[meta-security][kirkstone][PATCH] lib-perl: prefix man pages to avoid conflicting with base perl
The following occurs when pkgs-docs is added to image features.
Error: Transaction test error: file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64
Signed-off-by: Jeremy A. Puhlman <jpuhlman@...>
---
recipes-perl/perl/lib-perl_0.63.bb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 4c964d5..25d0890 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -26,3 +26,10 @@ do_compile() {
 export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
 cpan_do_compile
 }
+
+do_install:append() {
+ # Man pages here conflict wtih the main perl documentation
+ for page in ${D}${mandir}/man*/*; do
+ mv $page $(dirname $page)/${BPN}-$(basename $page)
+ done
+}
-- 
2.35.3
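Review bot: The loop added in `do_install:append()` expands `$page` unquoted and has no guard for an empty match, so when nothing exists under `${D}${mandir}/man*/` the literal pattern is handed to `mv` and, assuming the task shell stops on errors, do_install fails. Quoting plus a guard covers both cases: `[ -e "$page" ] || continue` followed by `mv "$page" "$(dirname "$page")/${BPN}-$(basename "$page")"`. The comment above the loop has a typo (`wtih`) and could also state that the pages are then found under the prefixed name, e.g. `lib-perl-lib.3`. The same hunk is posted a second time further down the page without the kirkstone tag, and the point applies there as well.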
[meta-security][PATCH] lib-perl: prefix man pages to avoid conflicting with base perl
The following occurs when pkgs-docs is added to image features.
Error: Transaction test error: file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64
Signed-off-by: Jeremy A. Puhlman <jpuhlman@...>
---
recipes-perl/perl/lib-perl_0.63.bb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 4c964d5..25d0890 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -26,3 +26,10 @@ do_compile() {
 export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
 cpan_do_compile
 }
+
+do_install:append() {
+ # Man pages here conflict wtih the main perl documentation
+ for page in ${D}${mandir}/man*/*; do
+ mv $page $(dirname $page)/${BPN}-$(basename $page)
+ done
+}
-- 
2.35.3
[meta-security][PATCH] Parsec-service: Update installation procedure
Anton Antonov
Signed-off-by: Anton Antonov <Anton.Antonov@...>
--- .../parsec-service/files/parsec-tmpfiles.conf | 1 + .../parsec-service/parsec-service_1.0.0.bb | 16 +++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf index fe576a2..954bfa3 100644 --- a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf +++ b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf @@ -1,2 +1,3 @@ #Type Path Mode User Group Age Argument d /run/parsec 755 parsec parsec - - +d /var/lib/parsec 700 parsec parsec - - diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb index d1d6c07..ad7e560 100644 --- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb +++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb @@ -15,8 +15,8 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO" have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}" -PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts" -PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss" +PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts" +PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device" PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings," PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider," PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider," 
@@ -25,6 +25,9 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts" PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}" CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}" +export BINDGEN_EXTRA_CLANG_ARGS +BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include" + inherit systemd SYSTEMD_SERVICE:${PN} = "parsec.service" @@ -35,7 +38,7 @@ INITSCRIPT_NAME = "parsec" # The file should also be included into SRC_URI then PARSEC_CONFIG ?= "${S}/config.toml" -do_install:append () { +do_install () { # Binaries install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec" install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec @@ -44,9 +47,6 @@ do_install:append () { install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec" install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml - # Data dir - install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_unitdir}/system install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system @@ -58,6 +58,8 @@ do_install:append () { if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec + # Data dir + install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" fi } 
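Review bot: `BINDGEN_EXTRA_CLANG_ARGS` spells the sysroot out as `${WORKDIR}/recipe-sysroot` twice instead of using the variables the build system already defines for it, so the value goes stale if the sysroot location is ever overridden. `BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${STAGING_DIR_TARGET} -I${STAGING_INCDIR}"` expresses the same thing. A one-line comment saying that the export is there so bindgen resolves headers from the target sysroot rather than the host (presumably the reason) would make the intent clear to the next reader.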
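Review bot: The 0700 data directory is now created at install time only inside the `sysvinit` branch, so in every other configuration `${localstatedir}/lib/parsec` exists only once the new `d /var/lib/parsec 700 parsec parsec` tmpfiles entry has been processed at boot. The install of `parsec-tmpfiles.conf` is outside the visible hunks, so it is worth confirming that no feature combination ends up with neither path. This directory is also the `parsec` user's home (`-d ${localstatedir}/lib/parsec` in `USERADD_PARAM`) and presumably holds the service's persistent state, so a comment such as `# Data dir: created by tmpfiles.d on systemd, packaged here for sysvinit` next to the moved lines would record why it is split. `do_install` starts and ends outside this hunk.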
@@ -65,12 +67,12 @@ inherit useradd USERADD_PACKAGES = "${PN}" USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec" GROUPADD_PARAM:${PN} = "-r parsec" +GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}" FILES:${PN} += " \ ${sysconfdir}/parsec/config.toml \ ${libexecdir}/parsec/parsec \ ${systemd_unitdir}/system/parsec.service \ - ${localstatedir}/lib/parsec \ ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \ ${sysconfdir}/init.d/parsec \ " -- 2.25.1
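Review bot: `GROUPMEMS_PARAM:${PN}` tests `PACKAGECONFIG_CONFARGS` for the literal token `tpm-provider`, but `PACKAGECONFIG[ALL]` enables `all-providers` and never emits that token, so a build configured with `ALL` pulls in `libtss2-tcti-device` yet leaves `parsec` out of the `tss` group. If TPM device access is granted through that group, as the change implies, the TPM provider would then fail to open the device at run time. Keying the test on the option names covers both cases: `${@bb.utils.contains_any('PACKAGECONFIG', 'TPM ALL', '-a parsec -g tss', '', d)}`. The `tss` group is not created in this recipe, so a comment noting that this relies on the `tpm2-tss` build dependency to provide it before `groupmems` runs would also help.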
Re: [qa-build-notification] QA notification for completed autobuilder build (yocto-4.0.1.rc1)
Teoh, Jay Shen
Hello Everyone,
This is the full report for yocto-4.0.1.rc1: https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults
======= Summary ======== No high milestone defects.
No new issue found. Have a good weekend 😊.
Thanks, Jay
> -----Original Message-----
> From: qa-build-notification@... <qa-build- > notification@...> On Behalf Of Richard Purdie > Sent: Monday, 16 May, 2022 6:46 AM > To: yocto@... > Cc: qa-build-notification <qa-build-notification@...> > Subject: [qa-build-notification] QA notification for completed autobuilder > build (yocto-4.0.1.rc1) > > A build flagged for QA (yocto-4.0.1.rc1) was completed on the autobuilder > and is available at: > > > https://autobuilder.yocto.io/pub/releases/yocto-4.0.1.rc1 > > > Build hash information: > > bitbake: 59c16ae6c55c607c56efd2287537a1b97ba2bf52 > meta-agl: ba35313c0852ebaf924a9b71d87a4e3f5e90ac9b > meta-arm: b838d40efe06c839d58cf39b785175d0ba7518c6 > meta-aws: b07a769a4347b9f425cf8c6106d3191634791f8c > meta-gplv2: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a > meta-intel: fb23bc3e661685383edd3026e21ca25825c48bc4 > meta-mingw: a90614a6498c3345704e9611f2842eb933dc51c1 > meta-openembedded: 5357c7a40eaf8d1bcf7ff58edbba8e9527e40c7d > meta-virtualization: c578929ca3910e78a2b5876c70749520791124ee > oecore: cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee > poky: 8c489602f218bcf21de0d3c9f8cf620ea5f06430 > > > > This is an automated message from the Yocto Project Autobuilder > Git: git://git.yoctoproject.org/yocto-autobuilder2 > Email: richard.purdie@... > > > > > >
Build with stale kernel modules compared to kernel
Craig McQueen
I have an imx8mm based system built with Yocto dunfell and linux-fslc-imx 5.4.119 from meta-freescale.
Recently, I had a Yocto build that didn't run properly. It turns out the kernel modules directory /lib/modules/5.4.119+gccebf7b87951 didn't match the version number of the kernel image (uname -a reported Linux tv937913 5.4.119+gdcbcfe59f884 #1 SMP PREEMPT Fri May 14 21:09:23 UTC 2021 aarch64 GNU/Linux). The manifest file showed the version of all the kernel-module packages was 5.4.119+gccebf7b87951. I found that the kernel modules directory contents were coming from stale RPMs that evidently came from sstate cache. Looking in the build logs, for linux-fslc-imx, the task do_package_write_rpm_setscene was run early, before do_compile and do_compile_kernelmodules. I would have expected a do_package_write_rpm task to run *after* do_compile_kernelmodules, but that didn't happen. It looks to me as though the sstate cache mechanism has somehow malfunctioned in this build. I've added SSTATE_SKIP_CREATION="1" to a bbappend file for linux-fslc-imx, in the hope that this will avoid such an issue again. But, it would be good to figure out the root cause and fix it. What could I do to diagnose this issue? Regards, Craig McQueen
[meta-security][PATCH 3/3] oeqa/cases/tpm2: fix and enhance test suite
local.conf
TEST_SUITES = "ssh ping tpm2" IMAGE_INSTALL:append = " swtpm tpm2-pkcs11" RESULTS: RESULTS - ping.PingTest.test_ping: PASSED (0.05s) RESULTS - ssh.SSHTest.test_ssh: PASSED (2.19s) RESULTS - tpm2.Tpm2Test.test_tpm2_pcrread: PASSED (1.06s) RESULTS - tpm2.Tpm2Test.test_tpm2_pkcs11: PASSED (1.17s) RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_reset: PASSED (0.59s) RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_socket: PASSED (307.72s) Signed-off-by: Armin Kuster <akuster808@...> --- meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 41 +++++++++++++++++-------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py index c6f9d92..c2c95e7 100644 --- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py +++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py 
@@ -16,28 +16,45 @@ class Tpm2Test(OERuntimeTestCase): if expected_endlines: self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines)) - @OEHasPackage(['tpm2-tss']) - @OEHasPackage(['tpm2-abrmd']) @OEHasPackage(['tpm2-tools']) - @OEHasPackage(['ibmswtpm2']) + @OEHasPackage(['tpm2-abrmd']) + @OEHasPackage(['swtpm']) @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tpm2_sim(self): + def test_tpm2_swtpm_socket(self): cmds = [ - 'tpm_server &', - 'tpm2-abrmd --allow-root --tcti=mssim &' + 'mkdir /tmp/myvtpm', + 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &', + 'export TPM2TOOLS_TCTI="swtpm:port=2321"', + 'tpm2_startup -c' ] for cmd in cmds: status, output = self.target.run(cmd) self.assertEqual(status, 0, msg='\n'.join([cmd, output])) - @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim']) - def test_tpm2(self): - (status, output) = self.target.run('tpm2_pcrlist') + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + def test_tpm2_pcrread(self): + (status, output) = self.target.run('tpm2_pcrread') expected_endlines = [] - expected_endlines.append('sha1 :') - expected_endlines.append(' 0 : 0000000000000000000000000000000000000003') - expected_endlines.append(' 1 : 0000000000000000000000000000000000000000') + expected_endlines.append(' sha1:') + expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000') + expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000') + expected_endlines.append(' sha256:') + expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000000000000000000000000000') + expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000000000000000000000000000') + self.check_endlines(output, expected_endlines) + + @OEHasPackage(['p11-kit']) + @OEHasPackage(['tpm2-pkcs11']) + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket']) + def test_tpm2_pkcs11(self): + (status, output) = 
self.target.run('p11-kit list-modules -v') + self.assertEqual(status, 0, msg="Modules missing: %s" % output) + + @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11']) + def test_tpm2_swtpm_reset(self): + (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322') + self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output) -- 2.25.1
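Review bot: In `test_tpm2_swtpm_socket` each entry of `cmds` goes through its own `self.target.run()` call, so `export TPM2TOOLS_TCTI="swtpm:port=2321"` most likely does not survive into `tpm2_startup -c` or into `tpm2_pcrread` in the dependent test; if so, those commands exercise whatever TCTI the tools default to rather than the swtpm instance started here. Prefixing the commands that need it, e.g. `'TPM2TOOLS_TCTI="swtpm:port=2321" tpm2_startup -c'`, makes the target explicit. The 307.72s reported for this case in the commit message suggests the backgrounded `swtpm socket ... &` keeps the session open until a timeout; using swtpm's `--daemon` option in place of `&` should avoid that. `mkdir /tmp/myvtpm` also fails on a second run against the same target and uses a fixed name in a world-writable directory, so `mkdir -p` at least, or a `mktemp -d` directory, is safer.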
[meta-security][PATCH 2/3] tpm2-tools: Add missing rdepends
Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index f924038..c20af7e 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -16,3 +16,6 @@ do_configure:prepend() {
 # do not extract the version number from git
 sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
 }
+
+# need tss-esys
+RDEPENDS:${PN} = "libtss2 tpm2-abrmd"
-- 
2.25.1
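Review bot: `RDEPENDS:${PN} = "libtss2 tpm2-abrmd"` assigns with `=`, which discards anything assigned to the variable earlier in the recipe or its includes; `RDEPENDS:${PN} += "libtss2 tpm2-abrmd"` keeps it. The comment says `tss-esys` while the value names `libtss2` and `tpm2-abrmd`, so it should say why each one is needed. Making the resource-manager daemon a hard dependency also places it on every image that installs the tools, including ones that do not use it; consider whether `RRECOMMENDS:${PN}` is enough for `tpm2-abrmd`.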
[meta-security][PATCH 1/3] tpm2-pkcs11: tpm2-pkcs11 module missing
Correctly fix symlink issue by putting module in -dev pkg.
Signed-off-by: Armin Kuster <akuster808@...> --- meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb index a9174e6..e8812d0 100644 --- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb +++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb @@ -27,8 +27,13 @@ do_compile:append() { do_install:append() { install -d ${D}${libdir}/pkcs11 install -d ${D}${datadir}/p11-kit + + # remove symlinks rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + #install lib + install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + cd ${S}/tools export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build @@ -48,5 +53,5 @@ FILES:${PN} += "\ ${datadir}/p11-kit/* \ " -RDEPENDS:${PN} = "tpm2-tools" -RDEPENDS:${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" +RDEPENDS:${PN} = "p11-kit tpm2-tools " +RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" -- 2.25.1
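Review bot: The added `install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ...` copies the module out of libtool's private `.libs` directory rather than from what the install step already placed under `${D}`. Objects in `.libs` are the pre-install link result and can carry an RPATH that points into the build tree, which would then ship inside the PKCS#11 module that applications load; taking the installed library from `${D}${libdir}` instead, or confirming the packaged file passes the rpath QA check, avoids that. If `.libs/libtpm2_pkcs11.so` is itself a symlink, `install` follows it, so the `#install lib` comment should say which real file is expected. `do_install:append` continues outside the hunk.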
Re: what's the situation with yocto support for qualcomm qcs{410,610} eval boards?
hey, On Thu, May 19, 2022 at 9:31 PM Robert P. J. Day <rpjday@...> wrote:
the underlying chipset , e.g. the Qualcomm QCS410 (or 610) is not supported upstream. So a 'regular' OE + meta-qcom is not going to be straightforward. meta-qcom typically supports 'machines' and soc which have enough upstream support (mostly the one we, at Linaro, work with).
Yes, you are correct. that is a description of the QCOM/vendor 'SDK'. It's typically built from one version of Yocto + the vendor kernel (they recycled the Android kernel used in similar devices) + some open source user space (sometimes inherited from Android) + some non open source user space, distributed as binary blobs.
I would be happy to merge new machines in meta-qcom, assuming their BSP is a 'vanilla' BSP which does not require any of the user space components from the vendor SDK.. Depending on the use cases needed it might be very feasible to have enough upstream support for this board.. we (at linaro) provide such services too..
what's the situation with yocto support for qualcomm qcs{410,610} eval boards?
Robert P. J. Day
colleague just asked if i had any useful advice (spoiler: no) on how
easy it would be to build a yocto-based image for *some* qcs410-based eval board. i'm familiar with meta-qcom, and machine definitions for dragonboards, but this is clearly(?) different, and i see nothing in the meta-qcom layer for this. what i see is that qualcomm supplies a linux sdk, and i quote from https://linuxgizmos.com/module-and-dev-kit-run-linux-on-qcs610-camera-soc/: "A Linux SDK is built on Yocto Thud with Linux kernel 4.1.4. The SDK integrates Qualcomm optimizations, GStreamer wth RTSP streaming support, and AI support for TensorFlow Lite and Qualcomm SNPE. Android 10 support is coming later." the more i read in the last half hour, the more it seems that one needs to bury oneself in qualcomm SDK, and repo-based checkouts from codeaurora and so on. is this the way to go? or have i missed something? colleague has some freedom in choice of qcs410-based eval board, if that makes things easier. rday
Re: [Openembedded-architecture] OpenEmbedded Developer meeting reminder
Alexander Kanavin
Hello Philip,
when would the time slots be allocated? It doesn't look optimal to leave this to the last minute, as people need to plan their day. Alex
On Tue, 17 May 2022 at 03:53, Philip Balister <philip@...> wrote:
[meta-security][PATCH] layer.conf: Added BBFILES_DYNAMIC for dynamic-layers.
leimaohui
Signed-off-by: Lei Maohui <leimaohui@...>
--- conf/layer.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/conf/layer.conf b/conf/layer.conf index 1f83593..0c532fa 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -13,6 +13,13 @@ LAYERSERIES_COMPAT_security = "kirkstone" LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python" +BBFILES_DYNAMIC += " \ + perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bb \ + perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \ + meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \ + meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \ +" + # Sanity check for meta-security layer. # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. INHERIT += "sanity-meta-security" -- 2.25.1
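Review bot: `BBFILES_DYNAMIC` only changes anything for layers that may be absent, but the context line directly above still lists `perl-layer` and `meta-python` in `LAYERDEPENDS_security`, so both remain hard requirements and the new `dynamic-layers/` globs are always active. If the intent is to make these two layers optional, they should move to `LAYERRECOMMENDS_security` in the same change. Otherwise a comment above the block, for example `# Recipes that need meta-perl / meta-python live under dynamic-layers/`, would explain why the indirection exists.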
[meta-security][PATCH] samhain: update to 4.4.9
Signed-off-by: Armin Kuster <akuster808@...>
--- recipes-ids/samhain/samhain.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc index df9e215..eb8592d 100644 --- a/recipes-ids/samhain/samhain.inc +++ b/recipes-ids/samhain/samhain.inc @@ -3,7 +3,7 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" -PV = "4.4.7" +PV = "4.4.9" SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://${INITSCRIPT_NAME}.init \ @@ -21,7 +21,7 @@ SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain-fix-initializer-element-is-not-constant.patch \ " -SRC_URI[sha256sum] = "0aa978accb635000c2d9170f307bff8a95836f8ec01615a53dbd9c2af9564d44" +SRC_URI[sha256sum] = "dd85bf2f90db3ce616a09608e650f3707a4d69aa1e1fe718f8b359ce0aafc198" UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" -- 2.25.1
[meta-security][PATCH 3/3] suricata: update to 5.0.5
libhtp rolls with it
--- recipes-ids/suricata/{libhtp_0.5.39.bb => libhtp_0.5.40.bb} | 2 +- recipes-ids/suricata/{suricata_6.0.4.bb => suricata_6.0.5.bb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename recipes-ids/suricata/{libhtp_0.5.39.bb => libhtp_0.5.40.bb} (91%) rename recipes-ids/suricata/{suricata_6.0.4.bb => suricata_6.0.5.bb} (98%) diff --git a/recipes-ids/suricata/libhtp_0.5.39.bb b/recipes-ids/suricata/libhtp_0.5.40.bb similarity index 91% rename from recipes-ids/suricata/libhtp_0.5.39.bb rename to recipes-ids/suricata/libhtp_0.5.40.bb index 80c9014..08e285e 100644 --- a/recipes-ids/suricata/libhtp_0.5.39.bb +++ b/recipes-ids/suricata/libhtp_0.5.40.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" -SRCREV = "6b70803c45894da7a591b2305498335e6df4f9a3" +SRCREV = "1733478f7fd09e936fea2e024f1d228d40741df2" DEPENDS = "zlib" diff --git a/recipes-ids/suricata/suricata_6.0.4.bb b/recipes-ids/suricata/suricata_6.0.5.bb similarity index 98% rename from recipes-ids/suricata/suricata_6.0.4.bb rename to recipes-ids/suricata/suricata_6.0.5.bb index 968da21..913e64e 100644 --- a/recipes-ids/suricata/suricata_6.0.4.bb +++ b/recipes-ids/suricata/suricata_6.0.5.bb @@ -5,7 +5,7 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" -SRC_URI[sha256sum] = "a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d" +SRC_URI[sha256sum] = "0d4197047c84ba070dfc6b1d9f9ee92f52a71403bfac0e29b2554bb21fe00754" DEPENDS = "lz4 libhtp" -- 2.25.1
[meta-security][PATCH 2/3] ossec-hids: update to 3.7.0
See https://github.com/ossec/ossec-hids/releases/tag/3.7.0
Signed-off-by: Armin Kuster <akuster808@...> --- recipes-ids/ossec/{ossec-hids_3.6.0.bb => ossec-hids_3.7.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-ids/ossec/{ossec-hids_3.6.0.bb => ossec-hids_3.7.0.bb} (98%) diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb b/recipes-ids/ossec/ossec-hids_3.7.0.bb similarity index 98% rename from recipes-ids/ossec/ossec-hids_3.6.0.bb rename to recipes-ids/ossec/ossec-hids_3.7.0.bb index b0759b1..c211f03 100644 --- a/recipes-ids/ossec/ossec-hids_3.6.0.bb +++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb @@ -9,7 +9,7 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \ file://0002-Makefile-don-t-set-uid-gid.patch \ " -SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2" +SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083" UPSTREAM_CHECK_COMMITS = "1" -- 2.25.1
[meta-security][PATCH 1/3] aide: Update 01.17.4
Precalculate buffer size in base64 functions (CVE-2021-45417)
Signed-off-by: Armin Kuster <akuster808@...> --- recipes-ids/aide/{aide_0.17.3.bb => aide_0.17.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-ids/aide/{aide_0.17.3.bb => aide_0.17.4.bb} (94%) diff --git a/recipes-ids/aide/aide_0.17.3.bb b/recipes-ids/aide/aide_0.17.4.bb similarity index 94% rename from recipes-ids/aide/aide_0.17.3.bb rename to recipes-ids/aide/aide_0.17.4.bb index fcab504..6bc2bfe 100644 --- a/recipes-ids/aide/aide_0.17.3.bb +++ b/recipes-ids/aide/aide_0.17.4.bb @@ -8,7 +8,7 @@ DEPENDS = "bison-native libpcre" SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ file://aide.conf" -SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8" +SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846" inherit autotools pkgconfig -- 2.25.1
Re: ERROR: cp: cannot stat 'Module.symvers': No such file or directory
Duda, Alexander
Thanks a lot, this solved my problem.
I didn't have this change Greetings Alex
-----Original Message-----
From: Mittal, Anuj <anuj.mittal@...> Sent: Wednesday, May 18, 2022 3:43 PM To: yocto@...; Duda, Alexander <Alexander.Duda@...> Subject: Re: [yocto] ERROR: cp: cannot stat 'Module.symvers': No such file or directory On Wed, 2022-05-18 at 11:50 +0000, Duda, Alexander wrote: Hello yocto users,Do you have this change: https://git.yoctoproject.org/poky/commit/?h=zeus&id=05043a26cc297ed9834055678ac699e20e2f16d5 Thanks, Anuj
[meta-security][PATCH] ima-evm-utils: Update to 1.4
Switch from git to https in SRC_URI
Drop patches not upstreamed. Passes OEQA: RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.05s) RESULTS - ima.IMACheck.test_ima_hash: PASSED (6.13s) RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (131.31s) RESULTS - ima.IMACheck.test_ima_signature: PASSED (69.03s) Signed-off-by: Armin Kuster <akuster808@...> --- ...nd-line-apply-operation-to-all-paths.patch | 68 ------------------- .../ima-evm-utils/disable-doc-creation.patch | 50 -------------- ...t-depend-on-xattr.h-with-IMA-defines.patch | 47 ------------- ...-evm-utils_git.bb => ima-evm-utils_1.4.bb} | 18 +---- 4 files changed, 2 insertions(+), 181 deletions(-) delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_git.bb => ima-evm-utils_1.4.bb} (52%) diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch deleted file mode 100644 index 35c3162..0000000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@...> -Date: Fri, 30 Sep 2016 10:22:16 +0200 -Subject: [PATCH] command line: apply operation to all paths - -Previously, invocations like "evmctl ima_hash foo bar" silently -ignored all parameters after the first path name ("foo" in this -example). - -Now evmctl iterates over all specified paths. It aborts with an -error as soon as the selected operation fails for a path. - -Supporting more than one parameter is useful in combination with -"find" and "xargs" because it is noticably faster than invoking -evmutil separately for each file, in particular when run under pseudo -(a fakeroot environment used by the OpenEmbedded build system). - -This complements the recursive mode and can be used when more control -over file selection is needed. - -Signed-off-by: Patrick Ohly <patrick.ohly@...> ---- - src/evmctl.c | 21 ++++++++++++--------- - 1 file changed, 12 insertions(+), 9 deletions(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index 23cf54c..2072034 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type) - static int do_cmd(struct command *cmd, find_cb_t func) - { - char *path = g_argv[optind++]; -- int err, dts = REG_MASK; /* only regular files by default */ -+ int err = 0, dts = REG_MASK; /* only regular files by default */ - - if (!path) { - log_err("Parameters missing\n"); -@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func) - return -1; - } - -- if (recursive) { -- if (search_type) { -- dts = get_file_type(path, search_type); -- if (dts < 0) -- return dts; -+ while (path && !err) { -+ if (recursive) { -+ if (search_type) { -+ dts = get_file_type(path, search_type); -+ if (dts < 0) -+ return dts; -+ } -+ err = find(path, dts, func); -+ } else { -+ err = func(path); - } -- err = find(path, dts, func); -- } else { -- err = func(path); -+ 
path = g_argv[optind++]; - } - - return err; --- -2.1.4 - diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch deleted file mode 100644 index 75076f5..0000000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@...> -Date: Wed, 13 May 2015 03:41:02 -0700 -Subject: [PATCH] Makefile.am: disable man page creation - -Depends on asciidoc, which is not available. - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Patrick Ohly <patrick.ohly@...> ---- - Makefile.am | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/Makefile.am b/Makefile.am -index 06ebf59..4ddd52c 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1,5 +1,5 @@ - SUBDIRS = src --dist_man_MANS = evmctl.1 -+# dist_man_MANS = evmctl.1 - - doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh - EXTRA_DIST = autogen.sh $(doc_DATA) -@@ -39,4 +39,21 @@ rmman: - - doc: evmctl.1.html rmman evmctl.1 - -+# requires asciidoc, xslproc, docbook-xsl -+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org -+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl -+# -+#evmctl.1.html: README -+# @asciidoc -o $@ $< -+# -+#evmctl.1: -+# asciidoc -d manpage -b docbook -o evmctl.1.xsl README -+# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl -+# rm -f evmctl.1.xsl -+# -+#rmman: -+# rm -f evmctl.1 -+# -+#doc: evmctl.1.html rmman evmctl.1 -+ - .PHONY: $(tarname) --- -1.8.4.5 - 
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch deleted file mode 100644 index ffa65df..0000000 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001 -From: Patrick Ohly <patrick.ohly@...> -Date: Wed, 17 Jun 2015 14:28:18 +0200 -Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines - -Compilation on older Linux distros (like Ubuntu 12.04) fails -because linux/xattr.h does not yet have the IMA defines. Compiling -there makes sense when only the tools are needed, for example when -signing an image in cross-compile mode. - -To support this, add fallbacks for the two defines which are needed. -Their value is part of the Linux ABI and thus fixed. - -Upstream-status: Submitted [linux-ima-devel@...] - -Signed-off-by: Patrick Ohly <patrick.ohly@...> - ---- - src/evmctl.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/evmctl.c b/src/evmctl.c -index c54efbb..23cf54c 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -57,6 +57,18 @@ - #include <termios.h> - #include <assert.h> - -+/* -+ * linux/xattr.h might be old to have this. Allow compilation on older -+ * Linux distros (like Ubuntu 12.04) by falling back to our own -+ * definition. -+ */ -+#ifndef XATTR_IMA_SUFFIX -+# define XATTR_IMA_SUFFIX "ima" -+#endif -+#ifndef XATTR_NAME_IMA -+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX -+#endif -+ - #include <openssl/sha.h> - #include <openssl/pem.h> - #include <openssl/hmac.h> --- -2.1.4 - 
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb similarity index 52% rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb index fc7a2d6..4f1d1a3 100644 --- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb @@ -6,22 +6,8 @@ DEPENDS += "openssl attr keyutils" DEPENDS:class-native += "openssl-native keyutils-native" -PV = "1.2.1+git${SRCPV}" -SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" -SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y" - -# Documentation depends on asciidoc, which we do not have, so -# do not build documentation. -SRC_URI += "file://disable-doc-creation.patch" - -# Workaround for upstream incompatibility with older Linux distros. -# Relevant for us when compiling ima-evm-utils-native. -SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch" - -# Required for xargs with more than one path as argument (better for performance). -SRC_URI += "file://command-line-apply-operation-to-all-paths.patch" - -S = "${WORKDIR}/git" +SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz" +SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1" inherit pkgconfig autotools features_check -- 2.25.1
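Review bot: Dropping `command-line-apply-operation-to-all-paths.patch` from `SRC_URI` is only safe if evmctl 1.4 itself iterates over every path argument; the removed patch's own description says that without it `evmctl ima_hash foo bar` silently ignores everything after the first path. If the image-signing code in this layer still passes several paths per invocation through `xargs` (not visible here), files could be left unhashed or unsigned without any error, and the OEQA cases quoted in the commit message would not necessarily notice. The commit message should state that 1.4 handles multiple paths, or the signing step should verify that every file carries the expected xattr. The recipe continues outside the hunk.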
Re: [dunfell][PATCH] openssl: update from 1.1.1n to 1.1.1o
Steve Sakoman
On Wed, May 18, 2022 at 12:14 AM Daniel Karlsson
<daniel.karlsson@...> wrote: Hi Daniel, I've already taken a patch for this update and it is in the set sent out for review yesterday: https://lists.openembedded.org/g/openembedded-core/message/165788 In the future if you want to check what patches I currently have under test, you can look at this branch of oe-core: https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut I appreciate the help with CVEs so don't let this discourage you from submitting future patches! It's a never ending battle to keep up with new CVEs :-( Steve
Re: ERROR: cp: cannot stat 'Module.symvers': No such file or directory
Anuj Mittal
On Wed, 2022-05-18 at 11:50 +0000, Duda, Alexander wrote:
Hello yocto users,Do you have this change: https://git.yoctoproject.org/poky/commit/?h=zeus&id=05043a26cc297ed9834055678ac699e20e2f16d5 Thanks, Anuj