Date   

Re: meta-egl failure: Nothing RPROVIDES polkit

Joshua Watt
 

On Tue, May 31, 2022 at 7:27 AM <richard.purdie@...> wrote:

On Sat, 2022-05-28 at 07:40 +0300, Marius Vlad wrote:
On Fri, May 27, 2022 at 04:25:00PM -0400, Scott Murray wrote:
On Fri, 27 May 2022, Tim Orling wrote:

On Fri, May 27, 2022 at 9:18 AM Jan Simon Moeller <
jsmoeller@...> wrote:

Hi !

Yes, we need to look into this and likely change the location of the
RDEPENDS.
Thanks for flagging.

polkit needs to be in DISTRO_FEATURES and the recipe needs to have a check
for that (and inherit features_check)
[snip]

For an immediate fix I've moved the polkit addition to a bbappend added
via BBFILES_DYNAMIC, gated on meta-oe presence. The current intent is
that the meta-agl-core test on the autobuilder only needs poky, so letting
this slip in was a thinko on our part. We may revisit making meta-oe a
required dependency when binary packagefeed prototyping starts in AGL.
Your comment re features_check is right on, I'll add that when I get a
chance over the weekend. One thing I may bring up on the next dev call
is Weston does need polkit in some situations (hence the addition in
AGL), so maybe shifting it to oe-core starts to make more sense now...
Yes, when using the logind launcher, or the seatd launcher with the
logind back-end, polkit is needed to activate the session. There's no
longer a direct launcher: weston-launch has been removed, and upstream weston
has for some time now been able to use systemd user sessions for starting up.

The seatd launcher with the daemon or built-in back-end appears to do
the activation on its own, but I reckon the systemd-logind back-end will be
the de facto back-end if the launcher in weston is changed to seatd and
the systemd-logind launcher is removed (as we're currently working towards
having just a single launcher).

One thing to mention here is that while digging this up I've found a
patch to systemd-logind [1] which supposedly should allow just logind
to activate the session as a non-root user; it's just that either it wasn't
working or it is no longer present, as I haven't been able to activate
sessions without polkit installed.

[1] https://github.com/openembedded/openembedded-core/commit/e42dd9cff98f2149904e104f08bc3f19ee7b6fc0
Adding Joshua, I'm hoping he might have some ideas here?
That patch in question fixed a regression in systemd behavior that was
introduced at some point that broke the non-polkit behavior. I was
able to get it fixed, but I also suspect that fighting against using
polkit isn't going to be productive in the long run and we should look
at a way to pull it in..... preferably without needing mozjs (why a
policy system decided to rely on javascript is beyond me). Eventually,
we are going to want polkit-only features from systemd and there won't
be grounds (like "This worked before polkit") to get upstream systemd
to change to support it.


Cheers,

Richard


Re: meta-egl failure: Nothing RPROVIDES polkit

Richard Purdie
 

On Sat, 2022-05-28 at 07:40 +0300, Marius Vlad wrote:
On Fri, May 27, 2022 at 04:25:00PM -0400, Scott Murray wrote:
On Fri, 27 May 2022, Tim Orling wrote:

On Fri, May 27, 2022 at 9:18 AM Jan Simon Moeller <
jsmoeller@...> wrote:

Hi !

Yes, we need to look into this and likely change the location of the
RDEPENDS.
Thanks for flagging.

polkit needs to be in DISTRO_FEATURES and the recipe needs to have a check
for that (and inherit features_check)
[snip]

For an immediate fix I've moved the polkit addition to a bbappend added
via BBFILES_DYNAMIC, gated on meta-oe presence. The current intent is
that the meta-agl-core test on the autobuilder only needs poky, so letting
this slip in was a thinko on our part. We may revisit making meta-oe a
required dependency when binary packagefeed prototyping starts in AGL.
Your comment re features_check is right on, I'll add that when I get a
chance over the weekend. One thing I may bring up on the next dev call
is Weston does need polkit in some situations (hence the addition in
AGL), so maybe shifting it to oe-core starts to make more sense now...
Yes, when using the logind launcher, or the seatd launcher with the
logind back-end, polkit is needed to activate the session. There's no
longer a direct launcher: weston-launch has been removed, and upstream weston
has for some time now been able to use systemd user sessions for starting up.

The seatd launcher with the daemon or built-in back-end appears to do
the activation on its own, but I reckon the systemd-logind back-end will be
the de facto back-end if the launcher in weston is changed to seatd and
the systemd-logind launcher is removed (as we're currently working towards
having just a single launcher).

One thing to mention here is that while digging this up I've found a
patch to systemd-logind [1] which supposedly should allow just logind
to activate the session as a non-root user; it's just that either it wasn't
working or it is no longer present, as I haven't been able to activate
sessions without polkit installed.

[1] https://github.com/openembedded/openembedded-core/commit/e42dd9cff98f2149904e104f08bc3f19ee7b6fc0
Adding Joshua, I'm hoping he might have some ideas here?

Cheers,

Richard


Re: meta-egl failure: Nothing RPROVIDES polkit

Luca Ceresoli
 

Hi Scott,

On Fri, 27 May 2022 16:25:00 -0400 (EDT), Scott Murray <scott.murray@...> wrote:

On Fri, 27 May 2022, Tim Orling wrote:

On Fri, May 27, 2022 at 9:18 AM Jan Simon Moeller <
jsmoeller@...> wrote:

Hi !

Yes, we need to look into this and likely change the location of the
RDEPENDS.
Thanks for flagging.

polkit needs to be in DISTRO_FEATURES and the recipe needs to have a check
for that (and inherit features_check)
[snip]

For an immediate fix I've moved the polkit addition to a bbappend added
via BBFILES_DYNAMIC, gated on meta-oe presence.
Thanks for taking care. I confirm my test build today no longer shows
this failure.

--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


Re: [PATCH yocto-autobuilder-helper] scripts: run-docs-build: do not extract eclipse directories from old docs

Quentin Schulz
 

Hi all,

Any feedback to give on this patch?

Cheers,
Quentin

On 5/12/22 15:02, Quentin Schulz wrote:
From: Quentin Schulz <quentin.schulz@...>
For some reason, the old docs tarball includes many eclipse
subdirectories which are just cluttering the docs website up.
Therefore, let's just not extract eclipse directories from the tarball.
Cc: Quentin Schulz <foss+yocto@...>
Signed-off-by: Quentin Schulz <quentin.schulz@...>
---
scripts/run-docs-build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/run-docs-build b/scripts/run-docs-build
index f6b8ac4..b912ee9 100755
--- a/scripts/run-docs-build
+++ b/scripts/run-docs-build
@@ -35,7 +35,7 @@ docbookarchive=${docbookarchive:-/srv/autobuilder/autobuilder.yocto.io/pub/docbo
mkdir $outputdir
cd $outputdir
echo Extracing old content from archive
-tar -xJf $docbookarchive
+tar --exclude=eclipse -xJf $docbookarchive
cd $bbdocs
mkdir $outputdir/bitbake
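Review bot: `--exclude=eclipse` is a non-anchored pattern, so tar drops every member that has a path component named eclipse anywhere in the archive, not only the top-level subdirectories the commit message talks about; if the intent is the latter, use `--anchored` with the exact member path(s) so an unrelated eclipse directory inside a release's docs cannot be silently lost. While on this line, `$docbookarchive` is still unquoted (a path with spaces breaks the extraction) and the context line above still reads "Extracing"; quoting the variable and fixing the typo would be a cheap follow-up.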


M+ & H bugs with Milestone Movements WW22

Stephen Jolley
 

All,

YP M+ or high bugs which moved to a new milestone in WW22 are listed below:

Priority  Bug ID  Short Description                   Changer             Owner           Was     Became
High      14065   Automated ptest regression testing  richard.purdie@...  unassigned@...  4.1 M1  4.1 M2
Medium+   4530    gconv data needs virtual providers  richard.purdie@...  newcomer@...    Future  4.99

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager

Cell:  (208) 244-4460
Email: sjolley.yp.pm@...

 


Enhancements/Bugs closed WW22!

Stephen Jolley
 

All,

The below were the owners of enhancements or bugs closed during the last week!

Who                       Count
richard.purdie@...            3
michael.opdenacker@...        1
pavel@...                     1
jon.mason@...                 1
Grand Total                   6

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager


 


Current high bug count owners for Yocto Project 4.1

Stephen Jolley
 

All,

Below is the list of the top 38 bug owners as of the end of WW22 who have open medium or higher bugs and enhancements against YP 4.1. There are 105 possible work days left until the final release candidates for YP 4.1 need to be released.

Who                       Count
michael.opdenacker@...       38
ross.burton@...              23
david.reyna@...              22
bruce.ashfield@...           20
randy.macleod@...            17
richard.purdie@...           15
sakib.sajal@...              12
JPEWhacker@...                9
tim.orling@...                8
saul.wold@...                 7
jon.mason@...                 4
pavel@...                     4
kai.kang@...                  4
mhalstead@...                 3
akuster808@...                3
pgowda.cve@...                2
tvgamblin@...                 2
sundeep.kokkonda@...          2
hongxu.jia@...                2
abongwabonalais@...           2
Qi.Chen@...                   2
Aryaman.Gupta@...             2
mostthingsweb@...             1
alejandro@...                 1
Martin.Jansa@...              1
behanw@...                    1
aehs29@...                    1
shachar@...                   1
nicolas.dechesne@...          1
ola.x.nilsson@...             1
martin.beeger@...             1
raj.khem@...                  1
open.source@...               1
thomas.perrot@...             1
kexin.hao@...                 1
jay.shen.teoh@...             1
alexandre.belloni@...         1
liezhi.yang@...               1
Grand Total                 219

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager


 


Yocto Project Newcomer & Unassigned Bugs - Help Needed

Stephen Jolley
 

All,

 

The triage team is starting to try and collect up and classify bugs which a newcomer to the project would be able to work on in a way which means people can find them. They're being listed on the triage page under the appropriate heading:

https://wiki.yoctoproject.org/wiki/Bug_Triage#Newcomer_Bugs  Also please review: https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded and how to create a bugzilla account at: https://bugzilla.yoctoproject.org/createaccount.cgi

The idea is that these bugs should be straightforward for a person to help work on who doesn't have deep experience with the project.  If anyone can help, please take ownership of the bug and send patches!  If anyone needs help/advice there are people on IRC who can likely do so, or some of the more experienced contributors will likely be happy to help too.

 

Also, the triage team meets weekly and does its best to handle the bugs reported into the Bugzilla. The number of people attending that meeting has fallen, as have the number of people available to help fix bugs. One of the things we hear users report is they don't know how to help. We (the triage team) are therefore going to start reporting out the currently 423 unassigned or newcomer bugs.

 

We're hoping people may be able to spare some time now and again to help out with these.  Bugs are split into two types, "true bugs" where things don't work as they should and "enhancements" which are features we'd want to add to the system.  There are also roughly four different "priority" classes right now,  “4.1”, “4.2”, "4.99" and "Future", the more pressing/urgent issues being in "4.1" and then “4.2”.

 

Please review this link and if a bug is something you would be able to help with either take ownership of the bug, or send me (sjolley.yp.pm@...) an e-mail with the bug number you would like and I will assign it to you (please make sure you have a Bugzilla account).  The list is at: https://wiki.yoctoproject.org/wiki/Bug_Triage_Archive#Unassigned_or_Newcomer_Bugs

 

Thanks,

 

Stephen K. Jolley

Yocto Project Program Manager


 


[meta-security][PATCH 3/3] oeqa/smack: consolidate classes

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
lib/oeqa/runtime/cases/smack.py | 39 ---------------------------------
1 file changed, 39 deletions(-)

diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index 35e87ef..b8255c7 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -29,8 +29,6 @@ class SmackBasicTest(OERuntimeTestCase):
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()

-class SmackAccessLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_access_label(self):
''' Test if chsmack can correctly set a SMACK label '''
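Review bot: folding every subclass into SmackBasicTest changes the qualified id of each test (smack.SmackAccessLabel.test_add_access_label becomes smack.SmackBasicTest.test_add_access_label, and likewise for the other seventeen classes removed below), which silently breaks any OETestDepends list or TEST_SUITES selection elsewhere that names the old ids; the commit message should state the rename and the reason for consolidating, since right now it carries only a Signed-off-by. Note also that the hunks cannot show whether the orphaned methods are indented as members of SmackBasicTest; a testimage run confirming the tests are still collected would be worth mentioning in the message.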
@@ -54,8 +52,6 @@ class SmackAccessLabel(SmackBasicTest):
"%s %s" %(LABEL,label_retrieved))


-class SmackExecLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_exec_label(self):
'''Test if chsmack can correctly set a SMACK Exec label'''
@@ -79,8 +75,6 @@ class SmackExecLabel(SmackBasicTest):
"%s %s" %(LABEL,label_retrieved))


-class SmackMmapLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_mmap_label(self):
'''Test if chsmack can correctly set a SMACK mmap label'''
@@ -104,8 +98,6 @@ class SmackMmapLabel(SmackBasicTest):
"%s %s" %(LABEL,label_retrieved))


-class SmackTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_transmutable(self):
'''Test if chsmack can correctly set a SMACK transmutable mode'''
@@ -128,8 +120,6 @@ class SmackTransmutable(SmackBasicTest):
"%s %s" %(LABEL,label_retrieved))


-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_privileged_change_self_label(self):
'''Test if privileged process (with CAP_MAC_ADMIN privilege)
@@ -145,8 +135,6 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest):
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)

-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_self_label(self):
'''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
@@ -163,8 +151,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
"Unprivileged process should not be able to change its label")


-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_file_label(self):
'''Test if unprivileged process cannot change file labels'''
@@ -183,8 +169,6 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest):
self.target.run("rm %s" % filename)
self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)

-class SmackLoadRule(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_load_smack_rule(self):
'''Test if new smack access rules can be loaded'''
@@ -211,8 +195,6 @@ class SmackLoadRule(SmackBasicTest):
self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))


-class SmackOnlycap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_onlycap(self):
'''Test if smack onlycap label can be set
@@ -223,7 +205,6 @@ class SmackOnlycap(SmackBasicTest):
status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
self.assertEqual(status, 0, output)

-class SmackNetlabel(SmackBasicTest):

@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_netlabel(self):
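Review bot: this hunk removes only the `class SmackNetlabel(SmackBasicTest):` line and leaves the blank line after it, so the file ends up with two consecutive blank lines before the decorator, whereas every earlier hunk removes both the class line and its blank line; the SmackCipso and SmackDirect hunks that follow have the same inconsistency. Dropping the extra blank line in these three hunks keeps the spacing uniform.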
@@ -246,7 +227,6 @@ class SmackNetlabel(SmackBasicTest):
test_label, output,
"Did not find expected label in output: %s" %output)

-class SmackCipso(SmackBasicTest):

@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_cipso(self):
@@ -287,7 +267,6 @@ class SmackCipso(SmackBasicTest):
self.assertEqual(status, 0, "Cipso rule C was not set")
self.assertIn("/17,33", output, "Rule C was not set correctly")

-class SmackDirect(SmackBasicTest):

@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_direct(self):
@@ -308,8 +287,6 @@ class SmackDirect(SmackBasicTest):
"Smack direct label does not match.")


-class SmackAmbient(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_ambient(self):
test_ambient = "test_ambient"
@@ -330,8 +307,6 @@ class SmackAmbient(SmackBasicTest):
"Ambient label does not match")


-class SmackloadBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackload(self):
'''Test if smackload command works'''
@@ -345,8 +320,6 @@ class SmackloadBinary(SmackBasicTest):
self.assertEqual(status, 0, "Smackload rule was loaded correctly")


-class SmackcipsoBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackcipso(self):
'''Test if smackcipso command works'''
@@ -362,8 +335,6 @@ class SmackcipsoBinary(SmackBasicTest):
self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)


-class SmackEnforceFileAccess(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_enforce_file_access(self):
'''Test if smack file access is enforced (rwx)
@@ -375,8 +346,6 @@ class SmackEnforceFileAccess(SmackBasicTest):
self.assertEqual(status, 0, output)


-class SmackEnforceMmap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_mmap_enforced(self):
'''Test if smack mmap access is enforced'''
@@ -449,8 +418,6 @@ class SmackEnforceMmap(SmackBasicTest):
"Output: %s" %output)


-class SmackEnforceTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
@@ -473,8 +440,6 @@ class SmackEnforceTransmutable(SmackBasicTest):
"Did not get expected label. Output: %s" % output)


-class SmackTcpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_tcp_sockets(self):
'''Test if smack is enforced on tcp sockets
@@ -485,8 +450,6 @@ class SmackTcpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)


-class SmackUdpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_udp_sockets(self):
'''Test if smack is enforced on udp sockets
@@ -497,8 +460,6 @@ class SmackUdpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)


-class SmackFileLabels(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_labels(self):
'''Check for correct Smack labels.'''
--
2.25.1


[meta-security][PATCH 2/3] smack-test: switch to python3

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/smack/smack-test_1.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb
index d7824ae..3ab57c6 100644
--- a/recipes-mac/smack/smack-test_1.0.bb
+++ b/recipes-mac/smack/smack-test_1.0.bb
@@ -22,4 +22,4 @@ do_install() {
install -m 0755 *.sh ${D}${sbindir}
}

-RDEPENDS:${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
+RDEPENDS:${PN} = "smack python3-core mmap-smack-test tcp-smack-test udp-smack-test"
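Review bot: python3-core is the minimal subset of the interpreter, so any test script that imports a module packaged separately in oe-core's python3 manifest will fail at runtime even though the build succeeds; the same RDEPENDS line names mmap, tcp and udp tests, which suggests the scripts use modules beyond the core set. Check the scripts' imports and add the matching python3-* packages (or python3-modules, at the cost of image size), and say in the commit message which modules were verified.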
--
2.25.1


[meta-security][PATCH 1/3] tpm2-pkcs11: we really need the symlinks

Armin Kuster
 

MASK dev-so
Drop un-needed install append steps.

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index e8812d0..dd0a0b5 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -25,15 +25,6 @@ do_compile:append() {
}

do_install:append() {
- install -d ${D}${libdir}/pkcs11
- install -d ${D}${datadir}/p11-kit
-
- # remove symlinks
- rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
-
- #install lib
- install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
-
cd ${S}/tools
export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
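Review bot: after this hunk ${libdir}/pkcs11 and the libtpm2_pkcs11.so name in it come entirely from upstream's make install, and the previously deleted unversioned .so is now kept; the commit message ("we really need the symlinks") should say who needs it, presumably the p11-kit module configuration under ${datadir}/p11-kit packaged by the FILES below, which refers to the module by that unversioned name. Also confirm that dropping `install -d ${D}${datadir}/p11-kit` is safe, i.e. that upstream creates the directory itself, otherwise the FILES glob packages nothing.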
@@ -53,5 +44,7 @@ FILES:${PN} += "\
${datadir}/p11-kit/* \
"

+INSANE_SKIP:${PN} += "dev-so"
+
RDEPENDS:${PN} = "p11-kit tpm2-tools "
RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
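Review bot: `INSANE_SKIP:${PN} += "dev-so"` silences the QA check for every .so symlink in ${PN}, not just the pkcs11 module, so a later packaging mistake in this recipe would go unnoticed; put a one-line comment above it naming the file that needs the exemption and why (the unversioned module name is what p11-kit loads), so nobody removes it as a leftover. The trailing space in `RDEPENDS:${PN} = "p11-kit tpm2-tools "` could be dropped in the same hunk.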
--
2.25.1


[meta-tpm][PATCH 5/5] oeqa/tpm2: fix and cleanup tests

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c2c95e7..e64d19d 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -1,11 +1,19 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@...>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@...>
#
from oeqa.runtime.case import OERuntimeTestCase
from oeqa.core.decorator.depends import OETestDepends
from oeqa.runtime.decorator.package import OEHasPackage
-
+from oeqa.core.decorator.data import skipIfNotFeature

class Tpm2Test(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
def check_endlines(self, results, expected_endlines):
for line in results.splitlines():
for el in expected_endlines:
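Review bot: setUpClass/tearDownClass create and delete /tmp/myvtpm2, but the new SwTpmTest class in patch 4/5 uses the same directory, chowns it to tss:root and also removes it in its tearDownClass; when both classes run in one testimage session, whichever tears down first deletes the other's TPM state (and a root-created directory here versus a tss-owned one there will behave differently). Give each class its own state directory, or move the swtpm lifecycle into a single shared fixture.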
@@ -19,20 +27,19 @@ class Tpm2Test(OERuntimeTestCase):
@OEHasPackage(['tpm2-tools'])
@OEHasPackage(['tpm2-abrmd'])
@OEHasPackage(['swtpm'])
+ @skipIfNotFeature('tpm2','Test tpm2_startup requires tpm2 to be in DISTRO_FEATURES')
@OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_tpm2_swtpm_socket(self):
+ def test_tpm2_startup(self):
cmds = [
- 'mkdir /tmp/myvtpm',
- 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &',
- 'export TPM2TOOLS_TCTI="swtpm:port=2321"',
- 'tpm2_startup -c'
+ 'swtpm socket -d --tpmstate dir=/tmp/myvtpm2 --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+ 'tpm2_startup -c -T "swtpm:port=2321"',
]

for cmd in cmds:
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg='\n'.join([cmd, output]))

- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_startup'])
def test_tpm2_pcrread(self):
(status, output) = self.target.run('tpm2_pcrread')
expected_endlines = []
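Review bot: `swtpm socket -d` daemonizes and nothing ever stops it; tearDownClass only removes the state directory from under the still-running emulator, and ports 2321/2322 stay bound for any later test. Record the pid (swtpm supports --pid file=...) or at least pkill swtpm in tearDownClass. Separately, the removed `export TPM2TOOLS_TCTI` never persisted across separate self.target.run calls anyway, but now only tpm2_startup gets `-T "swtpm:port=2321"`, while test_tpm2_pcrread below runs plain `tpm2_pcrread`; that only reaches the emulator if the default TCTI (tpm2-abrmd over D-Bus, per the OEHasPackage above) is itself configured for swtpm:port=2321, otherwise it will try the hardware path or fail. Pass -T consistently or configure the abrmd service for the emulator.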
@@ -49,7 +56,7 @@ class Tpm2Test(OERuntimeTestCase):

@OEHasPackage(['p11-kit'])
@OEHasPackage(['tpm2-pkcs11'])
- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pcrread'])
def test_tpm2_pkcs11(self):
(status, output) = self.target.run('p11-kit list-modules -v')
self.assertEqual(status, 0, msg="Modules missing: %s" % output)
--
2.25.1


[meta-tpm][PATCH 4/5] oeqa/swtpm: add swtpm runtime

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 meta-tpm/lib/oeqa/runtime/cases/swtpm.py

diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
new file mode 100644
index 0000000..df47b35
--- /dev/null
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -0,0 +1,24 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@...>
+#
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class SwTpmTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tc.target.run('mkdir /tmp/myvtpm2')
+ cls.tc.target.run('chown tss:root /tmp/myvtpm2')
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('rm -fr /tmp/myvtpm2')
+
+ @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ @OEHasPackage(['swtpm'])
+ def test_swtpm2_ek_cert(self):
+ cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 --create-ek-cert --create-platform-cert --tpm2',
+ status, output = self.target.run(cmd)
+ self.assertEqual(status, 0, msg="swtpm create-ek-cert failed: %s" % output)
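Review bot: the trailing comma in `cmd = 'swtpm_setup --tpmstate /tmp/myvtpm2 ... --tpm2',` makes cmd a one-element tuple, so self.target.run(cmd) receives a tuple instead of the command string; drop the comma. Two smaller points: the skipIfNotFeature message names tpm2_swtpm_socket but the test is test_swtpm2_ek_cert, and setUpClass chowns the state directory to tss:root while nothing switches user before swtpm_setup runs (it executes as the ssh test user), so either the chown is unnecessary or the intent to run as tss should be made explicit.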
--
2.25.1


[meta-tpm][PATCH 3/5] swtpm: enable gnutls

Armin Kuster
 

needed for cert support

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
index db6ceee..03899d8 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
@@ -20,7 +20,7 @@ inherit autotools pkgconfig perlnative
TSS_USER="tss"
TSS_GROUP="tss"

-PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG ?= "openssl gnutls"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
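Review bot: making gnutls part of the default PACKAGECONFIG means every image that contains swtpm now also pulls in the runtime dependencies the next hunk attaches to it (gnutls-bin, bash, expect and tpm2-pkcs11-tools), two of which are interpreters; the commit message, currently just "needed for cert support", should state that trade-off so integrators of small or hardened images know to override PACKAGECONFIG.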
@@ -28,7 +28,7 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
# used by swtpm-create-tpmca (the last two is provided by gnutls)
# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls-native gnutls, gnutls-bin expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
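Review bot: the comment block above this line still says tpmtool and certtool "is provided by gnutls", while the RDEPENDS now correctly names gnutls-bin; update the comment to match. The new gnutls-native in DEPENDS is unexplained: if it exists only so that certtool is available at build time, say so in a comment, otherwise it looks like a copy of the target dependency.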
--
2.25.1


[meta-tpm][PATCH 2/5] security-tpm2-image: add swtpm

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-core/images/security-tpm2-image.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-tpm/recipes-core/images/security-tpm2-image.bb b/meta-tpm/recipes-core/images/security-tpm2-image.bb
index 7e047d1..941a661 100644
--- a/meta-tpm/recipes-core/images/security-tpm2-image.bb
+++ b/meta-tpm/recipes-core/images/security-tpm2-image.bb
@@ -7,6 +7,7 @@ IMAGE_INSTALL = "\
packagegroup-core-boot \
packagegroup-security-tpm2 \
os-release \
+ swtpm \
"

IMAGE_LINGUAS ?= " "
--
2.25.1


[meta-tpm][PATCH 1/5] swtpm: enable seccomp if DISTRO is enabled

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
index 85e4c5d..db6ceee 100644
--- a/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
+++ b/meta-tpm/recipes-tpm/swtpm/swtpm_0.7.1.bb
@@ -22,6 +22,7 @@ TSS_GROUP="tss"

PACKAGECONFIG ?= "openssl"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'seccomp', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
--
2.25.1


Re: running application in user mode instead of root #yocto

Anton Antonov
 

Hi,

   You can use the start-stop-daemon command with the "--chuid" parameter. Here is an example:

https://git.yoctoproject.org/meta-security/tree/meta-parsec/recipes-parsec/parsec-service/files/parsec_init

Cheers,
Anton
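As an added example (not the parsec_init script linked above and not code from the thread), here is a sysvinit-style start script that drops root with start-stop-daemon --chuid, plus a status check that reads /proc to confirm the daemon really runs as that user rather than trusting the pidfile. DAEMON, DAEMON_USER and PIDFILE are placeholders for the application in the question; the option names are dpkg's start-stop-daemon ones, which busybox mirrors when long options are enabled.

```shell
#!/bin/sh
# Added example, not the parsec_init script linked above: a sysvinit-style
# start script that drops root with start-stop-daemon --chuid, plus a status
# check that reads /proc to confirm the daemon really runs as that user.
# DAEMON, DAEMON_USER and PIDFILE are placeholders for the application in the
# question; the option names are dpkg's (busybox mirrors them when long
# options are enabled).

DAEMON="${DAEMON:-/usr/bin/myapp}"
DAEMON_USER="${DAEMON_USER:-myapp}"
PIDFILE="${PIDFILE:-/run/myapp.pid}"

# uid_of_pid PID: print the real uid of a process (second field of the Uid:
# line in /proc/PID/status); return 1 if the process does not exist.
uid_of_pid() {
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null || return 1
}

# running_as PID UID: succeed only if the process is alive and has that uid.
running_as() {
    [ "$(uid_of_pid "$1")" = "$2" ]
}

do_start() {
    # --chuid switches uid and gid before exec, so the application never
    # runs with root privileges; --background/--make-pidfile handle daemons
    # that do not fork on their own. Anything after -- goes to the daemon.
    start-stop-daemon --start --quiet --background \
        --make-pidfile --pidfile "$PIDFILE" \
        --chuid "$DAEMON_USER" \
        --exec "$DAEMON" -- "$@"
}

do_stop() {
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --retry 10
    rm -f "$PIDFILE"
}

do_status() {
    # Refuse to report "running" if the process is alive but not the uid we
    # asked for: that is exactly the failure --chuid is meant to prevent.
    [ -r "$PIDFILE" ] || { echo "$DAEMON is not running"; return 3; }
    pid="$(cat "$PIDFILE")"
    want="$(id -u "$DAEMON_USER")"
    if running_as "$pid" "$want"; then
        echo "$DAEMON running as $DAEMON_USER (pid $pid)"
    else
        echo "pid $pid is not running as $DAEMON_USER (uid: $(uid_of_pid "$pid"))" >&2
        return 1
    fi
}

case "${1:-}" in
    start)   shift; do_start "$@" ;;
    stop)    do_stop ;;
    restart) do_stop; shift; do_start "$@" ;;
    status)  do_status ;;
    *)       ;;   # no action given: sourced for its functions
esac
```

Install it as /etc/init.d/myapp and add the matching update-rc.d call in the recipe; the user named by DAEMON_USER has to exist in the image (useradd class or a users recipe), otherwise start-stop-daemon refuses to start, which is the right failure mode.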


Re: How to modify an existing file from an optional recipe?

Cardenas Jose Antonio (JCARDENA)
 

Ok, I will investigate it. Thank you very much!

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 14:41
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?


Then you should look at something like ROOTFS_POSTPROCESS_COMMAND, which runs an extensible set of functions after the rootfs for a target image has been formed through package install in do_rootfs.

Alex

On Mon, 30 May 2022 at 14:31, Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...> wrote:

I can't. The file that I'm trying to modify is a configuration file of a service that is built with its recipe, and in my "optional" recipe what I'm trying to do is change a parameter of that configuration file.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:59
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?


I'd say it's better to modify the original recipe, can you do that?

Alex

On Mon, 30 May 2022 at 13:39, Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...> wrote:

Yes, indeed. It's a hack to be able to run some tests. Is the "image post processing task" that you mention related to SDK_POSTPROCESS_COMMAND?

Regards.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:29
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?


You can do this with a postinst scriptlet, or with an image post processing task, but generally this looks like a hack regardless of how you do it. What is the file for, and why does it need to be replaced?

Alex

On Mon, 30 May 2022 at 13:23, Cardenas Jose Antonio (JCARDENA) <joseantonio.cardenas@...> wrote:

Hi all,



I have a recipe that is built only with the SDK that modifies the content of an existing file in the rootfs by doing “install -m 644 ${WORKDIR}/my_file ${D}${sysconfdir}/my_file”, but this command is returning the following error:



Error: Transaction check error:

file /etc/my_file between attempted installs of
my_recipe-1.0-r0.7.armv7ahf_neon and
initial_script-1.0-r155.1.armv7ahf_neon



I have seen that the best practice to modify an existing file is to create a .bbappend but this modification would be done for all builds, not only for the SDK. So what would be the best way to do this?



Regards.

Jose




Re: How to modify an existing file from an optional recipe?

Alexander Kanavin
 

Then you should look at something like ROOTFS_POSTPROCESS_COMMAND,
which runs an extensible set of functions after the rootfs for a
target image has been formed through package install in do_rootfs.

Alex

On Mon, 30 May 2022 at 14:31, Cardenas Jose Antonio (JCARDENA)
<JoseAntonio.Cardenas@...> wrote:

I can't. The file that I'm trying to modify is a configuration file of a service that is built with its recipe, and in my "optional" recipe what I'm trying to do is change a parameter of that configuration file.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:59
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?


I'd say it's better to modify the original recipe, can you do that?

Alex

On Mon, 30 May 2022 at 13:39, Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...> wrote:

Yes, indeed. It's a hack to be able to run some tests. Is the "image post processing task" that you mention related to SDK_POSTPROCESS_COMMAND?

Regards.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:29
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?

You can do this with a postinst scriptlet, or with an image post processing task, but generally this looks like a hack regardless of how you do it. What is the file for, and why does it need to be replaced?

Alex

On Mon, 30 May 2022 at 13:23, Cardenas Jose Antonio (JCARDENA) <joseantonio.cardenas@...> wrote:

Hi all,

I have a recipe that is built only with the SDK that modifies the content of an existing file in the rootfs by doing “install -m 644 ${WORKDIR}/my_file ${D}${sysconfdir}/my_file” but this command is returning the following error:

Error: Transaction check error:

file /etc/my_file between attempted installs of
my_recipe-1.0-r0.7.armv7ahf_neon and
initial_script-1.0-r155.1.armv7ahf_neon

I have seen that the best practice to modify an existing file is to create a .bbappend but this modification would be done for all builds, not only for the SDK. So what would be the best way to do this?

Regards.

Jose

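As an added example (not code from this thread or from Yocto itself), the helper below shows what a function hung off ROOTFS_POSTPROCESS_COMMAND could do to change one parameter of a configuration file that another package already installed into ${IMAGE_ROOTFS}, instead of shipping a second package that owns the same path. The hook name tweak_service_config, the file /etc/my_file from the error above and the key "timeout" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. A helper that a function hooked on
# ROOTFS_POSTPROCESS_COMMAND could call to change one parameter of a config
# file that another package already installed, so no second package claims
# the same path. Assumed BitBake glue (hook name and key are made up):
#   ROOTFS_POSTPROCESS_COMMAND:append = " tweak_service_config;"
#   tweak_service_config() {
#       set_config_param "${IMAGE_ROOTFS}${sysconfdir}/my_file" timeout 5
#   }
#
# set_config_param FILE KEY VALUE: replace an existing "KEY=..." line or
# append one. KEY and VALUE are plain tokens (no sed metacharacters).
set_config_param() {
    file=$1; key=$2; value=$3
    # Refuse symlinks and missing files so the edit cannot be steered
    # outside the rootfs tree by a stray link from another layer.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "set_config_param: $file is missing or not a regular file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    # Write back through the existing inode so owner and mode (e.g. 0600 on
    # a file holding credentials) are preserved; mv would reset them.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_config_param FILE KEY: print the current value of KEY (last match).
get_config_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Stand-alone demo on a constructed rootfs in a temp directory.
demo() {
    rootfs=$(mktemp -d)
    mkdir -p "$rootfs/etc"
    printf 'name=svc\ntimeout=30\n' > "$rootfs/etc/my_file"   # constructed
    set_config_param "$rootfs/etc/my_file" timeout 5
    set_config_param "$rootfs/etc/my_file" debug yes
    get_config_param "$rootfs/etc/my_file" timeout   # prints 5
    rm -rf "$rootfs"
}
demo
```

Note that a change made this way is not tracked by the package manager, so anything that later reinstalls or upgrades the owning package on the target will silently overwrite it.
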
Re: How to modify an existing file from an optional recipe?

Cardenas Jose Antonio (JCARDENA)
 

I can't. The file that I'm trying to modify is a configuration file of a service that is built with its recipe and in my "optional" recipe what I'm trying to do is change a parameter of that configuration file.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:59
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?

I'd say it's better to modify the original recipe, can you do that?

Alex

On Mon, 30 May 2022 at 13:39, Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...> wrote:

Yes, indeed. It's a hack to be able to run some tests. Is the "image post processing task" that you mention related to SDK_POSTPROCESS_COMMAND?

Regards.

-----Original Message-----
From: Alexander Kanavin <alex.kanavin@...>
Sent: Monday, 30 May 2022 13:29
To: Cardenas Jose Antonio (JCARDENA) <JoseAntonio.Cardenas@...>
CC: yocto@...
Subject: Re: [yocto] How to modify an existing file from an optional recipe?

You can do this with a postinst scriptlet, or with an image post processing task, but generally this looks like a hack regardless of how you do it. What is the file for, and why does it need to be replaced?

Alex

On Mon, 30 May 2022 at 13:23, Cardenas Jose Antonio (JCARDENA) <joseantonio.cardenas@...> wrote:

Hi all,

I have a recipe that is built only with the SDK that modifies the content of an existing file in the rootfs by doing “install -m 644 ${WORKDIR}/my_file ${D}${sysconfdir}/my_file” but this command is returning the following error:

Error: Transaction check error:

file /etc/my_file between attempted installs of
my_recipe-1.0-r0.7.armv7ahf_neon and
initial_script-1.0-r155.1.armv7ahf_neon

I have seen that the best practice to modify an existing file is to create a .bbappend but this modification would be done for all builds, not only for the SDK. So what would be the best way to do this?

Regards.

Jose
