
[meta-security][kirkstone][PATCH] lib-perl: prefix man pages to avoid conflicting with base perl

Jeremy Puhlman
 

The following occurs when pkgs-docs is added to image features.

Error: Transaction test error:
file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64

Signed-off-by: Jeremy A. Puhlman <jpuhlman@...>
---
recipes-perl/perl/lib-perl_0.63.bb | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 4c964d5..25d0890 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -26,3 +26,10 @@ do_compile() {
export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
cpan_do_compile
}
+
+do_install:append() {
+ # Man pages here conflict wtih the main perl documentation
+ for page in ${D}${mandir}/man*/*; do
+ mv $page $(dirname $page)/${BPN}-$(basename $page)
+ done
+}
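Review bot: In the added `do_install:append`, the `for page in ${D}${mandir}/man*/*` loop has no guard for an unmatched glob and leaves `$page` unquoted in the `mv`, so if the recipe ever installs no man pages the shell hands the literal pattern to `mv` and the task fails. A guard plus quoting makes it robust: `[ -e "$page" ] || continue` followed by `mv "$page" "$(dirname "$page")/${BPN}-$(basename "$page")"`. The comment could also state that every installed page is renamed, not only the conflicting `lib.3`, and its "wtih" typo can be fixed in the same pass. The identical hunk in the non-kirkstone posting of this patch has the same issue.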
--
2.35.3


[meta-security][PATCH] lib-perl: prefix man pages to avoid conflicting with base perl

Jeremy Puhlman
 

The following occurs when pkgs-docs is added to image features.

Error: Transaction test error:
file /usr/share/man/man3/lib.3 conflicts between attempted installs of lib-perl-doc-0.63-r0.corei7_64 and perl-doc-5.34.1-r0.corei7_64

Signed-off-by: Jeremy A. Puhlman <jpuhlman@...>
---
recipes-perl/perl/lib-perl_0.63.bb | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/recipes-perl/perl/lib-perl_0.63.bb b/recipes-perl/perl/lib-perl_0.63.bb
index 4c964d5..25d0890 100644
--- a/recipes-perl/perl/lib-perl_0.63.bb
+++ b/recipes-perl/perl/lib-perl_0.63.bb
@@ -26,3 +26,10 @@ do_compile() {
export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
cpan_do_compile
}
+
+do_install:append() {
+ # Man pages here conflict wtih the main perl documentation
+ for page in ${D}${mandir}/man*/*; do
+ mv $page $(dirname $page)/${BPN}-$(basename $page)
+ done
+}
--
2.35.3


[meta-security][PATCH] Parsec-service: Update installation procedure

Anton Antonov
 

Signed-off-by: Anton Antonov <Anton.Antonov@...>
---
.../parsec-service/files/parsec-tmpfiles.conf | 1 +
.../parsec-service/parsec-service_1.0.0.bb | 16 +++++++++-------
2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
index fe576a2..954bfa3 100644
--- a/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
+++ b/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
@@ -1,2 +1,3 @@
#Type Path Mode User Group Age Argument
d /run/parsec 755 parsec parsec - -
+d /var/lib/parsec 700 parsec parsec - -
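Review bot: `/var/lib/parsec` is now created only by this tmpfiles.d entry on systemd images and by the `install -d` that the recipe change moves inside the sysvinit branch of do_install, so an image whose DISTRO_FEATURES contains neither init manager appears to end up without the service's data directory, which is also the parsec user's home in USERADD_PARAM. If that configuration is meant to be supported, keep an unconditional fallback in the recipe; otherwise document the split next to the entry, e.g. `# persistent key-store directory; created at boot here, so it is not shipped in the package`. Whether this tmpfiles.d file is itself installed only under systemd is not visible in the patch.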
diff --git a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index d1d6c07..ad7e560 100644
--- a/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -15,8 +15,8 @@ PACKAGECONFIG ??= "PKCS11 MBED-CRYPTO"
have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}"
PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}"

-PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts"
-PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss"
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
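Review bot: `PACKAGECONFIG[ALL]` enables the TPM provider through the `all-providers` feature, but the `GROUPMEMS_PARAM:${PN}` line this patch adds further down tests PACKAGECONFIG_CONFARGS for the literal `tpm-provider`, which only `PACKAGECONFIG[TPM]` contributes. With `ALL` selected the parsec user therefore appears not to be added to the `tss` group, and the service would presumably be refused access to the TPM device at runtime. Testing the option names instead covers both cases: `GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains_any('PACKAGECONFIG', 'TPM ALL', '-a parsec -g tss', '', d)}"`. A comment there noting that the `tss` group is expected to come from tpm2-tss would make the ordering assumption explicit.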
@@ -25,6 +25,9 @@ PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"

+export BINDGEN_EXTRA_CLANG_ARGS
+BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include"
+
inherit systemd
SYSTEMD_SERVICE:${PN} = "parsec.service"

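Review bot: `BINDGEN_EXTRA_CLANG_ARGS` hard-codes `${WORKDIR}/recipe-sysroot` and `/usr/include` where the build system already provides variables for both, so the line stops matching if the sysroot location or `includedir` is changed by the distro. `BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${RECIPE_SYSROOT} -I${STAGING_INCDIR}"` expresses the same thing without literal paths. A one-line comment saying that bindgen must resolve headers from the target sysroot rather than the build host would also help the next reader.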
@@ -35,7 +38,7 @@ INITSCRIPT_NAME = "parsec"
# The file should also be included into SRC_URI then
PARSEC_CONFIG ?= "${S}/config.toml"

-do_install:append () {
+do_install () {
# Binaries
install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec"
install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec
@@ -44,9 +47,6 @@ do_install:append () {
install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec"
install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml

- # Data dir
- install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
-
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${systemd_unitdir}/system
install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system
@@ -58,6 +58,8 @@ do_install:append () {
if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/init.d
install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
+ # Data dir
+ install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
fi
}

@@ -65,12 +67,12 @@ inherit useradd
USERADD_PACKAGES = "${PN}"
USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
GROUPADD_PARAM:${PN} = "-r parsec"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"

FILES:${PN} += " \
${sysconfdir}/parsec/config.toml \
${libexecdir}/parsec/parsec \
${systemd_unitdir}/system/parsec.service \
- ${localstatedir}/lib/parsec \
${libdir}/tmpfiles.d/parsec-tmpfiles.conf \
${sysconfdir}/init.d/parsec \
"
--
2.25.1


Re: [qa-build-notification] QA notification for completed autobuilder build (yocto-4.0.1.rc1)

Teoh, Jay Shen
 

Hello Everyone,

 

This is the full report for yocto-4.0.1.rc1: 

https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

 

======= Summary ========

No high milestone defects.

 

No new issue found. Have a good weekend 😊.

 

Thanks,

Jay

 

> -----Original Message-----

> From: qa-build-notification@... <qa-build-

> notification@...> On Behalf Of Richard Purdie

> Sent: Monday, 16 May, 2022 6:46 AM

> To: yocto@...

> Cc: qa-build-notification <qa-build-notification@...>

> Subject: [qa-build-notification] QA notification for completed autobuilder

> build (yocto-4.0.1.rc1)

>

> A build flagged for QA (yocto-4.0.1.rc1) was completed on the autobuilder

> and is available at:

>

>

>     https://autobuilder.yocto.io/pub/releases/yocto-4.0.1.rc1

>

>

> Build hash information:

>

> bitbake: 59c16ae6c55c607c56efd2287537a1b97ba2bf52

> meta-agl: ba35313c0852ebaf924a9b71d87a4e3f5e90ac9b

> meta-arm: b838d40efe06c839d58cf39b785175d0ba7518c6

> meta-aws: b07a769a4347b9f425cf8c6106d3191634791f8c

> meta-gplv2: d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a

> meta-intel: fb23bc3e661685383edd3026e21ca25825c48bc4

> meta-mingw: a90614a6498c3345704e9611f2842eb933dc51c1

> meta-openembedded: 5357c7a40eaf8d1bcf7ff58edbba8e9527e40c7d

> meta-virtualization: c578929ca3910e78a2b5876c70749520791124ee

> oecore: cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee

> poky: 8c489602f218bcf21de0d3c9f8cf620ea5f06430

>

>

>

> This is an automated message from the Yocto Project Autobuilder

> Git: git://git.yoctoproject.org/yocto-autobuilder2

> Email: richard.purdie@...

>

>

>

>

>

>

 


Build with stale kernel modules compared to kernel

Craig McQueen
 

I have an imx8mm based system built with Yocto dunfell and linux-fslc-imx 5.4.119 from meta-freescale.

Recently, I had a Yocto build that didn't run properly. It turns out the kernel modules directory /lib/modules/5.4.119+gccebf7b87951 didn't match the version number of the kernel image (uname -a reported Linux tv937913 5.4.119+gdcbcfe59f884 #1 SMP PREEMPT Fri May 14 21:09:23 UTC 2021 aarch64 GNU/Linux).

The manifest file showed the version of all the kernel-module packages was 5.4.119+gccebf7b87951. I found that the kernel modules directory contents were coming from stale RPMs that evidently came from sstate cache. Looking in the build logs, for linux-fslc-imx, the task do_package_write_rpm_setscene was run early, before do_compile and do_compile_kernelmodules. I would have expected a do_package_write_rpm task to run *after* do_compile_kernelmodules, but that didn't happen.

It looks to me as though the sstate cache mechanism has somehow malfunctioned in this build. I've added SSTATE_SKIP_CREATION="1" to a bbappend file for linux-fslc-imx, in the hope that this will avoid such an issue again.

But, it would be good to figure out the root cause and fix it. What could I do to diagnose this issue?

Regards,
Craig McQueen



 
 

 

Craig McQueen
Embedded Systems Engineer

t: +61 3 9780 4378
e: craig.mcqueen@...
w: innerrange.com
 Inner Range • 1 Millennium Court • Knoxfield • Victoria • 3180 • Australia 

 

 


[meta-security][PATCH 3/3] oeqa/cases/tpm2: fix and enhance test suite

Armin Kuster
 

local.conf
TEST_SUITES = "ssh ping tpm2"
IMAGE_INSTALL:append = " swtpm tpm2-pkcs11"

RESULTS:
RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
RESULTS - ssh.SSHTest.test_ssh: PASSED (2.19s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pcrread: PASSED (1.06s)
RESULTS - tpm2.Tpm2Test.test_tpm2_pkcs11: PASSED (1.17s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_reset: PASSED (0.59s)
RESULTS - tpm2.Tpm2Test.test_tpm2_swtpm_socket: PASSED (307.72s)

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 41 +++++++++++++++++--------
1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c6f9d92..c2c95e7 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -16,28 +16,45 @@ class Tpm2Test(OERuntimeTestCase):
if expected_endlines:
self.fail('Missing expected line endings:\n %s' % '\n '.join(expected_endlines))

- @OEHasPackage(['tpm2-tss'])
- @OEHasPackage(['tpm2-abrmd'])
@OEHasPackage(['tpm2-tools'])
- @OEHasPackage(['ibmswtpm2'])
+ @OEHasPackage(['tpm2-abrmd'])
+ @OEHasPackage(['swtpm'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
- def test_tpm2_sim(self):
+ def test_tpm2_swtpm_socket(self):
cmds = [
- 'tpm_server &',
- 'tpm2-abrmd --allow-root --tcti=mssim &'
+ 'mkdir /tmp/myvtpm',
+ 'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &',
+ 'export TPM2TOOLS_TCTI="swtpm:port=2321"',
+ 'tpm2_startup -c'
]

for cmd in cmds:
status, output = self.target.run(cmd)
self.assertEqual(status, 0, msg='\n'.join([cmd, output]))

- @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
- def test_tpm2(self):
- (status, output) = self.target.run('tpm2_pcrlist')
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ def test_tpm2_pcrread(self):
+ (status, output) = self.target.run('tpm2_pcrread')
expected_endlines = []
- expected_endlines.append('sha1 :')
- expected_endlines.append(' 0 : 0000000000000000000000000000000000000003')
- expected_endlines.append(' 1 : 0000000000000000000000000000000000000000')
+ expected_endlines.append(' sha1:')
+ expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000')
+ expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000')
+ expected_endlines.append(' sha256:')
+ expected_endlines.append(' 0 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+ expected_endlines.append(' 1 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+

self.check_endlines(output, expected_endlines)

+
+ @OEHasPackage(['p11-kit'])
+ @OEHasPackage(['tpm2-pkcs11'])
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+ def test_tpm2_pkcs11(self):
+ (status, output) = self.target.run('p11-kit list-modules -v')
+ self.assertEqual(status, 0, msg="Modules missing: %s" % output)
+
+ @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11'])
+ def test_tpm2_swtpm_reset(self):
+ (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
+ self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
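Review bot: In `test_tpm2_swtpm_socket`, the `'export TPM2TOOLS_TCTI="swtpm:port=2321"'` entry is executed through its own `self.target.run()` call, so unless the target runner keeps a single shell across calls (not visible here) the variable is gone before `tpm2_startup -c` and the later `tpm2_pcrread` run, and those tools fall back to their default TCTI. Setting it on the command that needs it is more reliable, e.g. `'TPM2TOOLS_TCTI="swtpm:port=2321" tpm2_startup -c'`, and likewise for the `tpm2_pcrread` call. `'mkdir /tmp/myvtpm'` also fails on a second run against the same target, which `mkdir -p` avoids. The class body starts before this hunk, so `check_endlines` is only partly visible.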
--
2.25.1


[meta-security][PATCH 2/3] tpm2-tools: Add missing rdepends

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index f924038..c20af7e 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -16,3 +16,6 @@ do_configure:prepend() {
# do not extract the version number from git
sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
}
+
+# need tss-esys
+RDEPENDS:${PN} = "libtss2 tpm2-abrmd"
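Review bot: The comment `# need tss-esys` does not match the value assigned on the next line, which pulls in `libtss2` and `tpm2-abrmd`; it should say what each entry is for, e.g. `# tools link against libtss2 (ESYS); tpm2-abrmd provides the resource manager`, if that is the intent. Making `tpm2-abrmd` a hard RDEPENDS also puts the broker daemon on every image that ships the tools, including ones that use the kernel resource manager directly, so `RRECOMMENDS:${PN}` may be the better fit for it. Using `+=` instead of `=` would preserve any RDEPENDS set earlier in the recipe or an include, which this hunk does not show.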
--
2.25.1


[meta-security][PATCH 1/3] tpm2-pkcs11: tpm2-pkcs11 module missing

Armin Kuster
 

Correctly fix symlink issue by putting module in -dev pkg.

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index a9174e6..e8812d0 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -27,8 +27,13 @@ do_compile:append() {
do_install:append() {
install -d ${D}${libdir}/pkcs11
install -d ${D}${datadir}/p11-kit
+
+ # remove symlinks
rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so

+ #install lib
+ install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
+
cd ${S}/tools
export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
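Review bot: The added `install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ...` line copies libtool's uninstalled build output instead of the library that the install step already staged under `${D}${libdir}`. Files under `.libs` are not guaranteed to be relinked for installation and can carry build-tree run paths, so the copy may differ from the packaged library; copying the staged file, or re-creating the link as a relative symlink to it, avoids that. The `#install lib` comment should say why a real file is needed in `${libdir}/pkcs11`, for example `# module must be loadable from ${libdir}/pkcs11 without the -dev symlink`, if that is the reason. do_install:append continues past the end of this hunk.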
@@ -48,5 +53,5 @@ FILES:${PN} += "\
${datadir}/p11-kit/* \
"

-RDEPENDS:${PN} = "tpm2-tools"
-RDEPENDS:${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
+RDEPENDS:${PN} = "p11-kit tpm2-tools "
+RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
--
2.25.1


Re: what's the situation with yocto support for qualcomm qcs{410,610} eval boards?

Nicolas Dechesne
 

hey,

On Thu, May 19, 2022 at 9:31 PM Robert P. J. Day <rpjday@...> wrote:

   colleague just asked if i had any useful advice (spoiler: no) on how
easy it would be to build a yocto-based image for *some* qcs410-based
eval board. i'm familiar with meta-qcom, and machine definitions for
dragonboards, but this is clearly(?) different, and i see nothing in
the meta-qcom layer for this.

The underlying chipset, e.g. the Qualcomm QCS410 (or 610), is not supported upstream. So a 'regular' OE + meta-qcom is not going to be straightforward. meta-qcom typically supports 'machines' and SoCs which have enough upstream support (mostly the ones we, at Linaro, work with).
 

   what i see is that qualcomm supplies a linux sdk, and i quote from
https://linuxgizmos.com/module-and-dev-kit-run-linux-on-qcs610-camera-soc/:

"A Linux SDK is built on Yocto Thud with Linux kernel 4.1.4. The SDK
integrates Qualcomm optimizations, GStreamer wth RTSP streaming support,
and AI support for TensorFlow Lite and Qualcomm SNPE. Android 10 support
is coming later."

   the more i read in the last half hour, the more it seems that one
needs to bury oneself in qualcomm SDK, and repo-based checkouts from
codeaurora and so on. is this the way to go? or have i missed something?

Yes, you are correct. that is a description of the QCOM/vendor 'SDK'. It's typically built from one version of Yocto + the vendor kernel (they recycled the Android kernel used in similar devices) + some open source user space (sometimes inherited from Android) + some non open source user space, distributed as binary blobs. 


   colleague has some freedom in choice of qcs410-based eval board, if
that makes things easier.

I would be happy to merge new machines in meta-qcom, assuming their BSP is a 'vanilla' BSP which does not require any of the user space components from the vendor SDK. Depending on the use cases needed, it might be very feasible to have enough upstream support for this board. We (at Linaro) provide such services too.
 


rday





what's the situation with yocto support for qualcomm qcs{410,610} eval boards?

Robert P. J. Day
 

colleague just asked if i had any useful advice (spoiler: no) on how
easy it would be to build a yocto-based image for *some* qcs410-based
eval board. i'm familiar with meta-qcom, and machine definitions for
dragonboards, but this is clearly(?) different, and i see nothing in
the meta-qcom layer for this.

what i see is that qualcomm supplies a linux sdk, and i quote from
https://linuxgizmos.com/module-and-dev-kit-run-linux-on-qcs610-camera-soc/:

"A Linux SDK is built on Yocto Thud with Linux kernel 4.1.4. The SDK
integrates Qualcomm optimizations, GStreamer wth RTSP streaming support,
and AI support for TensorFlow Lite and Qualcomm SNPE. Android 10 support
is coming later."

the more i read in the last half hour, the more it seems that one
needs to bury oneself in qualcomm SDK, and repo-based checkouts from
codeaurora and so on. is this the way to go? or have i missed something?

colleague has some freedom in choice of qcs410-based eval board, if
that makes things easier.

rday


Re: [Openembedded-architecture] OpenEmbedded Developer meeting reminder

Alexander Kanavin
 

Hello Philip,

when would the time slots be allocated? It doesn't look optimal to
leave this to the last minute, as people need to plan their day.

Alex

On Tue, 17 May 2022 at 03:53, Philip Balister <philip@...> wrote:

We are finalizing the agenda for the developer meeting this Friday (May
20). The agenda has some topics carried from prior meetings and some new
ideas we will cover at the bottom. We would like to get additional
topics that matter to users and developers. Please review:

https://www.openembedded.org/wiki/OEDVM_2022_05

and add your ideas for topics we should discuss. Members of the
OpenEmbedded board and Technical steering committee will be around on
irc in #oe on libera.chat.

Philip



[meta-security][PATCH] layer.conf: Added BBFILES_DYNAMIC for dynamic-layers.

leimaohui
 

Signed-off-by: Lei Maohui <leimaohui@...>
---
conf/layer.conf | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/conf/layer.conf b/conf/layer.conf
index 1f83593..0c532fa 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,13 @@ LAYERSERIES_COMPAT_security = "kirkstone"

LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

+BBFILES_DYNAMIC += " \
+ perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bb \
+ perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
+ meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
+ meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+"
+
# Sanity check for meta-security layer.
# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
INHERIT += "sanity-meta-security"
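Review bot: The `BBFILES_DYNAMIC` entries added here are keyed on `perl-layer` and `meta-python`, but both collections are still hard requirements in the `LAYERDEPENDS_security` line just above, so the dynamic condition is always true and the layer still cannot be used without them. If the goal is to make those layers optional, they need to move out of LAYERDEPENDS as well, e.g. `LAYERDEPENDS_security = "core openembedded-layer networking-layer"` with `LAYERRECOMMENDS_security = "perl-layer meta-python"`. A short comment above the block naming which recipes live under `dynamic-layers/` would help reviewers confirm nothing that other recipes depend on becomes conditional.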
--
2.25.1


[meta-security][PATCH] samhain: update to 4.4.9

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-ids/samhain/samhain.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc
index df9e215..eb8592d 100644
--- a/recipes-ids/samhain/samhain.inc
+++ b/recipes-ids/samhain/samhain.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"

-PV = "4.4.7"
+PV = "4.4.9"

SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://${INITSCRIPT_NAME}.init \
@@ -21,7 +21,7 @@ SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain-fix-initializer-element-is-not-constant.patch \
"

-SRC_URI[sha256sum] = "0aa978accb635000c2d9170f307bff8a95836f8ec01615a53dbd9c2af9564d44"
+SRC_URI[sha256sum] = "dd85bf2f90db3ce616a09608e650f3707a4d69aa1e1fe718f8b359ce0aafc198"

UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
--
2.25.1


[meta-security][PATCH 3/3] suricata: update to 5.0.5

Armin Kuster
 

libhtp rolls with it
---
recipes-ids/suricata/{libhtp_0.5.39.bb => libhtp_0.5.40.bb} | 2 +-
recipes-ids/suricata/{suricata_6.0.4.bb => suricata_6.0.5.bb} | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
rename recipes-ids/suricata/{libhtp_0.5.39.bb => libhtp_0.5.40.bb} (91%)
rename recipes-ids/suricata/{suricata_6.0.4.bb => suricata_6.0.5.bb} (98%)

diff --git a/recipes-ids/suricata/libhtp_0.5.39.bb b/recipes-ids/suricata/libhtp_0.5.40.bb
similarity index 91%
rename from recipes-ids/suricata/libhtp_0.5.39.bb
rename to recipes-ids/suricata/libhtp_0.5.40.bb
index 80c9014..08e285e 100644
--- a/recipes-ids/suricata/libhtp_0.5.39.bb
+++ b/recipes-ids/suricata/libhtp_0.5.40.bb
@@ -5,7 +5,7 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"

SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "6b70803c45894da7a591b2305498335e6df4f9a3"
+SRCREV = "1733478f7fd09e936fea2e024f1d228d40741df2"

DEPENDS = "zlib"

diff --git a/recipes-ids/suricata/suricata_6.0.4.bb b/recipes-ids/suricata/suricata_6.0.5.bb
similarity index 98%
rename from recipes-ids/suricata/suricata_6.0.4.bb
rename to recipes-ids/suricata/suricata_6.0.5.bb
index 968da21..913e64e 100644
--- a/recipes-ids/suricata/suricata_6.0.4.bb
+++ b/recipes-ids/suricata/suricata_6.0.5.bb
@@ -5,7 +5,7 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"

SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
-SRC_URI[sha256sum] = "a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d"
+SRC_URI[sha256sum] = "0d4197047c84ba070dfc6b1d9f9ee92f52a71403bfac0e29b2554bb21fe00754"

DEPENDS = "lz4 libhtp"

--
2.25.1


[meta-security][PATCH 2/3] ossec-hids: update to 3.7.0

Armin Kuster
 

See https://github.com/ossec/ossec-hids/releases/tag/3.7.0

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-ids/ossec/{ossec-hids_3.6.0.bb => ossec-hids_3.7.0.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-ids/ossec/{ossec-hids_3.6.0.bb => ossec-hids_3.7.0.bb} (98%)

diff --git a/recipes-ids/ossec/ossec-hids_3.6.0.bb b/recipes-ids/ossec/ossec-hids_3.7.0.bb
similarity index 98%
rename from recipes-ids/ossec/ossec-hids_3.6.0.bb
rename to recipes-ids/ossec/ossec-hids_3.7.0.bb
index b0759b1..c211f03 100644
--- a/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -9,7 +9,7 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master;protocol=https \
file://0002-Makefile-don-t-set-uid-gid.patch \
"

-SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
+SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083"

UPSTREAM_CHECK_COMMITS = "1"

--
2.25.1


[meta-security][PATCH 1/3] aide: Update 01.17.4

Armin Kuster
 

Precalculate buffer size in base64 functions (CVE-2021-45417)

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-ids/aide/{aide_0.17.3.bb => aide_0.17.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-ids/aide/{aide_0.17.3.bb => aide_0.17.4.bb} (94%)

diff --git a/recipes-ids/aide/aide_0.17.3.bb b/recipes-ids/aide/aide_0.17.4.bb
similarity index 94%
rename from recipes-ids/aide/aide_0.17.3.bb
rename to recipes-ids/aide/aide_0.17.4.bb
index fcab504..6bc2bfe 100644
--- a/recipes-ids/aide/aide_0.17.3.bb
+++ b/recipes-ids/aide/aide_0.17.4.bb
@@ -8,7 +8,7 @@ DEPENDS = "bison-native libpcre"
SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
file://aide.conf"

-SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"

inherit autotools pkgconfig

--
2.25.1


Re: ERROR: cp: cannot stat 'Module.symvers': No such file or directory

Duda, Alexander
 

Thanks a lot, this solved my problem.
I didn't have this change

Greetings

Alex

-----Original Message-----
From: Mittal, Anuj <anuj.mittal@...>
Sent: Wednesday, May 18, 2022 3:43 PM
To: yocto@...; Duda, Alexander <Alexander.Duda@...>
Subject: Re: [yocto] ERROR: cp: cannot stat 'Module.symvers': No such file or directory

On Wed, 2022-05-18 at 11:50 +0000, Duda, Alexander wrote:
Hello yocto users,

I keep getting the following error,
Does someone have a hint where I can look to solve this issue?

ERROR: linux-fslc-5.15-r0 do_shared_workdir: Execution of
'/zeus/build/tmp/work/ -poky-linux/linux-fslc/5.15-
r0/temp/run.do_shared_workdir.58919' failed with exit code 1:
cp: cannot stat 'Module.symvers': No such file or directory
WARNING: exit code 1 from a shell command.

ERROR: Logfile of failure stored in: /zeus/build/tmp/work/ -poky-
linux/linux-fslc/5.15-r0/temp/log.do_shared_workdir.58919
Log data follows:
| DEBUG: Executing shell function do_shared_workdir
| cp: cannot stat 'Module.symvers': No such file or directory
| WARNING: exit code 1 from a shell command.
| ERROR: Execution of '/zeus/build/tmp/work/ -poky-linux/linux-
fslc/5.15-r0/temp/run.do_shared_workdir.58919' failed with exit code
1:
| cp: cannot stat 'Module.symvers': No such file or directory
| WARNING: exit code 1 from a shell command.
Do you have this change:

https://git.yoctoproject.org/poky/commit/?h=zeus&id=05043a26cc297ed9834055678ac699e20e2f16d5

Thanks,

Anuj


[meta-security][PATCH] ima-evm-utils: Update to 1.4

Armin Kuster
 

Switch from git to https in SRC_URI
Drop patches not upstreamed.

Passes OEQA:
RESULTS - ima.IMACheck.test_ima_enabled: PASSED (1.05s)
RESULTS - ima.IMACheck.test_ima_hash: PASSED (6.13s)
RESULTS - ima.IMACheck.test_ima_overwrite: PASSED (131.31s)
RESULTS - ima.IMACheck.test_ima_signature: PASSED (69.03s)

Signed-off-by: Armin Kuster <akuster808@...>
---
...nd-line-apply-operation-to-all-paths.patch | 68 -------------------
.../ima-evm-utils/disable-doc-creation.patch | 50 --------------
...t-depend-on-xattr.h-with-IMA-defines.patch | 47 -------------
...-evm-utils_git.bb => ima-evm-utils_1.4.bb} | 18 +----
4 files changed, 2 insertions(+), 181 deletions(-)
delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
delete mode 100644 meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
rename meta-integrity/recipes-security/ima-evm-utils/{ima-evm-utils_git.bb => ima-evm-utils_1.4.bb} (52%)

diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
deleted file mode 100644
index 35c3162..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@...>
-Date: Fri, 30 Sep 2016 10:22:16 +0200
-Subject: [PATCH] command line: apply operation to all paths
-
-Previously, invocations like "evmctl ima_hash foo bar" silently
-ignored all parameters after the first path name ("foo" in this
-example).
-
-Now evmctl iterates over all specified paths. It aborts with an
-error as soon as the selected operation fails for a path.
-
-Supporting more than one parameter is useful in combination with
-"find" and "xargs" because it is noticably faster than invoking
-evmutil separately for each file, in particular when run under pseudo
-(a fakeroot environment used by the OpenEmbedded build system).
-
-This complements the recursive mode and can be used when more control
-over file selection is needed.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@...>
----
- src/evmctl.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 23cf54c..2072034 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
- static int do_cmd(struct command *cmd, find_cb_t func)
- {
- char *path = g_argv[optind++];
-- int err, dts = REG_MASK; /* only regular files by default */
-+ int err = 0, dts = REG_MASK; /* only regular files by default */
-
- if (!path) {
- log_err("Parameters missing\n");
-@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
- return -1;
- }
-
-- if (recursive) {
-- if (search_type) {
-- dts = get_file_type(path, search_type);
-- if (dts < 0)
-- return dts;
-+ while (path && !err) {
-+ if (recursive) {
-+ if (search_type) {
-+ dts = get_file_type(path, search_type);
-+ if (dts < 0)
-+ return dts;
-+ }
-+ err = find(path, dts, func);
-+ } else {
-+ err = func(path);
- }
-- err = find(path, dts, func);
-- } else {
-- err = func(path);
-+ path = g_argv[optind++];
- }
-
- return err;
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
deleted file mode 100644
index 75076f5..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@...>
-Date: Wed, 13 May 2015 03:41:02 -0700
-Subject: [PATCH] Makefile.am: disable man page creation
-
-Depends on asciidoc, which is not available.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@...>
----
- Makefile.am | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 06ebf59..4ddd52c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1,5 +1,5 @@
- SUBDIRS = src
--dist_man_MANS = evmctl.1
-+# dist_man_MANS = evmctl.1
-
- doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
- EXTRA_DIST = autogen.sh $(doc_DATA)
-@@ -39,4 +39,21 @@ rmman:
-
- doc: evmctl.1.html rmman evmctl.1
-
-+# requires asciidoc, xslproc, docbook-xsl
-+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
-+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
-+#
-+#evmctl.1.html: README
-+# @asciidoc -o $@ $<
-+#
-+#evmctl.1:
-+# asciidoc -d manpage -b docbook -o evmctl.1.xsl README
-+# xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
-+# rm -f evmctl.1.xsl
-+#
-+#rmman:
-+# rm -f evmctl.1
-+#
-+#doc: evmctl.1.html rmman evmctl.1
-+
- .PHONY: $(tarname)
---
-1.8.4.5
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
deleted file mode 100644
index ffa65df..0000000
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@...>
-Date: Wed, 17 Jun 2015 14:28:18 +0200
-Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
-
-Compilation on older Linux distros (like Ubuntu 12.04) fails
-because linux/xattr.h does not yet have the IMA defines. Compiling
-there makes sense when only the tools are needed, for example when
-signing an image in cross-compile mode.
-
-To support this, add fallbacks for the two defines which are needed.
-Their value is part of the Linux ABI and thus fixed.
-
-Upstream-status: Submitted [linux-ima-devel@...]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@...>
-
----
- src/evmctl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index c54efbb..23cf54c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -57,6 +57,18 @@
- #include <termios.h>
- #include <assert.h>
-
-+/*
-+ * linux/xattr.h might be old to have this. Allow compilation on older
-+ * Linux distros (like Ubuntu 12.04) by falling back to our own
-+ * definition.
-+ */
-+#ifndef XATTR_IMA_SUFFIX
-+# define XATTR_IMA_SUFFIX "ima"
-+#endif
-+#ifndef XATTR_NAME_IMA
-+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
-+#endif
-+
- #include <openssl/sha.h>
- #include <openssl/pem.h>
- #include <openssl/hmac.h>
---
-2.1.4
-
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
similarity index 52%
rename from meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
rename to meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
index fc7a2d6..4f1d1a3 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -6,22 +6,8 @@ DEPENDS += "openssl attr keyutils"

DEPENDS:class-native += "openssl-native keyutils-native"

-PV = "1.2.1+git${SRCPV}"
-SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
-SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
-
-# Documentation depends on asciidoc, which we do not have, so
-# do not build documentation.
-SRC_URI += "file://disable-doc-creation.patch"
-
-# Workaround for upstream incompatibility with older Linux distros.
-# Relevant for us when compiling ima-evm-utils-native.
-SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
-
-# Required for xargs with more than one path as argument (better for performance).
-SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
-
-S = "${WORKDIR}/git"
+SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
+SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"

inherit pkgconfig autotools features_check

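Review bot: The three local patches dropped from `SRC_URI` in this hunk include `command-line-apply-operation-to-all-paths.patch`, which the removed comment describes as required for `xargs` callers passing more than one path, and nothing in the hunk records that the 1.4 tarball covers it. If 1.4 does not apply the operation to every path argument, a signing step that feeds `evmctl` through `xargs` could leave files without IMA/EVM signatures while the build still succeeds, so this is worth confirming against the 1.4 source and any class in the layer that invokes `evmctl` that way. The same check applies to `disable-doc-creation.patch`: presumably the release tarball ships a prebuilt `evmctl.1`, otherwise the build would need asciidoc again. Once confirmed, a short comment above `SRC_URI` such as `# 1.4 release tarball: former local patches no longer needed (checked against upstream)` would keep that reasoning with the recipe. The deletion of the third patch file is not visible in this part of the diff.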
--
2.25.1


Re: [dunfell][PATCH] openssl: update from 1.1.1n to 1.1.1o

Steve Sakoman
 

On Wed, May 18, 2022 at 12:14 AM Daniel Karlsson
<daniel.karlsson@...> wrote:

This update fixes CVE-2022-1292.
Hi Daniel,

I've already taken a patch for this update and it is in the set sent
out for review yesterday:

https://lists.openembedded.org/g/openembedded-core/message/165788

In the future if you want to check what patches I currently have under
test, you can look at this branch of oe-core:

https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

I appreciate the help with CVEs, so don't let this discourage you from
submitting future patches! It's a never-ending battle to keep up with
new CVEs :-(

Steve


Signed-off-by: Daniel Karlsson <daniel.karlsson@...>
---
.../openssl/{openssl_1.1.1n.bb => openssl_1.1.1o.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/openssl/{openssl_1.1.1n.bb => openssl_1.1.1o.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1o.bb
index 8538bd5a18..c9cfc759c9 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb
@@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"

-SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a"
+SRC_URI[sha256sum] = "9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f"

inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.25.1




Re: ERROR: cp: cannot stat 'Module.symvers': No such file or directory

Anuj Mittal
 

On Wed, 2022-05-18 at 11:50 +0000, Duda, Alexander wrote:
Hello yocto users,
 
I keep getting the following error,
Does someone have a hint where I can look to solve this issue?
 
ERROR: linux-fslc-5.15-r0 do_shared_workdir: Execution of
'/zeus/build/tmp/work/ -poky-linux/linux-fslc/5.15-
r0/temp/run.do_shared_workdir.58919' failed with exit code 1:
cp: cannot stat 'Module.symvers': No such file or directory
WARNING: exit code 1 from a shell command.
 
ERROR: Logfile of failure stored in: /zeus/build/tmp/work/ -poky-
linux/linux-fslc/5.15-r0/temp/log.do_shared_workdir.58919
Log data follows:
| DEBUG: Executing shell function do_shared_workdir
| cp: cannot stat 'Module.symvers': No such file or directory
| WARNING: exit code 1 from a shell command.
| ERROR: Execution of '/zeus/build/tmp/work/ -poky-linux/linux-
fslc/5.15-r0/temp/run.do_shared_workdir.58919' failed with exit code
1:
| cp: cannot stat 'Module.symvers': No such file or directory
| WARNING: exit code 1 from a shell command.
 
Do you have this change:

https://git.yoctoproject.org/poky/commit/?h=zeus&id=05043a26cc297ed9834055678ac699e20e2f16d5

Thanks,

Anuj