Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-core/images/security-build-image.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/recipes-core/images/security-build-image.bb b/recipes-core/images/security-build-image.bb
index a8757f9..411cd20 100644
--- a/recipes-core/images/security-build-image.bb
+++ b/recipes-core/images/security-build-image.bb
@@ -3,6 +3,7 @@ DESCRIPTION = "A small image for building meta-security packages"
IMAGE_FEATURES += "ssh-server-openssh"

IMAGE_INSTALL = "\
+ ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
packagegroup-base \
packagegroup-core-boot \
packagegroup-core-security \
--
2.25.1

minor recipe cleanup

Signed-off-by: Armin Kuster <akuster808@...>
---
.../{chipsec_git.bb => chipsec_1.8.5.bb} | 21 +++++++++----------
1 file changed, 10 insertions(+), 11 deletions(-)
rename recipes-security/chipsec/{chipsec_git.bb => chipsec_1.8.5.bb} (71%)

diff --git a/recipes-security/chipsec/chipsec_git.bb b/recipes-security/chipsec/chipsec_1.8.5.bb
similarity index 71%
rename from recipes-security/chipsec/chipsec_git.bb
rename to recipes-security/chipsec/chipsec_1.8.5.bb
index d6c3ff2..48dfe45 100644
--- a/recipes-security/chipsec/chipsec_git.bb
+++ b/recipes-security/chipsec/chipsec_1.8.5.bb
@@ -7,21 +7,17 @@ DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"

-SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \
- "
+DEPENDS = "virtual/kernel nasm-native"

-SRCREV = "b2a61684826dc8b9f622a844a40efea579cd7e7d"
-
-COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "07a532aac9f6c3d94b8895cf89336b6a2e60c0d9"

S = "${WORKDIR}/git"
-EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
-
-DEPENDS = "virtual/kernel nasm-native python3-setuptools-native"
-RDEPENDS:${PN} += "python3 python3-modules"

inherit module setuptools3

+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
do_compile:append() {
cd ${S}/drivers/linux
oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
@@ -31,5 +27,8 @@ do_install:append() {
install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
}

-FILES:${PN} += "${exec_prefix} \
-"
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
--
2.25.1

On Wed, 2022-06-22 at 14:50 +0200, Michael Opdenacker wrote:

Hi Quentin

On 3/15/22 17:31, Quentin Schulz wrote:

From: Quentin Schulz <quentin.schulz@...>

The patch was meant as a quick temporary work-around to have the docs
built and published.

Now that releases where -W flag is set (turning warnings into errors)
are appropriately patched to make those warnings disappear (on Sphinx
v3.2.1 which is the one used on the builder), this patch can be reverted
so that next time a warning appears the doc building will fail but will
not destroy the doc website (because of commit
6a4e6ef18d1415c719be51c773d7c57cae5549cf "scripts: run-docs-build: make
the script fail hard ASAP when there's an error", since rsync will not
be run if any error happens before).

This reverts commit 931d409b255a85f2217ca093d8391a678ce00ddb.

Cc: Quentin Schulz <foss+yocto@...>
Signed-off-by: Quentin Schulz <quentin.schulz@...>
---
scripts/run-docs-build | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/run-docs-build b/scripts/run-docs-build
index 73cba3f..b9b331b 100755
--- a/scripts/run-docs-build
+++ b/scripts/run-docs-build
@@ -33,14 +33,14 @@ cd $bbdocs
echo Building bitbake master branch
git checkout master
make clean
-SPHINXOPTS="-j auto" make publish
+make publish
mkdir $outputdir/bitbake
cp -r ./_build/final/* $outputdir/bitbake

We're trying to build the docs with Sphinx 5.0.0 on a special branch,
and we're getting warnings causing the builds to fail:
https://autobuilder.yoctoproject.org/typhoon/#/builders/114/builds/487/steps/5/logs/stdio

If this patch hadn't been reverted, we would probably be fine.

What should we do now? Patch docs for all past Sphinx based releases? If
we tolerated warnings, we would have to do this less often when we want
to upgrade Sphinx.

In my opinion, another more trouble-free solution would be not to
regenerate docs for past releases, but instead only for the latest
commits in the branches we currently support.

What do you think?

We use the ability to regenerate previous releases to update the
switcher lists and potentially other style related changes in future
which keeps the docs looking consistent. We may have to disable the
errors on warnings :(

Cheers,

Richard

Hi Quentin

On 3/15/22 17:31, Quentin Schulz wrote:

From: Quentin Schulz <quentin.schulz@...>

The patch was meant as a quick temporary work-around to have the docs
built and published.

Now that releases where -W flag is set (turning warnings into errors)
are appropriately patched to make those warnings disappear (on Sphinx
v3.2.1 which is the one used on the builder), this patch can be reverted
so that next time a warning appears the doc building will fail but will
not destroy the doc website (because of commit
6a4e6ef18d1415c719be51c773d7c57cae5549cf "scripts: run-docs-build: make
the script fail hard ASAP when there's an error", since rsync will not
be run if any error happens before).

This reverts commit 931d409b255a85f2217ca093d8391a678ce00ddb.

Cc: Quentin Schulz <foss+yocto@...>
Signed-off-by: Quentin Schulz <quentin.schulz@...>
---
scripts/run-docs-build | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/run-docs-build b/scripts/run-docs-build
index 73cba3f..b9b331b 100755
--- a/scripts/run-docs-build
+++ b/scripts/run-docs-build
@@ -33,14 +33,14 @@ cd $bbdocs
echo Building bitbake master branch
git checkout master
make clean
-SPHINXOPTS="-j auto" make publish
+make publish
mkdir $outputdir/bitbake
cp -r ./_build/final/* $outputdir/bitbake

We're trying to build the docs with Sphinx 5.0.0 on a special branch, and we're getting warnings causing the builds to fail: https://autobuilder.yoctoproject.org/typhoon/#/builders/114/builds/487/steps/5/logs/stdio

If this patch hadn't been reverted, we would probably be fine.

What should we do now? Patch docs for all past Sphinx based releases? If we tolerated warnings, we would have to do this less often when we want to upgrade Sphinx.

In my opinion, another more trouble-free solution would be not to regenerate docs for past releases, but instead only for the latest commits in the branches we currently support.

What do you think?
Cheers
Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-core/packagegroup/packagegroup-core-security.bb | 2 ++
recipes-security/Firejail/firejail_0.9.70.bb | 2 ++
2 files changed, 4 insertions(+)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index ef65428..05951da 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -41,6 +41,8 @@ RDEPENDS:packagegroup-security-utils = "\
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
"

+RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail"
+
SUMMARY:packagegroup-security-scanners = "Security scanners"
RDEPENDS:packagegroup-security-scanners = "\
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
diff --git a/recipes-security/Firejail/firejail_0.9.70.bb b/recipes-security/Firejail/firejail_0.9.70.bb
index fc9066b..35f7b07 100644
--- a/recipes-security/Firejail/firejail_0.9.70.bb
+++ b/recipes-security/Firejail/firejail_0.9.70.bb
@@ -58,4 +58,6 @@ pkg_postinst_ontarget:${PN} () {
${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
}

+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
RDEPENDS:${PN} = "bash"
--
2.25.1

Hi ,
I have been trying to enable Secureboot to my board having Intel-x86 architecture  and I am following the steps given in this link https://github.com/jiazhang0/meta-secure-core for Yocto Dunfell branch.

Problem: In non Secureboot mode Yocto Boots normally and everything works fine but when Secureboot is enabled till grub it boots and loads grub-menu then after
If I press boot option it will simply throw this error 

verification requested but nobody cares: bzImage

and stucks there.

I am not getting why this error is coming and what fixes to be made.

BTW grub version is grub-efi-2.04.

Below are the local.conf settings for Secureboot.

UEFI_SB = "1"

BUNDLE = "1"

GRUB_SIGN_VERIFY='0'

GRUB_SIGN_VERIFY_STRICT='0'

DEBUG_FLAGS_forcevariable = ""

IMAGE_INSTALL += "kernel-image-bzimage"

USER_CLASSES_remove = "image-prelink"

fyi:
I started to archive some of the test runs at:
https://github.com/akuster/meta-security-testresults
Not sure if I am doing this correctly but is at least a snapshot.

-armin

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-security-compliance/README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/README b/meta-security-compliance/README
index 320f856..3311d05 100644
--- a/meta-security-compliance/README
+++ b/meta-security-compliance/README
@@ -28,7 +28,7 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@...

When sending single patches, please using something like:
-'git send-email -1 --to yocto@... --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@... --subject-prefix=meta-security-compliance][PATCH'

Layer Maintainer: Armin Kuster <akuster808@...>

--
2.25.1

See changelog for details: https://cisofy.com/changelog/lynis/#308

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-auditors/lynis/{lynis_3.0.0.bb => lynis_3.0.8.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-security-compliance/recipes-auditors/lynis/{lynis_3.0.0.bb => lynis_3.0.8.bb} (93%)

diff --git a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
similarity index 93%
rename from meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
rename to meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
index f665e29..d38c17a 100644
--- a/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
+++ b/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"

SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"

-SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
+SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63"

S = "${WORKDIR}/${BPN}"

--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
.../ccs-tools/{ccs-tools_1.8.4.bb => ccs-tools_1.8.9.bb} | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
rename recipes-mac/ccs-tools/{ccs-tools_1.8.4.bb => ccs-tools_1.8.9.bb} (88%)

diff --git a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
similarity index 88%
rename from recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
rename to recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8d148bb..ff800ce 100644
--- a/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
+++ b/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -7,11 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe"

DEPENDS = "ncurses"

-DS = "20150505"
+DS = "20210910"
SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"

-SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
-SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
+SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"

S = "${WORKDIR}/${BPN}"

--
2.25.1

fixes:
swtpm: Could not open TCP socket: Address already in use

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-parsec/lib/oeqa/runtime/cases/parsec.py | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
index d3d3f2e..11e5572 100644
--- a/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -12,8 +12,13 @@ from oeqa.core.decorator.data import skipIfNotFeature
class ParsecTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.toml_file = '/etc/parsec/config.toml'

+ @classmethod
+ def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+
def setUp(self):
super(ParsecTest, self).setUp()
if 'systemd' in self.tc.td['DISTRO_FEATURES']:
--
2.25.1

fixes:
swtpm: Could not open TCP socket: Address already in use

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/lib/oeqa/runtime/cases/swtpm.py | 2 ++
meta-tpm/lib/oeqa/runtime/cases/tpm2.py | 2 ++
2 files changed, 4 insertions(+)

diff --git a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
index df47b35..0be5c59 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -8,11 +8,13 @@ from oeqa.core.decorator.data import skipIfNotFeature
class SwTpmTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')
cls.tc.target.run('chown tss:root /tmp/myvtpm2')

@classmethod
def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')

@skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
diff --git a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index e64d19d..8e90dc9 100644
--- a/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -8,10 +8,12 @@ from oeqa.core.decorator.data import skipIfNotFeature
class Tpm2Test(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('mkdir /tmp/myvtpm2')

@classmethod
def tearDownClass(cls):
+ cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
cls.tc.target.run('rm -fr /tmp/myvtpm2')

def check_endlines(self, results, expected_endlines):
--
2.25.1

Fix download test

Signed-off-by: Armin Kuster <akuster808@...>
---
lib/oeqa/runtime/cases/clamav.py | 21 ++++-----------------
1 file changed, 4 insertions(+), 17 deletions(-)

diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py
index cf83937..e0cad8f 100644
--- a/lib/oeqa/runtime/cases/clamav.py
+++ b/lib/oeqa/runtime/cases/clamav.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@...>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@...>
#
import re
from tempfile import mkstemp
@@ -48,21 +48,8 @@ class ClamavTest(OERuntimeTestCase):
self.assertEqual(status, 0, msg = msg)

@OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
- def test_freshclam_check_mirrors(self):
- status, output = self.target.run('freshclam --list-mirrors')
- match = re.search('Failures: 0', output)
- if not match:
- msg = ('freshclam --list-mirrors: failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
- @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
def test_freshclam_download(self):
status, output = self.target.run('freshclam --show-progress')
- match = re.search('Database updated', output)
- #match = re.search('main.cvd is up to date', output)
- if not match:
- msg = ('freshclam : DB dowbload failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
--
2.25.1

Hi,

I experience build failure in the compilation step of the recipe rust-cross-canadian-aarch64. I've used latest master from poky and just changed the MACHINE to qemuarm64. When I execute 'bitbake rust-cross-canadian-aarch64' it ends up in an error with object files in wrong format. I have been trying to bisect this issue but can not get a reproducible result. First thing I would like to get help with is to hear if someone else also experience this issue?

Here is a summary of what I see in log.do_compile:

<snip>
release/deps/std-b23e9faab40803e6.std.1f52b5e3-cgu.0.rcgu.o: Relocations in generic ELF (EM: 62)
/work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/12.1.0/ld: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/rustc-1.60.0-src/build/x86_64-unknown-linux-gnu/stage2-std/aarch64-poky-linux/release/deps/std-b23e9faab40803e6.std.1f52b5e3-cgu.0.rcgu.o: error adding symbols: file in wrong format
          collect2: error: ld returned 1 exit status
<snip>
RuntimeError: failed to run: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/rustc-1.60.0-src/build/bootstrap/debug/bootstrap -j 8 build --stage 2 --verbose
WARNING: /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376:177 exit 1 from 'python3 src/bootstrap/bootstrap.py -j 8 "$@" --verbose'
WARNING: Backtrace (BB generated script):
    #1: rust_runx, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 177
    #2: do_compile, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 160
    #3: main, /work/yocto/poky/build/tmp/work/x86_64-nativesdk-pokysdk-linux/rust-cross-canadian-aarch64/1.60.0-r0/temp/run.do_compile.1244376, line 200


Here is my build info:

Build Configuration:
BB_VERSION           = "2.0.1"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "aarch64-poky-linux"
MACHINE              = "qemuarm64"
DISTRO               = "poky"
DISTRO_VERSION       = "4.1+snapshot-cf7d8894545b83f55420fa33f7848e1bfc6754ff"
TUNE_FEATURES        = "aarch64 armv8a crc cortexa57"
TARGET_FPU           = ""
meta
meta-poky
meta-yocto-bsp       = "master:cf7d8894545b83f55420fa33f7848e1bfc6754ff"

/Peter

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-core/images/security-test-image.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/images/security-test-image.bb b/recipes-core/images/security-test-image.bb
index 133a7a1..81f69dd 100644
--- a/recipes-core/images/security-test-image.bb
+++ b/recipes-core/images/security-test-image.bb
@@ -12,7 +12,7 @@ IMAGE_INSTALL:append = "\
${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
"

-TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata"
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
TEST_SUITES:append = " parsec tpm2 swtpm ima"

INSTALL_CLAMAV_CVD = "1"
--
2.25.1