEY_verify_init, &pkey_ctx);
-+ if (rv != CKR_OK) {
-+ return rv;
-+ }
-+
-+ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+
-+ EVP_PKEY_CTX_free(pkey_ctx);
-+ return rv;
- }
-
- CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
-@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
- digest, digest_len,
- signature, signature_len);
- case EVP_PKEY_EC:
-- return do_sig_verify_ec(pkey, digest, digest_len,
-+ return do_sig_verify_ec(pkey, md, digest, digest_len,
- signature, signature_len);
- default:
- LOGE("Unknown PKEY type, got: %d", type);
-@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
- EVP_PKEY_CTX_free(pkey_ctx);
- return rv;
- }
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt) {
-+
-+
-+ twist out = NULL;
-+ unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-+ if (!ctx) {
-+ SSL_UTIL_LOGE("EVP_MD_CTX_new");
-+ return NULL;
-+ }
-+
-+ int rc = EVP_DigestInit(ctx, EVP_sha256());
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestInit");
-+ goto error;
-+ }
-+
-+ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestUpdate");
-+ goto error;
-+ }
-+
-+ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestUpdate");
-+ goto error;
-+ }
-+
-+ unsigned int len = sizeof(md);
-+ rc = EVP_DigestFinal(ctx, md, &len);
-+ if (rc != 1) {
-+ SSL_UTIL_LOGE("EVP_DigestFinal");
-+ goto error;
-+ }
-+
-+ /* truncate the password to 32 characters */
-+ out = twist_hex_new((char *)md, sizeof(md)/2);
-+
-+error:
-+ EVP_MD_CTX_free(ctx);
-+
-+ return out;
-+}
-+
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
-+
-+ const unsigned char *p = ecparams->pValue;
-+
-+ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-+ if (!a) {
-+ LOGE("Unknown CKA_EC_PARAMS value");
-+ return CKR_ATTRIBUTE_VALUE_INVALID;
-+ }
-+
-+ *nid = OBJ_obj2nid(a);
-+ ASN1_OBJECT_free(a);
-+
-+ return CKR_OK;
-+}
-Index: git/src/lib/ssl_util.h
-===================================================================
---- git.orig/src/lib/ssl_util.h
-+++ git/src/lib/ssl_util.h
-@@ -11,8 +11,8 @@
-
- #include "pkcs11.h"
-
-+#include "attrs.h"
- #include "log.h"
--#include "object.h"
- #include "twist.h"
-
- #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
-@@ -22,6 +22,10 @@
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#endif
-+
- /* OpenSSL Backwards Compat APIs */
- #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
- #include <string.h>
-@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
-
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
-
--CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
-
- CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
- int padding, twist label, const EVP_MD *md,
-@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
- fn_EVP_PKEY_init init_fn,
- EVP_PKEY_CTX **outpkey_ctx);
-
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+ const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+ CK_BYTE_PTR outbuf);
-+
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+ CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
-+
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt);
-+
-+/**
-+ * Given an attribute of CKA_EC_PARAMS returns the nid value.
-+ * @param ecparams
-+ * The DER X9.62 parameters value
-+ * @param nid
-+ * The nid to set
-+ * @return
-+ * CKR_OK on success.
-+ */
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
-+
- #endif /* SRC_LIB_SSL_UTIL_H_ */
-Index: git/src/lib/tpm.c
-===================================================================
---- git.orig/src/lib/tpm.c
-+++ git/src/lib/tpm.c
-@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
- tpm_key_data *keydat = (tpm_key_data *)udata;
-
- int nid = 0;
-- CK_RV rv = ec_params_to_nid(attr, &nid);
-+ CK_RV rv = ssl_util_params_to_nid(attr, &nid);
- if (rv != CKR_OK) {
- return rv;
- }
-@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
- goto out;
- }
-
-- int rc = EC_POINT_set_affine_coordinates_GFp(group,
-+ int rc = EC_POINT_set_affine_coordinates(group,
- pub_key_point_tmp,
- bn_x,
- bn_y,
-@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
- goto out;
- }
-
-- rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
- if (rv != CKR_OK) {
- goto out;
- }
-Index: git/src/lib/utils.c
-===================================================================
---- git.orig/src/lib/utils.c
-+++ git/src/lib/utils.c
-@@ -7,6 +7,7 @@
- #include <openssl/sha.h>
-
- #include "log.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
-
-@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
- pin_to_use = newpin;
- }
-
-- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
-+ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
- if (!*newauthhex) {
- goto out;
- }
-@@ -330,22 +331,6 @@ out:
-
- }
-
--twist utils_hash_pass(const twist pin, const twist salt) {
--
--
-- unsigned char md[SHA256_DIGEST_LENGTH];
--
-- SHA256_CTX sha256;
-- SHA256_Init(&sha256);
--
-- SHA256_Update(&sha256, pin, twist_len(pin));
-- SHA256_Update(&sha256, salt, twist_len(salt));
-- SHA256_Final(md, &sha256);
--
-- /* truncate the password to 32 characters */
-- return twist_hex_new((char *)md, sizeof(md)/2);
--}
--
- size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
-
- switch(mttype) {
-@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
-
- return CKR_OK;
- }
--
--CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
--
-- const unsigned char *p = ecparams->pValue;
--
-- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-- if (!a) {
-- LOGE("Unknown CKA_EC_PARAMS value");
-- return CKR_ATTRIBUTE_VALUE_INVALID;
-- }
--
-- *nid = OBJ_obj2nid(a);
-- ASN1_OBJECT_free(a);
--
-- return CKR_OK;
--}
-
- CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
- CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
-Index: git/src/lib/utils.h
-===================================================================
---- git.orig/src/lib/utils.h
-+++ git/src/lib/utils.h
-@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
- memcpy(dst, src, src_len);
- }
-
--twist utils_hash_pass(const twist pin, const twist salt);
--
- twist aes256_gcm_decrypt(const twist key, const twist objauth);
-
- twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
-@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
- CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
-
- /**
-- * Given an attribute of CKA_EC_PARAMS returns the nid value.
-- * @param ecparams
-- * The DER X9.62 parameters value
-- * @param nid
-- * The nid to set
-- * @return
-- * CKR_OK on success.
-- */
--CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
--
--/**
- * Removes a PKCS7 padding on a 16 byte block.
- * @param in
- * The PKCS5 padded input.
-Index: git/test/integration/pkcs-sign-verify.int.c
-===================================================================
---- git.orig/test/integration/pkcs-sign-verify.int.c
-+++ git/test/integration/pkcs-sign-verify.int.c
-@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
- assert_int_equal(rv, CKR_OK);
- }
-
--static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
--
-- CK_ULONG i;
-- for (i=0; i < attr_len; i++) {
-- CK_ATTRIBUTE_PTR a = &attrs[i];
-- if (a->type == type) {
-- return a;
-- }
-- }
--
-- return NULL;
--}
--
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
--#endif
--
--RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
--
-- RSA *ssl_rsa_key = NULL;
-- BIGNUM *e = NULL, *n = NULL;
--
-- /* get the exponent */
-- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
-- assert_non_null(a);
--
-- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
-- assert_non_null(e);
--
-- /* get the modulus */
-- a = get_attr(CKA_MODULUS, attrs, attr_len);
-- assert_non_null(a);
--
-- n = BN_bin2bn(a->pValue, a->ulValueLen,
-- NULL);
-- assert_non_null(n);
--
-- ssl_rsa_key = RSA_new();
-- assert_non_null(ssl_rsa_key);
--
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-- ssl_rsa_key->e = e;
-- ssl_rsa_key->n = n;
--#else
-- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
-- assert_int_equal(rc, 1);
--#endif
--
-- return ssl_rsa_key;
--}
--
--static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
--
-- EVP_PKEY *pkey = EVP_PKEY_new();
-- assert_non_null(pkey);
--
-- int rc = EVP_PKEY_set1_RSA(pkey, pub);
-- assert_int_equal(rc, 1);
-+static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
-
- EVP_MD_CTX *ctx = EVP_MD_CTX_create();
- const EVP_MD* md = EVP_get_digestbyname("SHA256");
- assert_non_null(md);
-
-- rc = EVP_DigestInit_ex(ctx, md, NULL);
-+ int rc = EVP_DigestInit_ex(ctx, md, NULL);
- assert_int_equal(rc, 1);
-
- rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
-@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
- rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
- assert_int_equal(rc, 1);
-
-- EVP_PKEY_free(pkey);
- EVP_MD_CTX_destroy(ctx);
- }
-
-@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
- assert_int_equal(siglen, 256);
-
- /* build an OSSL RSA key from parts */
-- CK_BYTE _tmp_bufs[2][1024];
-+ CK_BYTE _tmp_bufs[3][1024];
- CK_ATTRIBUTE attrs[] = {
-- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
-+ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-+ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
-+ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
- };
-
- rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
- assert_int_equal(rv, CKR_OK);
-
-- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
-- assert_non_null(r);
-+ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
-+ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
-+ assert_int_equal(rv, CKR_OK);
-+
-+ EVP_PKEY *pkey = NULL;
-+ attr_list *l = attr_list_new();
-+
-+ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
-+ assert_true(res);
-
-- verify(r, msg, sizeof(msg) - 1, sig, siglen);
-- RSA_free(r);
-+ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
-+ assert_true(res);
-+
-+ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
-+ assert_true(res);
-+
-+ rv = ssl_util_attrs_to_evp(l, &pkey);
-+ assert_int_equal(rv, CKR_OK);
-+ attr_list_free(l);
-+
-+ verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
-+ EVP_PKEY_free(pkey);
- }
-
- static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
deleted file mode 100644
index ef0a6dc..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@...>
-Date: Fri, 3 Sep 2021 11:30:50 -0500
-Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
-
-THIS DROPS SUPPORT FOR OSSL 1.0.2.
-
-Signed-off-by: William Roberts <william.c.roberts@...>
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@...>
----
- configure.ac | 2 +-
- src/lib/ssl_util.h | 43 +++++--------------------------------------
- 2 files changed, 6 insertions(+), 39 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index a7aeaf5..94fb5d4 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
- # require sqlite3 and libcrypto
- PKG_CHECK_MODULES([SQLITE3], [sqlite3])
- PKG_CHECK_MODULES([YAML], [yaml-0.1])
--PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])
-+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
-
- # check for pthread
- AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
-diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
-index 9909fd6..2591728 100644
---- a/src/lib/ssl_util.h
-+++ b/src/lib/ssl_util.h
-@@ -15,51 +15,18 @@
- #include "log.h"
- #include "twist.h"
-
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
--/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
--#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
-
--#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
--#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
-+#include <openssl/evperr.h>
- #endif
-
--/* OpenSSL Backwards Compat APIs */
--#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
--#include <string.h>
--size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-- point_conversion_form_t form,
-- unsigned char **pbuf, BN_CTX *ctx);
--
--const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
--
--int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
--
--int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
--
--EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
--
--static inline void *OPENSSL_memdup(const void *dup, size_t l) {
--
-- void *p = OPENSSL_malloc(l);
-- if (!p) {
-- return NULL;
-- }
--
-- memcpy(p, dup, l);
-- return p;
--}
--
--#endif
--
--#ifndef RSA_PSS_SALTLEN_DIGEST
--#define RSA_PSS_SALTLEN_DIGEST -1
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
- #endif
-
--/* Utility APIs */
--
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
-
- CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
---
-2.25.1
-
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
deleted file mode 100644
index d38e237..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@...>
-
-Index: git/bootstrap
-===================================================================
---- git.orig/bootstrap
-+++ git/bootstrap
-@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
- ) > ${VARS_FILE}
-
- mkdir -p m4
--${AUTORECONF} --install --sym $@
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
similarity index 76%
rename from meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
rename to meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index 177c3c3..a9174e6 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -6,21 +6,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"

DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"

-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
- file://bootstrap_fixup.patch \
- file://0001-remove-local-binary-checkes.patch \
- file://0001-ssl-compile-against-OSSL-3.0.patch \
- file://0002-ossl-require-version-1.1.0-or-greater.patch \
- "
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"

-SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
-
-S = "${WORKDIR}/git"
+SRC_URI[sha256sum] = "79f28899047defd6b4b72b7268dd56abf27774954022315f818c239af33e05bd"

inherit autotools-brokensep pkgconfig python3native

-do_configure:prepend () {
- ${S}/bootstrap
+EXTRA_OECONF += "--disable-ptool-checks"
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
}

do_compile:append() {
--
2.25.1


[meta-security][PATCH 5/6] tpm2-tss-engine: fix version string and build with openssl 3.0

Petr Gotthard
 

Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.

Since Yocto now uses OpenSSL 3.0, the file packaging need to
be updated.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
.../tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 4d1f425..efe62a8 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -8,16 +8,23 @@ SECTION = "security/tpm"

DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"

-SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/v${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "ea2941695ac221d23a7f3e1321140e75b1495ae6ade876f2f4c2ed807c65e2a5"

inherit autotools-brokensep pkgconfig systemd

-S = "${WORKDIR}/git"
+# It uses the API deprecated since the OpenSSL 3.0
+CFLAGS:append = ' -Wno-deprecated-declarations -Wno-unused-parameter'
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}

PACKAGES += "${PN}-engines ${PN}-engines-staticdev ${PN}-bash-completion"

-FILES:${PN}-dev = "${libdir}/engines-1.1/tpm2tss.so ${includedir}/*"
-FILES:${PN}-engines = "${libdir}/engines-1.1/lib*.so*"
-FILES:${PN}-engines-staticdev = "${libdir}/engines-1.1/libtpm2tss.a"
+FILES:${PN}-dev = "${libdir}/engines-3/tpm2tss.so ${includedir}/*"
+FILES:${PN}-engines = "${libdir}/engines-3/lib*.so*"
+FILES:${PN}-engines-staticdev = "${libdir}/engines-3/libtpm2tss.a"
FILES:${PN}-bash-completion += "${datadir}/bash-completion/completions"
--
2.25.1


[meta-security][PATCH 4/6] tpm2-abrmd: update to 2.4.1

Petr Gotthard
 

The version number is correctly assigned only when the release .tar.gz
is used.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
.../tpm2-abrmd/{tpm2-abrmd_2.4.0.bb => tpm2-abrmd_2.4.1.bb} | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
rename meta-tpm/recipes-tpm2/tpm2-abrmd/{tpm2-abrmd_2.4.0.bb => tpm2-abrmd_2.4.1.bb} (90%)

diff --git a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
similarity index 90%
rename from meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
rename to meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
index 1818171..daafae3 100644
--- a/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.1.bb
@@ -13,14 +13,12 @@ DEPENDS = "autoconf-archive dbus glib-2.0 tpm2-tss glib-2.0-native \
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"

SRC_URI = "\
- git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \
+ https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"

-SRCREV = "4f332013a02c422e186c4aaf127ab6a40b996028"
-
-S = "${WORKDIR}/git"
+SRC_URI[sha256sum] = "a7844a257eaf5176f612fe9620018edc0880cca7036465ad2593f83ae0ad6673"

inherit autotools pkgconfig systemd update-rc.d useradd

--
2.25.1


[meta-security][PATCH 3/6] tpm2-tss: update to 3.2.0

Petr Gotthard
 

This deletes the patches that were unused for a long time,
updates the tpm2-tss package and introduces a fix to the version
number problem that got introduced with the 3.2.0 version.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
.../tpm2-tss/tpm2-tss/ax_pthread.m4 | 332 ------------------
.../tpm2-tss/fix_musl_select_include.patch | 31 --
.../tpm2-tss/tpm2-tss/fixup_hosttools.patch | 29 +-
.../{tpm2-tss_3.1.0.bb => tpm2-tss_3.2.0.bb} | 7 +-
4 files changed, 22 insertions(+), 377 deletions(-)
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
rename meta-tpm/recipes-tpm2/tpm2-tss/{tpm2-tss_3.1.0.bb => tpm2-tss_3.2.0.bb} (91%)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4 b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
deleted file mode 100644
index d383ad5..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
+++ /dev/null
@@ -1,332 +0,0 @@
-# ===========================================================================
-# http://www.gnu.org/software/autoconf-archive/ax_pthread.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
-#
-# DESCRIPTION
-#
-# This macro figures out how to build C programs using POSIX threads. It
-# sets the PTHREAD_LIBS output variable to the threads library and linker
-# flags, and the PTHREAD_CFLAGS output variable to any special C compiler
-# flags that are needed. (The user can also force certain compiler
-# flags/libs to be tested by setting these environment variables.)
-#
-# Also sets PTHREAD_CC to any special C compiler that is needed for
-# multi-threaded programs (defaults to the value of CC otherwise). (This
-# is necessary on AIX to use the special cc_r compiler alias.)
-#
-# NOTE: You are assumed to not only compile your program with these flags,
-# but also link it with them as well. e.g. you should link with
-# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
-#
-# If you are only building threads programs, you may wish to use these
-# variables in your default LIBS, CFLAGS, and CC:
-#
-# LIBS="$PTHREAD_LIBS $LIBS"
-# CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-# CC="$PTHREAD_CC"
-#
-# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
-# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
-# (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
-#
-# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
-# PTHREAD_PRIO_INHERIT symbol is defined when compiling with
-# PTHREAD_CFLAGS.
-#
-# ACTION-IF-FOUND is a list of shell commands to run if a threads library
-# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
-# is not found. If ACTION-IF-FOUND is not specified, the default action
-# will define HAVE_PTHREAD.
-#
-# Please let the authors know if this macro fails on any platform, or if
-# you have any other suggestions or comments. This macro was based on work
-# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
-# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
-# Alejandro Forero Cuervo to the autoconf macro repository. We are also
-# grateful for the helpful feedback of numerous users.
-#
-# Updated for Autoconf 2.68 by Daniel Richard G.
-#
-# LICENSE
-#
-# Copyright (c) 2008 Steven G. Johnson <stevenj@...>
-# Copyright (c) 2011 Daniel Richard G. <skunk@...>
-#
-# This program is free software: you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 3 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# As a special exception, the respective Autoconf Macro's copyright owner
-# gives unlimited permission to copy, distribute and modify the configure
-# scripts that are the output of Autoconf when processing the Macro. You
-# need not follow the terms of the GNU General Public License when using
-# or distributing such scripts, even though portions of the text of the
-# Macro appear in them. The GNU General Public License (GPL) does govern
-# all other use of the material that constitutes the Autoconf Macro.
-#
-# This special exception to the GPL applies to versions of the Autoconf
-# Macro released by the Autoconf Archive. When you make and distribute a
-# modified version of the Autoconf Macro, you may extend this special
-# exception to the GPL to apply to your modified version as well.
-
-#serial 21
-
-AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
-AC_DEFUN([AX_PTHREAD], [
-AC_REQUIRE([AC_CANONICAL_HOST])
-AC_LANG_PUSH([C])
-ax_pthread_ok=no
-
-# We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on True64 or Sequent).
-# It gets checked for in the link test anyway.
-
-# First of all, check if the user has set any of the PTHREAD_LIBS,
-# etcetera environment variables, and if threads linking works using
-# them:
-if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
- AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
- AC_MSG_RESULT([$ax_pthread_ok])
- if test x"$ax_pthread_ok" = xno; then
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
- fi
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-fi
-
-# We must check for the threads library under a number of different
-# names; the ordering is very important because some systems
-# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
-# libraries is broken (non-POSIX).
-
-# Create a list of thread flags to try. Items starting with a "-" are
-# C compiler flags, and other items are library names, except for "none"
-# which indicates that we try without any flags at all, and "pthread-config"
-# which is a program returning the flags for the Pth emulation library.
-
-ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
-
-# The ordering *is* (sometimes) important. Some notes on the
-# individual items follow:
-
-# pthreads: AIX (must check this before -lpthread)
-# none: in case threads are in libc; should be tried before -Kthread and
-# other compiler flags to prevent continual compiler warnings
-# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
-# -pthreads: Solaris/gcc
-# -mthreads: Mingw32/gcc, Lynx/gcc
-# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-# doesn't hurt to check since this sometimes defines pthreads too;
-# also defines -D_REENTRANT)
-# ... -mt is also the pthreads flag for HP/aCC
-# pthread: Linux, etcetera
-# --thread-safe: KAI C++
-# pthread-config: use pthread-config program (for GNU Pth library)
-
-case ${host_os} in
- solaris*)
-
- # On Solaris (at least, for some versions), libc contains stubbed
- # (non-functional) versions of the pthreads routines, so link-based
- # tests will erroneously succeed. (We need to link with -pthreads/-mt/
- # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather
- # a function called by this macro, so we could check for that, but
- # who knows whether they'll stub that too in a future libc.) So,
- # we'll just look for -pthreads and -lpthread first:
-
- ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
- ;;
-
- darwin*)
- ax_pthread_flags="-pthread $ax_pthread_flags"
- ;;
-esac
-
-# Clang doesn't consider unrecognized options an error unless we specify
-# -Werror. We throw in some extra Clang-specific options to ensure that
-# this doesn't happen for GCC, which also accepts -Werror.
-
-AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
-save_CFLAGS="$CFLAGS"
-ax_pthread_extra_flags="-Werror"
-CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
- [AC_MSG_RESULT([yes])],
- [ax_pthread_extra_flags=
- AC_MSG_RESULT([no])])
-CFLAGS="$save_CFLAGS"
-
-if test x"$ax_pthread_ok" = xno; then
-for flag in $ax_pthread_flags; do
-
- case $flag in
- none)
- AC_MSG_CHECKING([whether pthreads work without any flags])
- ;;
-
- -*)
- AC_MSG_CHECKING([whether pthreads work with $flag])
- PTHREAD_CFLAGS="$flag"
- ;;
-
- pthread-config)
- AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
- if test x"$ax_pthread_config" = xno; then continue; fi
- PTHREAD_CFLAGS="`pthread-config --cflags`"
- PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
- ;;
-
- *)
- AC_MSG_CHECKING([for the pthreads library -l$flag])
- PTHREAD_LIBS="-l$flag"
- ;;
- esac
-
- save_LIBS="$LIBS"
- save_CFLAGS="$CFLAGS"
- LIBS="$PTHREAD_LIBS $LIBS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
-
- # Check for various functions. We must include pthread.h,
- # since some functions may be macros. (On the Sequent, we
- # need a special flag -Kthread to make this header compile.)
- # We check for pthread_join because it is in -lpthread on IRIX
- # while pthread_create is in libc. We check for pthread_attr_init
- # due to DEC craziness with -lpthreads. We check for
- # pthread_cleanup_push because it is one of the few pthread
- # functions on Solaris that doesn't have a non-functional libc stub.
- # We try pthread_create on general principles.
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
- static void routine(void *a) { a = 0; }
- static void *start_routine(void *a) { return a; }],
- [pthread_t th; pthread_attr_t attr;
- pthread_create(&th, 0, start_routine, 0);
- pthread_join(th, 0);
- pthread_attr_init(&attr);
- pthread_cleanup_push(routine, 0);
- pthread_cleanup_pop(0) /* ; */])],
- [ax_pthread_ok=yes],
- [])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- AC_MSG_RESULT([$ax_pthread_ok])
- if test "x$ax_pthread_ok" = xyes; then
- break;
- fi
-
- PTHREAD_LIBS=""
- PTHREAD_CFLAGS=""
-done
-fi
-
-# Various other checks:
-if test "x$ax_pthread_ok" = xyes; then
- save_LIBS="$LIBS"
- LIBS="$PTHREAD_LIBS $LIBS"
- save_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-
- # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
- AC_MSG_CHECKING([for joinable pthread attribute])
- attr_name=unknown
- for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
- AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
- [int attr = $attr; return attr /* ; */])],
- [attr_name=$attr; break],
- [])
- done
- AC_MSG_RESULT([$attr_name])
- if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
- AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
- [Define to necessary symbol if this constant
- uses a non-standard name on your system.])
- fi
-
- AC_MSG_CHECKING([if more special flags are required for pthreads])
- flag=no
- case ${host_os} in
- aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";;
- osf* | hpux*) flag="-D_REENTRANT";;
- solaris*)
- if test "$GCC" = "yes"; then
- flag="-D_REENTRANT"
- else
- # TODO: What about Clang on Solaris?
- flag="-mt -D_REENTRANT"
- fi
- ;;
- esac
- AC_MSG_RESULT([$flag])
- if test "x$flag" != xno; then
- PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
- fi
-
- AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
- [ax_cv_PTHREAD_PRIO_INHERIT], [
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
- [[int i = PTHREAD_PRIO_INHERIT;]])],
- [ax_cv_PTHREAD_PRIO_INHERIT=yes],
- [ax_cv_PTHREAD_PRIO_INHERIT=no])
- ])
- AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
- [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
-
- LIBS="$save_LIBS"
- CFLAGS="$save_CFLAGS"
-
- # More AIX lossage: compile with *_r variant
- if test "x$GCC" != xyes; then
- case $host_os in
- aix*)
- AS_CASE(["x/$CC"],
- [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
- [#handle absolute path differently from PATH based program lookup
- AS_CASE(["x$CC"],
- [x/*],
- [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
- [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
- ;;
- esac
- fi
-fi
-
-test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
-
-AC_SUBST([PTHREAD_LIBS])
-AC_SUBST([PTHREAD_CFLAGS])
-AC_SUBST([PTHREAD_CC])
-
-# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test x"$ax_pthread_ok" = xyes; then
- ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
- :
-else
- ax_pthread_ok=no
- $2
-fi
-AC_LANG_POP
-])dnl AX_PTHREAD
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
deleted file mode 100644
index ecaca6e..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-This fixes musl build issue do to missing FD_* defines.
-Add sys/select.h
-
-Upstream-Status: Pending
-
-Signed-off-by: Armin Kuster <akuster@...>
-
-Index: TPM2.0-TSS/tcti/tcti_socket.cpp
-===================================================================
---- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
-+++ TPM2.0-TSS/tcti/tcti_socket.cpp
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_socket.h>
- #include "sysapi_util.h"
-Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
-===================================================================
---- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
-+++ TPM2.0-TSS/resourcemgr/resourcemgr.c
-@@ -28,6 +28,7 @@
- #include <stdio.h>
- #include <stdlib.h> // Needed for _wtoi
-
-+#include "sys/select.h"
- #include <sapi/tpm20.h>
- #include <tcti/tcti_device.h>
- #include <tcti/tcti_socket.h>
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
index b5579e1..450698f 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
+++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fixup_hosttools.patch
@@ -5,22 +5,25 @@ Not appropriate for cross build env.
Upstream-Status: OE [inappropriate]
Signed-off-by: Armin Kuster <akuster808@...>

-Index: tpm2-tss-3.1.0/configure.ac
+Index: tpm2-tss-3.2.0/configure.ac
===================================================================
---- tpm2-tss-3.1.0.orig/configure.ac
-+++ tpm2-tss-3.1.0/configure.ac
-@@ -471,14 +471,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy
+--- tpm2-tss-3.2.0.orig/configure.ac
++++ tpm2-tss-3.2.0/configure.ac
+@@ -488,17 +488,6 @@
AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes)
AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes")
- # Check all tools used by make install
--AS_IF([test "$HOSTOS" = "Linux"],
-- [ERROR_IF_NO_PROG([groupadd])
-- ERROR_IF_NO_PROG([useradd])
-- ERROR_IF_NO_PROG([id])
-- ERROR_IF_NO_PROG([chown])
-- ERROR_IF_NO_PROG([chmod])
-- ERROR_IF_NO_PROG([mkdir])
-- ERROR_IF_NO_PROG([setfacl])])

+-# Check all tools used by make install
+-AS_IF([test "$HOSTOS" = "Linux"],
+- [ AC_CHECK_PROG(useradd, useradd, yes)
+- AC_CHECK_PROG(groupadd, groupadd, yes)
+- AC_CHECK_PROG(adduser, adduser, yes)
+- AC_CHECK_PROG(addgroup, addgroup, yes)
+- AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ],
+- [AC_MSG_ERROR([addgroup or groupadd are needed.])])
+- AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ],
+- [AC_MSG_ERROR([adduser or useradd are needed.])])])
+-
AC_SUBST([PATH])

+ dnl --------- Doxy Gen -----------------------
diff --git a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
similarity index 91%
rename from meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb
rename to meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
index ddcfb58..8440bb9 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.1.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.2.0.bb
@@ -10,7 +10,7 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN
file://fixup_hosttools.patch \
"

-SRC_URI[sha256sum] = "8900a6603f74310b749b65f23c3461cde6e2a23a5f61058b21004c25f9cf19e8"
+SRC_URI[sha256sum] = "48305e4144dcf6d10f3b25b7bccf0189fd2d1186feafd8cd68c6b17ecf0d7912"

inherit autotools pkgconfig systemd useradd

@@ -26,6 +26,11 @@ USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system tss"
USERADD_PARAM:${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"

+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
+
do_install:append() {
# Remove /run as it is created on startup
rm -rf ${D}/run
--
2.25.1


[meta-security][PATCH 2/6] tpm2-openssl: update to 1.1.0

Petr Gotthard
 

Also, the recipe is fixed to correctly package the openssl provider.

This new tpm2-openssl:
- Fixed segmentation fault when a signature algorithm is beging initialized
without a private key.
- Fixed RSA/EC key equality checks. Works with OpenSSL 3.0.1.
- Added support for the `TPM2OPENSSL_PARENT_AUTH` environment variable.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
.../tpm2-openssl/tpm2-openssl_1.0.bb | 11 -----------
.../tpm2-openssl/tpm2-openssl_1.1.0.bb | 19 +++++++++++++++++++
2 files changed, 19 insertions(+), 11 deletions(-)
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
create mode 100644 meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb

diff --git a/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
deleted file mode 100644
index f6a694c..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
-
-SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master"
-
-SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig
diff --git a/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb b/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb
new file mode 100644
index 0000000..55061c9
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+DEPENDS = "autoconf-archive-native tpm2-tss openssl"
+
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "eedcc0b72ad6d232e6f9f55a780290c4d33a4d06efca9314f8a36d7384eb1dfc"
+
+inherit autotools pkgconfig
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
+
+FILES:${PN} = "\
+ ${libdir}/ossl-modules/tpm2.so"
--
2.25.1


[meta-security][PATCH 1/6] tpm2-tools: fix missing version number

Petr Gotthard
 

Calling autoreconf outside git repo causes the version number to
be null. This patch makes the version number fixed.

Signed-off-by: Petr Gotthard <petr.gotthard@...>
---
meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index 6e95a0e..f924038 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -11,3 +11,8 @@ SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN
SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"

inherit autotools pkgconfig bash-completion
+
+do_configure:prepend() {
+ # do not extract the version number from git
+ sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
+}
--
2.25.1


[meta-security][PATCH 0/6] upgrade and cleanup tpm2-software

Petr Gotthard
 

Hello. I'd suggest some "house cleaning" of the tpm2-software. (I am
a member of the tpm2-software community and an upstream developer of
the tpm2-openssl provider.)

In general:

Some tpm2-software is not having the latest versions. For the Kirkstone
I suggest upgrading to the latest, which has the best openssl 3.0 support.

Many tpm2-software have null version strings. I suggest fixing the build
procedure so that the tools are aware of the correct version. It is
crucial e.g. for library dependency checking.

There were some unused patches, some very, very old. Few other patches
have been accepted to the upstream or the upstream changed in a way the
patches are no longer needed (e.g. there is a switch to do the same thing).

Petr Gotthard (6):
tpm2-tools: fix missing version number
tpm2-openssl: update to 1.1.0
tpm2-tss: update to 3.2.0
tpm2-abrmd: update to 2.4.1
tpm2-tss-engine: fix version string and build with openssl 3.0
tpm2-pkcs11: update to 1.8.0

...pm2-abrmd_2.4.0.bb => tpm2-abrmd_2.4.1.bb} | 6 +-
.../tpm2-openssl/tpm2-openssl_1.0.bb | 11 -
.../tpm2-openssl/tpm2-openssl_1.1.0.bb | 19 +
.../0001-remove-local-binary-checkes.patch | 77 -
.../0001-ssl-compile-against-OSSL-3.0.patch | 1305 -----------------
...ssl-require-version-1.1.0-or-greater.patch | 93 --
.../tpm2-pkcs11/files/bootstrap_fixup.patch | 12 -
...2-pkcs11_1.7.0.bb => tpm2-pkcs11_1.8.0.bb} | 18 +-
.../recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb | 5 +
.../tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb | 19 +-
.../tpm2-tss/tpm2-tss/ax_pthread.m4 | 332 -----
.../tpm2-tss/fix_musl_select_include.patch | 31 -
.../tpm2-tss/tpm2-tss/fixup_hosttools.patch | 29 +-
.../{tpm2-tss_3.1.0.bb => tpm2-tss_3.2.0.bb} | 7 +-
14 files changed, 68 insertions(+), 1896 deletions(-)
rename meta-tpm/recipes-tpm2/tpm2-abrmd/{tpm2-abrmd_2.4.0.bb => tpm2-abrmd_2.4.1.bb} (90%)
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
create mode 100644 meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.1.0.bb
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
rename meta-tpm/recipes-tpm2/tpm2-pkcs11/{tpm2-pkcs11_1.7.0.bb => tpm2-pkcs11_1.8.0.bb} (76%)
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/ax_pthread.m4
delete mode 100644 meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss/fix_musl_select_include.patch
rename meta-tpm/recipes-tpm2/tpm2-tss/{tpm2-tss_3.1.0.bb => tpm2-tss_3.2.0.bb} (91%)

--
2.25.1


Re: secure boot w/ Mender bzImage fails validation #dunfell

Leo
 

Hi Casey,

I've recently had to activate secureboot on some uefi target.
I was trying to use meta-secure-core/meta-efi-secure-boot aft first, but after digging a bit more into meta-intel, I've discovered that the implementation of meta-intel is cleaner and simpler than in meta-secure-core.
If you are not interested about using microsoft certificates and the complicated shim + grub combo and that would plan to provision your own certificate in the firmware (which was what I wanted), I think meta-intel is a beter approach.
It is a bundle of systemd-boot (a minimal uefi osloader implementation from systemd, previously gummiboot) with the kernel, cmdline and optionally a initramfs, furthermore it provide some clean and simple class to only sign an uefi binary: https://git.yoctoproject.org/meta-intel/tree/classes/uefi-sign.bbclass, if the uefi kernel stub is enough for your use case (which was my case)
I do not know if you really need to keep grub, but if you can replace it with systemd boot and this uefi combo app from meta-intel layer (or more simply only use uefi kernel stub with a bundled initramfs), I think it could simplify a lot your boot process thus it will be simpler to implement an OTA solution with Mender.
This is something that I will eventually try to achieve in the near future, so I will keep you posted about my progress if you are interested.

Hope this will help you.
Regards,
--
Léo


Le sam. 9 avr. 2022 à 16:38, Ballentine, Casey via lists.yoctoproject.org <casey.ballentine=essvote.com@...> a écrit :
Hello,

We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.

On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.

Grub and grub.cfg validate on boot, but /boot/bzImage does not.

I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?

Thanks for any help, and let me know if you need further information.

Best,
Casey




--
Léo


secure boot w/ Mender bzImage fails validation #dunfell

Ballentine, Casey
 

Hello,

We have an Intel Elkhart Lake device that we are trying to get Secure Boot (via meta-secure-core/meta-efi-secure-boot SELoader) working on using the Dunfell release. This device uses Mender for updates via USB. We have Secure Boot working successfully on a similar device, but that device does not employ Mender.

On the HDD image, /boot/bzImage and /boot/bzImage.p7b (the detached digital signature) are present, as are the set of GRUB artifacts in /boot/efi/BOOT/EFI. As a side note, we do not use an initramfs.

Grub and grub.cfg validate on boot, but /boot/bzImage does not.

I've read that SELoader can't access anything outside of the /efi partition. If that's correct, how do we work around this issue?

Thanks for any help, and let me know if you need further information.

Best,
Casey


System is booting to "emergency/rescue mode"

Sourabh Hegde
 

Hello All,

This may not be the issue with Yocto itself but rather related to properly booting up Linux on Avenger96(STM32MP1) board. I am currently working on Avenger96 with Yocto(Dunfell). Aim is to implement SWUpdate OTA update system. For this I am using A/B strategy. Also I am using "systemd" instead of sysVinit. In my conf/local.conf I have set:

DISTRO_FEATURES_append = " systemd"
DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit"
VIRTUAL-RUNTIME_init_manager = "systemd"
VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"

My .wks file looks like:

part fsbl1 --source rawcopy --sourceparams="file=u-boot-spl.stm32" --part-name "fsbl1" --ondisk mmcblk --align 1 --size 256k
part fsbl2 --source rawcopy --sourceparams="file=u-boot-spl.stm32" --part-name "fsbl2" --ondisk mmcblk --align 1 --size 256k
part ssbl --source rawcopy --sourceparams="file=u-boot.itb" --part-name "ssbl" --ondisk mmcblk --align 1 --size 2M
part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root_A --part-name "rootfs_A" --align 4096 --use-uuid --active --size 3G
part / --source rootfs --ondisk mmcblk0 --fstype=ext4 --label root_B --part-name "rootfs_B" --align 4096 --use-uuid --size 3G
 
bootloader --ptable gpt

I am able to create the image and could copy it to SD card. But while booting I am getting below issue/errors:

[  OK  ] Started D-Bus System Message Bus.
         Starting Load/Save RF Kill Switch Status...
You are in rescue mode. After logging in, type "journalctl -xb" to view
system logs, "systemctl reboot" to reboot, "systemctl default" or "exit"
to boot into default mode.
Press Enter for maintenance
(or press Control-D to continue):

On pressing "Ctrl+D", I get :

Reloading system manager configuration
[ 1306.916497] systemd-fstab-generator[202]: Mount point fsbl1 is not a valid path, ignoring.
[ 1306.940236] systemd-fstab-generator[202]: Mount point fsbl2 is not a valid path, ignoring.
[ 1306.947455] systemd-fstab-generator[202]: Mount point ssbl is not a valid path, ignoring.
Starting default target
.
.
Then it asks for login and I could login as "root".

I don't understand why it's going to emergency or resume mode. On googling I found that it is usually related to /etc/fstab. Below is /etc/fstab/ content (copied from board):

# stock fstab - you probably want to override this with a machine specific one
/dev/root            /                    auto       defaults              1  1
proc                  /proc              proc       defaults              0  0
devpts              /dev/pts         devpts    mode=0620,ptmxmode=0666,gid=5      0  0
tmpfs                /run               tmpfs      mode=0755,nodev,nosuid,strictatime 0  0
tmpfs               /var/volatile    tmpfs      defaults              0  0
 
# uncomment this if your device has a SD/MMC/Transflash slot
#/dev/mmcblk0p1       /media/card          auto       defaults,sync,noauto  0  0
 
/dev/mmcblkp1   fsbl1   vfat    defaults            0            0
/dev/mmcblkp2   fsbl2   vfat    defaults            0            0
/dev/mmcblkp3   ssbl    vfat    defaults            0            0

Also one more doubt: what happens when we do software updates from emergency/rescue mode? In my case, I could install updates (using SWUpdate) but after reboot system is again booting from old partition. But I could manually switch to updated partition from u-boot env and verify that new image is installed. So I am assuming this behavior is again related to some issue with u-boot(probably, newly set environment is wiped on next startup). And also I can do other stuffs like accessing fw_printenv/fw_setenv, set bootlimit and change partition from u-boot env..

I found that a "boot.scr" is being used and I have set below in the script. And "rootfspart" in u-boot header file as "rootfspart=4\0" \

setenv bootargs "${bootargs} root=/dev/mmcblk0p${rootfspart} rdinit=/bin/kinit rw rootwait single"

Can anyone please let me know what could be the potential issue here? Any advice on which direction to look into would be helpful.

Your help will be much appreciated.

Thanks in advance.

P.S: Please let me know if any info is missing. Also when I checked with "journalctl -xb" after logging in I could only find "Alternate GPT is invalid, using primary GPT." and "GPT: Use GNU Parted to correct GPT errors.". But may be I missed something here.

Kind Regards,
Sourabh


Re: [Question] How to handle GPLv3 packages?

Alexander Kanavin
 

Thud has been EOL for a long time. You can see when the support been
added here (end of 2019 it seems):
https://git.yoctoproject.org/poky/log/meta/lib/oeqa/selftest/cases/incompatible_lic.py?h=master-next

Alex

On Fri, 8 Apr 2022 at 18:56, Måns <mans.zigher@...> wrote:

I am currently on Thud so I am missing the support from what I can
tell to set INCOMPATIBLE_LICENSE per image. I have tried to find the
commit that adds that support but am having some problems finding it.
Do you maybe know what I should look for to find the commit that adds
this support?

Thanks

Den fre 8 apr. 2022 kl 10:16 skrev Alexander Kanavin <alex.kanavin@...>:

Hello Mans,

please refer to the tests we have for the feature:
https://git.yoctoproject.org/poky/tree/meta/lib/oeqa/selftest/cases/incompatible_lic.py?h=master-next#n95
(line 95 and below)

The key bit is:
INCOMPATIBLE_LICENSE:pn-core-image-minimal = "GPL-3.0* LGPL-3.0*"
e.g. apply the restriction only to core-image-minimal.

Alex

On Fri, 8 Apr 2022 at 08:06, Måns <mans.zigher@...> wrote:

Hi Alex,

Could you maybe clarify what you mean with "setting
INCOMPATIBLE_LICENSE per image"? Do you mean that you have one
specific image that is used when you build an image for release to the
customer and then one image for development?

Thanks

Den ons 6 apr. 2022 kl 11:04 skrev Alexander Kanavin <alex.kanavin@...>:

I'd suggest you start by setting INCOMPATIBLE_LICENSE per image, e.g.
enable gpl3 ban only in the images that ship to the customers and not
across the entire build. Then carefully look at what pulls in bash
into those images and why, and reconfigure those pieces to not do that
(e.g. by reconfiguring the PACKAGECONFIGs), or rewrite the scripts in
posix shell.

Alex

On Wed, 6 Apr 2022 at 10:59, Mans Zigher <mans.zigher@...> wrote:

Hi,

I cannot use GPLv3 packages in our image build. I am no legal expert
but from what I can understand most companies will not be able to
comply with this license without allowing the customer to compile and
deploy a new version of any GPLv3 package to the target. I know it is
possible to comply with this but we are using secure boot and have not
the time and probably no interest in setting up a solution for
allowing customers to be able to deploy GPLv3 packages on the target.
We are trying to make use of INCOMPATIBLE_LICENSE but that results in
several issues. We have made sure that we don't include GPLv3 in the
image build using a manual process but would like to use
INCOMPATIBLE_LICENSE to alert any developer about the issue. It seems
like INCOMPATIBLE_LICENSE is a bit harsh since it will catch any
packages even if it is only part of the SDK and also for native
packages that are not part of the image build.

I cannot be the only one with this problem so how are other companies
solving this issue? Are they just not using the INCOMPATIBLE_LICENSE?
Are you setting up a parallel process for checking for any
incompatible licenses issues?

A more specific issue is that there are so many packages with bash
dependencies which are pulling in bash which is GPLv3 so how have you
solved that? Currently we have done some pretty uggly hacks which I am
not that happy with but we needed to keep it out of the image.

Thanks



Re: [Question] How to handle GPLv3 packages?

Mans Zigher <mans.zigher@...>
 

I am currently on Thud so I am missing the support from what I can
tell to set INCOMPATIBLE_LICENSE per image. I have tried to find the
commit that adds that support but am having some problems finding it.
Do you maybe know what I should look for to find the commit that adds
this support?

Thanks

Den fre 8 apr. 2022 kl 10:16 skrev Alexander Kanavin <alex.kanavin@...>:


Hello Mans,

please refer to the tests we have for the feature:
https://git.yoctoproject.org/poky/tree/meta/lib/oeqa/selftest/cases/incompatible_lic.py?h=master-next#n95
(line 95 and below)

The key bit is:
INCOMPATIBLE_LICENSE:pn-core-image-minimal = "GPL-3.0* LGPL-3.0*"
e.g. apply the restriction only to core-image-minimal.

Alex

On Fri, 8 Apr 2022 at 08:06, Måns <mans.zigher@...> wrote:

Hi Alex,

Could you maybe clarify what you mean with "setting
INCOMPATIBLE_LICENSE per image"? Do you mean that you have one
specific image that is used when you build an image for release to the
customer and then one image for development?

Thanks

Den ons 6 apr. 2022 kl 11:04 skrev Alexander Kanavin <alex.kanavin@...>:

I'd suggest you start by setting INCOMPATIBLE_LICENSE per image, e.g.
enable gpl3 ban only in the images that ship to the customers and not
across the entire build. Then carefully look at what pulls in bash
into those images and why, and reconfigure those pieces to not do that
(e.g. by reconfiguring the PACKAGECONFIGs), or rewrite the scripts in
posix shell.

Alex

On Wed, 6 Apr 2022 at 10:59, Mans Zigher <mans.zigher@...> wrote:

Hi,

I cannot use GPLv3 packages in our image build. I am no legal expert
but from what I can understand most companies will not be able to
comply with this license without allowing the customer to compile and
deploy a new version of any GPLv3 package to the target. I know it is
possible to comply with this but we are using secure boot and have not
the time and probably no interest in setting up a solution for
allowing customers to be able to deploy GPLv3 packages on the target.
We are trying to make use of INCOMPATIBLE_LICENSE but that results in
several issues. We have made sure that we don't include GPLv3 in the
image build using a manual process but would like to use
INCOMPATIBLE_LICENSE to alert any developer about the issue. It seems
like INCOMPATIBLE_LICENSE is a bit harsh since it will catch any
packages even if it is only part of the SDK and also for native
packages that are not part of the image build.

I cannot be the only one with this problem so how are other companies
solving this issue? Are they just not using the INCOMPATIBLE_LICENSE?
Are you setting up a parallel process for checking for any
incompatible licenses issues?

A more specific issue is that there are so many packages with bash
dependencies which are pulling in bash which is GPLv3 so how have you
solved that? Currently we have done some pretty uggly hacks which I am
not that happy with but we needed to keep it out of the image.

Thanks



Re: [Question] How to handle GPLv3 packages?

Robert Berger
 

Hi,

My comments are inline.

On 08/04/2022 13:15, Matthias Schoepfer via lists.yoctoproject.org wrote:
Hi!
To elaborate more on the GPLv3 topic: If you were to use secure boot, signed update images, and all that jazz, how can you make your Firmware GPLv3 compliant? Has *anyone* done it or knows a company / product, that does that?!
I am not a lawyer, but I guess you could mention in your manual that you can dish out a non reversible image which was built with a "dummy" key. This would allow the end customer to replace the xGPLv3 components.

But instead of a "car" you have an expensive eval board afterwards.

Another interesting issue is the "EU Radio Equipment Directive". It seems to be incompatible with GPLv3[1] ;)

[1] https://fsfe.org/activities/radiodirective/radiodirective.en.html

Regards,
    Matthias

--
Robert Berger
Embedded Software Evangelist

Reliable Embedded Systems
Consulting Training Engineering
URL: https://www.reliableembeddedsystems.com

Schedule a web meeting:
https://calendly.com/reliableembeddedsystems/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--


Re: [Question] How to handle GPLv3 packages?

Mans Zigher <mans.zigher@...>
 

Yes I did something similar initially using BBMASK to minimize the
build and in the end requesting them to supply a more minimal build
setup. The end result was not a pure BSP layer because we needed some
other things to be able to use other parts of the HW. We could
probably have done that our self but did not really have the time to
set up our own solution for it.

Mans

Den fre 8 apr. 2022 kl 11:22 skrev Alexander Kanavin <alex.kanavin@...>:


On Fri, 8 Apr 2022 at 10:32, Mikko Rapeli <mikko.rapeli@...> wrote:
Qualcomm, I know that one :( As integrator for a product
you must minimize the impact of the BSP SW delivery and thus allow only
bootloader, kernel and low level libraries to be compiled using the
BSP vendor delivery, e.g. their meta layers. I BBMASK away most of their
high level SW changes, e.g. systemd and other odd patches which I don't need.
At Daimler, I put my foot down, and forced them to cleanly rewrite the
BSP into an actual BSP layer before we would set up official builds
with it. It took several months, but eventually we got there.

Alex


Re: [Question] How to handle GPLv3 packages?

Matthias Schoepfer
 

Hi!

To elaborate more on the GPLv3 topic: If you were to use secure boot, signed update images, and all that jazz, how can you make your Firmware GPLv3 compliant? Has *anyone* done it or knows a company / product, that does that?!

Regards,

    Matthias

On 4/6/22 10:59, Mans Zigher wrote:
Hi,

I cannot use GPLv3 packages in our image build. I am no legal expert
but from what I can understand most companies will not be able to
comply with this license without allowing the customer to compile and
deploy a new version of any GPLv3 package to the target. I know it is
possible to comply with this but we are using secure boot and have not
the time and probably no interest in setting up a solution for
allowing customers to be able to deploy GPLv3 packages on the target.
We are trying to make use of INCOMPATIBLE_LICENSE but that results in
several issues. We have made sure that we don't include GPLv3 in the
image build using a manual process but would like to use
INCOMPATIBLE_LICENSE to alert any developer about the issue. It seems
like INCOMPATIBLE_LICENSE is a bit harsh since it will catch any
packages even if it is only part of the SDK and also for native
packages that are not part of the image build.

I cannot be the only one with this problem so how are other companies
solving this issue? Are they just not using the INCOMPATIBLE_LICENSE?
Are you setting up a parallel process for checking for any
incompatible licenses issues?

A more specific issue is that there are so many packages with bash
dependencies which are pulling in bash which is GPLv3 so how have you
solved that? Currently we have done some pretty uggly hacks which I am
not that happy with but we needed to keep it out of the image.

Thanks


Re: [Question] How to handle GPLv3 packages?

Alexander Kanavin
 

On Fri, 8 Apr 2022 at 10:32, Mikko Rapeli <mikko.rapeli@...> wrote:
Qualcomm, I know that one :( As integrator for a product
you must minimize the impact of the BSP SW delivery and thus allow only
bootloader, kernel and low level libraries to be compiled using the
BSP vendor delivery, e.g. their meta layers. I BBMASK away most of their
high level SW changes, e.g. systemd and other odd patches which I don't need.
At Daimler, I put my foot down, and forced them to cleanly rewrite the
BSP into an actual BSP layer before we would set up official builds
with it. It took several months, but eventually we got there.

Alex


Re: QA notification for completed autobuilder build (yocto-4.0.rc1)

Teoh, Jay Shen
 

Hi all,

Intel and WR YP QA is planning for QA execution for YP build yocto-4.0.rc1. We are planning to execute following tests for this cycle:

OEQA-manual tests for following module:
1. OE-Core
2. BSP-hw

Runtime auto test for following platforms:
1. MinnowTurbot 32-bit
2. Coffee Lake
3. NUC 7
4. NUC 6
5. Edgerouter
6. Beaglebone

ETA for completion next Tuesday, April 12.

Thanks,
Jay

-----Original Message-----
From: yocto@... <yocto@...> On Behalf
Of Pokybuild User
Sent: Wednesday, 6 April, 2022 4:11 PM
To: yocto@...
Cc: qa-build-notification@...
Subject: [yocto] QA notification for completed autobuilder build (yocto-
4.0.rc1)


A build flagged for QA (yocto-4.0.rc1) was completed on the autobuilder and
is available at:


https://autobuilder.yocto.io/pub/releases/yocto-4.0.rc1


Build hash information:

bitbake: 41eeb4f34fb2306303f7688ec5e0ae965a573aa4
meta-agl: fa5152323ad2bd3d433aec72c4fec6614656f06d
meta-arm: 5c83fa83649c522137c96d3c5aab49d660f8807f
meta-aws: 214a5867b3b0d9ba54818aabb1711eadf4ba9eb3
meta-gplv2: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
meta-intel: 68e00896f2c669044f6ad8cbbc9958332254a4e4
meta-mingw: a90614a6498c3345704e9611f2842eb933dc51c1
meta-openembedded: 173352732d17b3d1fa469b6eea43a2a3c8a670d3
oecore: 62851965fc180f33ed6feb62ff5ac14706e4732a
poky: ed98f1a1ae7e4e2c8e089003a619ae9260a852ad



This is an automated message from the Yocto Project Autobuilder
Git: git://git.yoctoproject.org/yocto-autobuilder2
Email: richard.purdie@...



Re: [Question] How to handle GPLv3 packages?

Mikko Rapeli
 

Hi,

On Fri, Apr 08, 2022 at 10:18:22AM +0200, Mans Zigher wrote:
Hi Ross,

We don't have a ptest set in DISTRO_FEATURE so if that is the only way
to pull in ptest I would say that is the reason for us at least on why
there are so many bash dependencies.
One recipe that I am looking into right now is util-linux which does
have package util-linux-bash-completion but even the package
util-linux seems to depend on bash and bash-completion when
util-linux is a meta package. Install the needed util-linux utilities separately,
e.g. util-linux-mount, util-linux-umount. Also ptest you can build as distro
feature if you don't install ptest packages into images. I do that.
And then during testing, I install the ptest packages and dependencies to
the plain non-GPLv3 target to execute the tests.

checking the dependencies by running bitbake -g util-linux and bitbake
-g <image>. It is not clear why the package util-linux depends on bash
and bash-completion. I have other recipes where it is also
not obvious to me why they have a dependency to bash and
bash-completion. One such recipe is a recipe that we have created and
the only content in the package produced is a script and the script
only has #!/bin/sh so not sure where this bash and bash-completion
comes from it is not something we have added so maybe we have some
underlying issue here that results in so many dependencies to
bash and bash-completion. We have not set up this system ourselves,
instead one of the HW suppliers starting with a Q ending with COMM
which I must say I am not that impressed with has supplied the
base that we are building on.
Qualcomm, I know that one :( As integrator for a product
you must minimize the impact of the BSP SW delivery and thus allow only
bootloader, kernel and low level libraries to be compiled using the
BSP vendor delivery, e.g. their meta layers. I BBMASK away most of their
high level SW changes, e.g. systemd and other odd patches which I don't need.

Cheers,

-Mikko


Re: [Question] How to handle GPLv3 packages?

Alexander Kanavin
 

Qualcomm is notorious for the poor quality of their layers. Just tell
the management that they created this situation, and they should be
held responsible for delaying whatever product you have to ship.

Alex

On Fri, 8 Apr 2022 at 10:18, Mans Zigher <mans.zigher@...> wrote:

Hi Ross,

We don't have a ptest set in DISTRO_FEATURE so if that is the only way
to pull in ptest I would say that is the reason for us at least on why
there are so many bash dependencies.
One recipe that I am looking into right now is util-linux which does
have package util-linux-bash-completion but even the package
util-linux seems to depend on bash and bash-completion when
checking the dependencies by running bitbake -g util-linux and bitbake
-g <image>. It is not clear why the package util-linux depends on bash
and bash-completion. I have other recipes where it is also
not obvious to me why they have a dependency to bash and
bash-completion. One such recipe is a recipe that we have created and
the only content in the package produced is a script and the script
only has #!/bin/sh so not sure where this bash and bash-completion
comes from it is not something we have added so maybe we have some
underlying issue here that results in so many dependencies to
bash and bash-completion. We have not set up this system ourselves,
instead one of the HW suppliers starting with a Q ending with COMM
which I must say I am not that impressed with has supplied the
base that we are building on.

Thanks for your help anyway.


Den ons 6 apr. 2022 kl 11:11 skrev Ross Burton <ross@...>:

On Wed, 6 Apr 2022 at 09:59, Mans Zigher <mans.zigher@...> wrote:
A more specific issue is that there are so many packages with bash
dependencies which are pulling in bash which is GPLv3 so how have you
solved that? Currently we have done some pretty uggly hacks which I am
not that happy with but we needed to keep it out of the image.
As you're not naming recipes it is hard to offer concrete advice, but
I will note that a large percentage of the bash dependencies in
oe-core are specific to the ptest packages. If you don't need those
then you can turn off the ptest DISTRO_FEATURE.

Ross

1101 - 1120 of 57764