Re: building additional kernel module in yocto, ERROR: no makefile found

Quentin Schulz
 

On August 18, 2021 5:16:36 PM GMT+02:00, Ivan Riabtsov <ivriabtsov@...> wrote:
Thanks!
Can I ask one more question? My module needs openssl, so I added
DEPENDS = "openssl" to my recipe

$ cat meta-gobinet/recipes-gobinet/gobinet/gobinet_1.bb
SUMMARY = "gobinet module"
LICENSE = "CLOSED"
inherit module
DEPENDS = "openssl" !!!!!!!!!!!!!!!!!!!!!!!!!!!
SRC_URI = "file://gobinet.tar.xz;md5sum=5175806df4c088bd77a4e6b66d20f899"
#SRC_URI += " file://0001_gobinet_makefile.patch;md5sum=1261df573e1b91177954f6190a12c7b1"
S = "${WORKDIR}/gobinet"

but this error appears:

/home/ivr/work/yocto/build/tmp/work-shared/phyboard-segin-imx6ul-6/kernel-source/scripts/extract-cert.c:21:10:
fatal error: openssl/bio.h: No such file or directory
| 21 | #include <openssl/bio.h>
| | ^~~~~~~~~~~~~~~
I suspect this script is to be run on the host, so maybe openssl-native in DEPENDS?

Let us know,
Quentin



Re: building additional kernel module in yocto, ERROR: no makefile found

Ivan Riabtsov <ivriabtsov@...>
 

Thanks!
Can I ask one more question? My module needs openssl, so I added
DEPENDS = "openssl" to my recipe

$ cat meta-gobinet/recipes-gobinet/gobinet/gobinet_1.bb
SUMMARY = "gobinet module"
LICENSE = "CLOSED"
inherit module
DEPENDS = "openssl" !!!!!!!!!!!!!!!!!!!!!!!!!!!
SRC_URI = "file://gobinet.tar.xz;md5sum=5175806df4c088bd77a4e6b66d20f899"
#SRC_URI += " file://0001_gobinet_makefile.patch;md5sum=1261df573e1b91177954f6190a12c7b1"
S = "${WORKDIR}/gobinet"

but this error appears:

/home/ivr/work/yocto/build/tmp/work-shared/phyboard-segin-imx6ul-6/kernel-source/scripts/extract-cert.c:21:10:
fatal error: openssl/bio.h: No such file or directory
| 21 | #include <openssl/bio.h>
| | ^~~~~~~~~~~~~~~

$ find -name bio.h
./build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/make-mod-scripts/1.0-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/depmodwrapper-cross/1.0-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/linux-mainline/5.4.91-phy1-r0.0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/gobinet/1-r0/recipe-sysroot/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/libxcrypt/4.4.15-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/ncurses/6.2-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/openssl-1.1.1i/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/openssl-1.1.1i/include/internal/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/packages-split/openssl-dev/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/packages-split/openssl-src/usr/src/debug/openssl/1.1.1i-r0/openssl-1.1.1i/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/packages-split/openssl-src/usr/src/debug/openssl/1.1.1i-r0/openssl-1.1.1i/include/internal/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/image/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/sysroot-destdir/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/package/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/package/usr/src/debug/openssl/1.1.1i-r0/openssl-1.1.1i/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/openssl/1.1.1i-r0/package/usr/src/debug/openssl/1.1.1i-r0/openssl-1.1.1i/include/internal/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/readline/8.0-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/gcc-runtime/9.3.0-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/glibc/2.31+gitAUTOINC+df31c7ca92-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/bash-completion/2.10-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/libtirpc/1.2.6-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/zlib/1.2.11-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/libffi/3.2.1-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/libgcc/9.3.0-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/libcap-ng/0.7.10-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/linux-libc-headers/5.4-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/linux-libc-headers/5.4-r0/linux-5.4/include/linux/bio.h
./build/tmp/work/cortexa7t2hf-neon-vfpv4-phytec-linux-gnueabi/opkg-utils/0.4.2-r0/recipe-sysroot-native/usr/include/openssl/bio.h
./build/tmp/sysroots-components/cortexa7t2hf-neon-vfpv4/openssl/usr/include/openssl/bio.h
./build/tmp/sysroots-components/x86_64/openssl-native/usr/include/openssl/bio.h
./build/tmp/work-shared/phyboard-segin-imx6ul-6/kernel-source/include/linux/bio.h

The file is found in many places; please tell me how to fix it.



Re: building additional kernel module in yocto, ERROR: no makefile found

Quentin Schulz
 

Hi Ivan,

On August 18, 2021 3:36:58 PM GMT+02:00, Ivan Riabtsov <ivriabtsov@...> wrote:
Help please, I have run into a problem building the kernel module. I
created a new layer:

$ ll ~/work/yocto/sources/meta-gobinet
total 28K
drwxr-xr-x 5 ivr ivr 4.0K Aug 18 11:27 .
drwxr-xr-x 12 ivr ivr 4.0K Aug 18 11:26 ..
drwxr-xr-x 2 ivr ivr 4.0K Aug 18 11:26 conf
-rw-r--r-- 1 ivr ivr 1.1K Aug 18 11:26 COPYING.MIT
-rw-r--r-- 1 ivr ivr 801 Aug 18 11:26 README
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 11:26 recipes-example
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 11:28 recipes-gobinet

and I created a recipe:

$ cat ~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet_1.bb
SUMMARY = "gobinet module"
LICENSE = "CLOSED"
inherit module
SRC_URI = "file://gobinet.tar.xz;md5sum=13b5f20214a3925eb4be3b831b62612f"
#SRC_URI += " file://0001_gobinet_makefile.patch;md5sum=1261df573e1b91177954f6190a12c7b1"

and I put gobinet.tar.xz in:

$ ll ~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet/
total 44K
drwxr-xr-x 2 ivr ivr 4.0K Aug 18 15:28 .
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 15:31 ..
-rw-r--r-- 1 ivr ivr 30K Aug 18 15:31 gobinet.tar.xz

the content of gobinet.tar.xz is:

tar -xf gobinet.tar.xz
ivr@home-machine:~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet
$ ll gobinet
total 244K
drwxr-xr-x 2 ivr ivr 4.0K Aug 17 21:32 .
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 15:39 ..
-rw-r--r-- 1 ivr ivr 3.1K Aug 17 21:32 GobiNetworkManager.h
-rw-r--r-- 1 ivr ivr 36K Aug 17 21:32 GobiUSBNet.c
-rw-r--r-- 1 ivr ivr 131 Aug 17 21:32 Kconfig
-rw-r--r-- 1 ivr ivr 324 Aug 17 21:32 kernel-deploy-guide
-rw-r--r-- 1 ivr ivr 326 Aug 17 21:32 Makefile
-rwxr-xr-x 1 ivr ivr 127 Aug 17 21:32 Makefile.kernel
-rw-r--r-- 1 ivr ivr 36K Aug 17 21:32 QMI.c
-rw-r--r-- 1 ivr ivr 97K Aug 17 21:32 QMIDevice.c
-rw-r--r-- 1 ivr ivr 9.8K Aug 17 21:32 QMIDevice.h
-rw-r--r-- 1 ivr ivr 8.7K Aug 17 21:32 QMI.h
-rw-r--r-- 1 ivr ivr 2.9K Aug 17 21:32 Readme.txt
-rw-r--r-- 1 ivr ivr 13K Aug 17 21:32 Structs.h

but I get this error:

ERROR: gobinet-1-r0 do_compile: oe_runmake failed
ERROR: gobinet-1-r0 do_compile: Execution of
'/home/ivr/work/yocto/build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/gobinet/1-r0/temp/run.do_compile.1734076'
failed with exit code 1:
make: *** No targets specified and no makefile found. Stop.
WARNING: exit code 1 from a shell command.

ERROR: Logfile of failure stored in:
/home/ivr/work/yocto/build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/gobinet/1-r0/temp/log.do_compile.1734076

It says there is no Makefile, but the Makefile is present. Please tell me
what the problem is.
Because do_compile runs from ${S}, which by default is set to ${WORKDIR}/${PN}-${PV} (it might be BPN instead of PN, but that does not matter). Basically it expects to be run from ${WORKDIR}/gobinet-1/.

However, the content of the tar.xz is extracted directly within ${WORKDIR}. So it's looking for a Makefile in ${WORKDIR}/gobinet-1/ but it's in ${WORKDIR}.

Two possible ways to do it:
1. Set S to ${WORKDIR}
2. Put all your files in a directory named gobinet-1 and make a tarball of that directory.

Cheers,
Quentin
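
As an added example (not code from the thread or from the Yocto Project), here is a small Python check that inspects a source tarball's top-level layout and reports the S setting a recipe needs, following the explanation above that do_compile runs from S, which defaults to ${WORKDIR}/${BPN}-${PV}. The tarballs it writes are constructed fixtures, and the recipe name and version passed in are assumptions.

```python
"""Inspect a source tarball's layout and report which S a BitBake recipe needs.

do_compile runs from S (default ${WORKDIR}/${BPN}-${PV}); when the archive's
members sit at its root they unpack straight into WORKDIR, which produces the
"No targets specified and no makefile found" error from the thread.
Added example, not code from the thread; the sample tarballs are constructed.
"""
import io
import os
import tarfile
import tempfile


def tarball_topdir(path):
    """Return the one directory every member lives under, or None when a
    regular file sits at the archive root (or members span several dirs)."""
    tops = set()
    with tarfile.open(path) as tf:              # compression auto-detected
        for member in tf.getmembers():
            name = member.name[2:] if member.name.startswith("./") else member.name
            if name in ("", "."):
                continue
            head, sep, _ = name.partition("/")
            if not sep and not member.isdir():
                return None                     # e.g. "Makefile" directly at the root
            tops.add(head)
    return tops.pop() if len(tops) == 1 else None


def suggest_s(bpn, pv, path):
    """Return the S assignment the recipe needs for this tarball, or None when
    the default ${WORKDIR}/${BPN}-${PV} already matches the archive layout."""
    top = tarball_topdir(path)
    if top is None:
        return 'S = "${WORKDIR}"'
    if top == "%s-%s" % (bpn, pv):
        return None
    return 'S = "${WORKDIR}/%s"' % top


def make_sample_tarballs(directory=None):
    """Write three constructed tarballs and return {label: path}:
    'flat' (files at the root, as gobinet.tar.xz in the thread),
    'gobinet' (members under gobinet/) and 'gobinet-1' (the layout the
    default S expects for a recipe named gobinet_1.bb)."""
    directory = directory or tempfile.mkdtemp(prefix="s-check-")
    files = ["Makefile", "Makefile.kernel", "QMI.c", "GobiUSBNet.c"]
    layouts = {"flat": "", "gobinet": "gobinet/", "gobinet-1": "gobinet-1/"}
    paths = {}
    for label, prefix in layouts.items():
        path = os.path.join(directory, label + ".tar")
        with tarfile.open(path, "w") as tf:     # uncompressed keeps the fixture simple
            if prefix:
                dir_info = tarfile.TarInfo(prefix.rstrip("/"))
                dir_info.type = tarfile.DIRTYPE
                tf.addfile(dir_info)
            for name in files:
                info = tarfile.TarInfo(prefix + name)   # empty placeholder file
                tf.addfile(info, io.BytesIO(b""))
        paths[label] = path
    return paths


if __name__ == "__main__":
    for label, path in make_sample_tarballs().items():
        print("%-10s %s" % (label, suggest_s("gobinet", "1", path) or "default S matches"))
```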


Re: best way to get feature of systemd v248 in yocto-hardknott (systemd v247)?

Bill Plunkett
 

Thanks Nicolas.

I was able to get what I needed by backporting the relevant changes (DHCP client LinkLocal address fallback) into the systemd v247 source.  It was a little ugly, but is working now.

I was afraid to try the full systemd v249.

Bill

On Tue, Aug 17, 2021 at 1:27 AM Nicolas Jeker <n.jeker@...> wrote:
On Fri, 2021-08-13 at 15:31 -0600, Bill Plunkett wrote:
> I'd like to use a systemd DHCP client feature that became available
> in v248 in my yocto-hardknott system.  Is there any hope of using the
> complete v249.1 recipe from the oe master branch?
>

To backport a newer version, I usually just take the trial and error
route by copying the recipe to a custom layer and then, if necessary,
resolving missing or outdated dependencies on the go. This works most
of the time, but it could get a bit more complicated for systemd if
something fundamentally changed.

> Bill



building additional kernel module in yocto, ERROR: no makefile found

Ivan Riabtsov <ivriabtsov@...>
 

Help please, I have run into a problem building the kernel module. I
created a new layer:

$ ll ~/work/yocto/sources/meta-gobinet
total 28K
drwxr-xr-x 5 ivr ivr 4.0K Aug 18 11:27 .
drwxr-xr-x 12 ivr ivr 4.0K Aug 18 11:26 ..
drwxr-xr-x 2 ivr ivr 4.0K Aug 18 11:26 conf
-rw-r--r-- 1 ivr ivr 1.1K Aug 18 11:26 COPYING.MIT
-rw-r--r-- 1 ivr ivr 801 Aug 18 11:26 README
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 11:26 recipes-example
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 11:28 recipes-gobinet

and I created a recipe:

$ cat ~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet_1.bb
SUMMARY = "gobinet module"
LICENSE = "CLOSED"
inherit module
SRC_URI = "file://gobinet.tar.xz;md5sum=13b5f20214a3925eb4be3b831b62612f"
#SRC_URI += " file://0001_gobinet_makefile.patch;md5sum=1261df573e1b91177954f6190a12c7b1"

and I put gobinet.tar.xz in:

$ ll ~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet/
total 44K
drwxr-xr-x 2 ivr ivr 4.0K Aug 18 15:28 .
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 15:31 ..
-rw-r--r-- 1 ivr ivr 30K Aug 18 15:31 gobinet.tar.xz

the content of gobinet.tar.xz is:

tar -xf gobinet.tar.xz
ivr@home-machine:~/work/yocto/sources/meta-gobinet/recipes-gobinet/gobinet/gobinet
$ ll gobinet
total 244K
drwxr-xr-x 2 ivr ivr 4.0K Aug 17 21:32 .
drwxr-xr-x 3 ivr ivr 4.0K Aug 18 15:39 ..
-rw-r--r-- 1 ivr ivr 3.1K Aug 17 21:32 GobiNetworkManager.h
-rw-r--r-- 1 ivr ivr 36K Aug 17 21:32 GobiUSBNet.c
-rw-r--r-- 1 ivr ivr 131 Aug 17 21:32 Kconfig
-rw-r--r-- 1 ivr ivr 324 Aug 17 21:32 kernel-deploy-guide
-rw-r--r-- 1 ivr ivr 326 Aug 17 21:32 Makefile
-rwxr-xr-x 1 ivr ivr 127 Aug 17 21:32 Makefile.kernel
-rw-r--r-- 1 ivr ivr 36K Aug 17 21:32 QMI.c
-rw-r--r-- 1 ivr ivr 97K Aug 17 21:32 QMIDevice.c
-rw-r--r-- 1 ivr ivr 9.8K Aug 17 21:32 QMIDevice.h
-rw-r--r-- 1 ivr ivr 8.7K Aug 17 21:32 QMI.h
-rw-r--r-- 1 ivr ivr 2.9K Aug 17 21:32 Readme.txt
-rw-r--r-- 1 ivr ivr 13K Aug 17 21:32 Structs.h

but I get this error:

ERROR: gobinet-1-r0 do_compile: oe_runmake failed
ERROR: gobinet-1-r0 do_compile: Execution of
'/home/ivr/work/yocto/build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/gobinet/1-r0/temp/run.do_compile.1734076'
failed with exit code 1:
make: *** No targets specified and no makefile found. Stop.
WARNING: exit code 1 from a shell command.

ERROR: Logfile of failure stored in:
/home/ivr/work/yocto/build/tmp/work/phyboard_segin_imx6ul_6-phytec-linux-gnueabi/gobinet/1-r0/temp/log.do_compile.1734076

It says there is no Makefile, but the Makefile is present. Please tell me
what the problem is.


Re: hardknott: systemd / agetty: root user environment (sbin not in PATH) when setting password with EXTRA_USERS_PARAMS (solved)

Matthias Klein
 

Hello,

I found it out myself: in the /etc/profile file, the PATH for root is only adjusted if the home directory is /home/root.
That was the cause.
It had nothing to do with setting the password ...

Best regards,
Matthias


Raspberrypi #raspberrypi

yasminebenghozzi6@...
 

Hello everyone,  

Why can't I execute an executable Python script on the Raspberry Pi? What should I add to the Yocto image?


hardknott: systemd / agetty: root user environment (sbin not in PATH) when setting password with EXTRA_USERS_PARAMS

Matthias Klein
 

Hello,

I tried to assign a password to the root user and added the following to my image file:

inherit extrausers
EXTRA_USERS_PARAMS = "usermod -d / -P root root;"

At the same time in the local.conf exists: EXTRA_IMAGE_FEATURES ?= "debug-tweaks".

Setting the password worked. But in parallel the PATH variable in the environment has changed:

before: PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
after: PATH=/usr/local/bin:/usr/bin:/bin

I would like to understand why this is so. Is this intentional, or is it a bug? The root user can't call ifconfig etc now.
I am not concerned with a production image here, I am aware of the security risks.
I want to better understand the internals of Yocto ...

Best regards,
Matthias


Re: raspberrypi GPIO #raspberrypi

Nicolas Jeker
 

On Wed, 2021-08-18 at 03:59 -0700, yasminebenghozzi6@... wrote:
Hello, 

I have a problem importing Python RPi.GPIO in Yocto: it is not found, while
it should be there just by cloning meta-raspberrypi, right?
There is a recipe for RPi.GPIO available in meta-raspberrypi [1]. I
doubt that it's installed in any of the default images. You should add
it to your image by appending to the IMAGE_INSTALL variable. See the
Customizing Images section in the manual [2] for more information.

[1]: https://layers.openembedded.org/layerindex/recipe/5769/
[2]:
https://www.yoctoproject.org/docs/current/mega-manual/mega-manual.html#usingpoky-extend-customimage

Any answer please on how to get them? 
thank you


raspberrypi GPIO #raspberrypi

yasminebenghozzi6@...
 

Hello, 

I have a problem importing Python RPi.GPIO in Yocto: it is not found, while it should be there just by cloning meta-raspberrypi, right?
Any answer please on how to get them? 
thank you


Re: Weird bitbake generation behavior

Richard Purdie
 

On Wed, 2021-08-18 at 06:23 +0000, Frans Meulenbroeks via lists.yoctoproject.org wrote:
Hi,

I share an sstate-cache with my fellow developers and I was assessing why sometimes things got rebuilt even
though I did not expect this.
One of the things I discovered was that we had two versions of glog/0.3.5-r0 in sstate.
The difference was caused by run.do_configure, where one user had this in run.do_configure

do_configure() {
    cmake_do_configure
    # remove WORKDIR info to improve reproducibility
    if [ -f  "/workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0/build/config.h" ] ; then
        sed -i 's/'$(echo /workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0 | sed 's_/_\\/_g')'/../g' /workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0/build/config.h
    fi
}

whereas the other just had:

do_configure() {
    cmake_do_configure
}


The weird thing is that these two builds were about a day apart; they were built on the same system with, as
far as I know, the same metadata, the same distro, the same image etc. etc.
User settings should also be the same (we build under docker and I checked: we used the same version of ubuntu
in the container (18.04)). (Actually the containers were generated from the same Dockerfile and docker inspect
tells me the images are identical.)

Does anyone have an idea how this happens and where that extra snippet comes from? (I grepped for the string
"reproducibility" in the bitbake folder, but that did not help.)
BTW, we're using dunfell.
Google shows:

https://patchwork.openembedded.org/patch/176924/

so I'd check the glog recipe.

https://git.openembedded.org/meta-openembedded/commit/?id=be95549f2ea5c59c6da6ace852b918cdba3c7822

https://git.openembedded.org/meta-openembedded/commit/?h=dunfell&id=a51c0d9b3a0d7dc5986ce46e7de65ef26cd06373

Cheers,

Richard


Build multiple drivers with one recipe #kernel #linux

davidgnisbet@...
 

I am developing a pair of driver modules that share some functionality. Thus it would be convenient for the source files of the drivers to share a directory with the source files of the shared functionality and for both to be built at the same time. Is this feasible using one recipe under Yocto or do I need to separate the drivers and create a library? Any other suggestions would be welcome.


[meta-security][PATCH 2/2] image-with-hardened-binaries: Add selftest

Maximilian Blenk <Maximilian.Blenk@...>
 

Add selftest that executes binary analysis on small rootfs

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
.../cases/hardened_binaries_checker.py | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 lib/oeqa/selftest/cases/hardened_binaries_checker.py

diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class HardenTests(OESelftestTestCase):
+ def test_hardened_binaries(self):
+
+ self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-with-hardened-binaries
+
+HARDENED_BINARIES_CONFIG_FILE = "${WORKDIR}/check-config.toml"
+
+do_write_config_file() {
+ echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+ echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+}
+
+addtask do_write_config_file before do_image_qa
+
+ """)
+
+ result = bitbake("-c image_qa emptytest", ignore_status=True)
+ if result.status != 0:
+ self.logger.warn(result.output)
+ raise self.failureException("build failed, something went wrong...")
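Review bot: in do_write_config_file the `echo "[rpath]\nenabled = true\nwhitelist = []\n"` lines depend on echo expanding `\n`, which dash does but bash (the /bin/sh on some build hosts) does not by default, so the generated check-config.toml would then contain literal `\n` sequences and fail to parse; `printf '%s\n' '[rpath]' 'enabled = true' 'whitelist = []' > "${WORKDIR}/check-config.toml"` or a heredoc is portable. Smaller points: `os` and `re` are imported but unused, `self.logger.warn` is deprecated in favour of `warning`, and the test only asserts that `bitbake -c image_qa emptytest` succeeds, so a companion case that expects a failure (for example a test binary built without PIE and no whitelist entry) would confirm the checker actually rejects something.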
--
2.31.1


[meta-security][PATCH 1/2] image-with-hardened-binaries: add class

Maximilian Blenk <Maximilian.Blenk@...>
 

Add class to analyze binaries with checksec.py. checksec.py is a tool
that checks if security features of a compiler have been used. To do
so, it analyses the resulting binaries:
* NX Protection is enabled
* Full RELRO is enabled
* RPATH and RUNPATH are not set
* Executables are compiled to be position independent
* FORTIFY_SOURCE is set (false-positives possible)
* Stack Canaries are enabled (false-positives possible)

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
Hi guys,

we are currently working on adding automatically checking the binaries
we put into an image for the presence of certain recommended compiler
features. To achieve this, we created a bbclass that wraps around the
existing project checksec.py (https://github.com/Wenzel/checksec.py). In
particular, checksec.py is used to check if
* relro is enabled
* executables are compiled to be position independent code
* rpath and runpath are not set
* stack canaries are enabled
* fortify source is enabled
I must however admit that the last two checks can suffer from
false-positives which need manual analysis and whitelisting (check can
also be completely disabled).

Motivation:
We've decided that such checks would be a nice thing to have because
people might overwrite important compiler flags in their local recipe.
Additionally there is always the possibility that components are shipped
as binaries instead of code (so they are actually built outside the
current build environment). Overall we've detected several cases where
required compiler flags have not been applied to shipped components.
After internal discussion we came to the conclusion that you guys would
maybe also be interested in this kind of check, so I'm offering this
patch to you as well.

I would really appreciate your feedback :-)

BR Max

classes/image-with-hardened-binaries.bbclass | 338 ++++++++++++++++++
...1-main-Add-option-to-ignore-symlinks.patch | 81 +++++
.../0002-Elf-Fix-relro-detection.patch | 51 +++
...heck-Treat-binaries-with-0-fortifiab.patch | 33 ++
...o-use-pre-compiled-version-of-spdlog.patch | 154 ++++++++
.../python/python3-asttokens_2.0.5.bb | 15 +
.../python3-checksec.py-native_0.6.1.bb | 31 ++
.../python/python3-colorama_%.bbappend | 1 +
.../python/python3-commonmark_0.9.1.bb | 14 +
.../python/python3-docopt_0.6.2.bb | 18 +
.../python/python3-icontract_2.5.3.bb | 14 +
.../python/python3-lief_0.11.5.bb | 36 ++
.../python/python3-pylddwrap_1.0.1.bb | 21 ++
recipes-devtools/python/python3-rich_7.1.0.bb | 16 +
.../python/python3-setuptools-scm_6.0.1.bb | 17 +
.../python/python3-toml_%.bbappend | 1 +
16 files changed, 841 insertions(+)
create mode 100644 classes/image-with-hardened-binaries.bbclass
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
create mode 100644 recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
create mode 100644 recipes-devtools/python/python3-asttokens_2.0.5.bb
create mode 100644 recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
create mode 100644 recipes-devtools/python/python3-colorama_%.bbappend
create mode 100644 recipes-devtools/python/python3-commonmark_0.9.1.bb
create mode 100644 recipes-devtools/python/python3-docopt_0.6.2.bb
create mode 100644 recipes-devtools/python/python3-icontract_2.5.3.bb
create mode 100644 recipes-devtools/python/python3-lief_0.11.5.bb
create mode 100644 recipes-devtools/python/python3-pylddwrap_1.0.1.bb
create mode 100644 recipes-devtools/python/python3-rich_7.1.0.bb
create mode 100644 recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
create mode 100644 recipes-devtools/python/python3-toml_%.bbappend

diff --git a/classes/image-with-hardened-binaries.bbclass b/classes/image-with-hardened-binaries.bbclass
new file mode 100644
index 0000000..d7d3908
--- /dev/null
+++ b/classes/image-with-hardened-binaries.bbclass
@@ -0,0 +1,338 @@
+# Provide qa checks to ensure all applications and libraries shipped with the image
+# have common compiler security features enabled. In particular there are checks that:
+# * nx protection is enabled
+# * relro is enabled
+# * executables (except for static linked ones) are position independent
+# * rpath and runpath are not set
+
+IMAGE_QA_COMMANDS += "image_check_binary_hardening"
+
+DEPENDS += "python3-checksec.py-native"
+
+inherit python3native
+
+# Add mappings to the path mappers (which determines if a binary is a application or
+# shared library). To add a mapping append " /path/from/the/root/to/bin:{application,library,ignore}"
+# to the list
+HARDENED_BINARIES_EXTRA_MAPPING ?= ""
+
+# Config file in TOML format:
+# [check]
+# enabled = true
+# whitelist = [
+# "path to some binary",
+# "path to some other binary"
+# ]
+# supported checks are: nx, relro, pie, rpath, runpath
+HARDENED_BINARIES_CONFIG_FILE ?= ""
+
+# Custom message to show in case of a detected violation
+# For instace if you want to add whom to contact for support
+HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE ?= ""
+
+# Path to libc used for foritfy source analysis. If fortify_source check is
+# not enabled, this variable can be ignored.
+HARDENED_BINARIES_LIBC_PATH ?= "${IMAGE_ROOTFS}${baselib}/libc.so.6"
+
+python image_check_binary_hardening () {
+ import fnmatch
+ import json
+ import os
+ import subprocess
+ import toml
+ from collections import defaultdict, OrderedDict
+ from enum import Enum, auto
+
+ from oe.utils import ImageQAFailed
+
+ rootfs = d.getVar("IMAGE_ROOTFS")
+
+ #################################
+ ## Data about supported checks ##
+ #################################
+
+ class BinType(Enum):
+ IGNORE = "ignore"
+ APPLICATION = "application"
+ LIBRARY = "library"
+
+ # Dict of checks to perform on the analysis result of checksec.py
+ # Each entry needs to contain the following attributes:
+ # - allowed_value: Value in the analysis result that should be accepted
+ # - bintypes: List of types on which the check shall be enforced (e.g. PIE check on libraries
+ # doesn't make much sense because PIE is only for executables)
+ # - errormsg: Message that should be prompted in case violators have been found
+ # - ignore_static: Indicates if statically linked applications should be ignored for that check
+ # Notes specific checks:
+ # - NX: Needs to be enforced on applications and libraries. This is because if only a single shared
+ # library doesn't use that, the whole process needs to have a executable stack.
+ # - RELRO: Statically linked applications do not make use of relocation, so this check would always
+ # fail for statically linked applications.
+ # - PIE: This check is only valid for applications (as in "position independent executable" for
+ # applications vs. "position independent code" (PIC) for shared libraries)
+ CHECK_DATA = {
+ "nx" : {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not use nx (not executable) protection. This mechanism is used " \
+ "to separate data from executable code. Disabling this mechanism is a security issue because " \
+ "this enables attackers to put code onto the stack. Please also note, if the nx protection is " \
+ "disabled in a shared library, all binary objects that link against this library will not be " \
+ "protected. This message usually appears if your binary is linked using the \"-z execstack\" " \
+ "flag.",
+ "ignore_static": False,
+ },
+ "relro": {
+ "allowed_value": "Full",
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not make use of the relro (relocation read-only). This feature " \
+ "prevents attackers from modifying addresses of functions that are located in shared libraries " \
+ "(which is a common technique to exploit vulnerabilities). Due to this, not making use of this " \
+ "feature is a security issue. Please make sure your application is linked using " \
+ "\"-Wl,-z,relro,-z,now\". ",
+ "ignore_static": True,
+ },
+ "rpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the rpath feature. This can easily enable an attacker " \
+ "to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "runpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the runpath feature. This can easily enable an attacker" \
+ " to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "pie": {
+ "allowed_value": "PIE",
+ "bintypes": [BinType.APPLICATION],
+ "errormsg":
+ "The following {} applications are not compiled to be position independent executables (pie). This " \
+ "compiler feature compiles the code in a way that it can be mapped to any location in the virtual " \
+ "memory. Compiling the application this way is required to make use of the Address Space Layout " \
+ "Randomization (ASLR). This feature maps executable code to a random location, which means an " \
+ "attacker can not rely on the fact that a specific portion of code is mapped to a specific address. " \
+ "Please ensure that you application is compiled using \"-fPIE\".",
+ "ignore_static": True,
+ },
+ "canary": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using stack canaries. These canaries are used to mitigate " \
+ "stack buffer overflows attacks. To do so the compiler adds checks to the end of a function to " \
+ "ensure that this function did not overwrite the stack frames of another function. Not using " \
+ "canaries may allow an attacker to exploit stack based buffer overflows by modifying the stack frame " \
+ "of other function calls (which simplifies exploiting such vulnerabilities a lot). Please make sure " \
+ "your components are compiled with the \"-fstack-protector-strong\" compile flag. Please note that " \
+ "there is a slight possibility for false-positives in this check: The compiler checks if a function " \
+ "needs canary protection or not. If there is no function that needs proctedtion in your binary, this " \
+ "check will fail anyway and the binary needs to be whitelisted.",
+ "ignore_static": False,
+ },
+ "fortify_source": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using the fortify source feature. This feature protects " \
+ "(some, not all) calls to memory manipulations function like memcpy, strcpy or strcat by adding " \
+ "checks that prevent buffer overflows. These checks can prevent attackers from exploiting such a " \
+ "buffer overflow. Please make sure your component is compiled with \"-D_FORTIFY_SOURCE=2\". In " \
+ "addition the compiler optimizations need to be enabled with \"-O1\" or higher. Please note that " \
+ "there is a slight possibility for false positives here: Not all occurences of these mentioned " \
+ "memory calls that can not be protected they will appear as if_FORTIFY_SOURCE has not been set. " \
+ "In such a case the binary needs to be whitelisted.",
+ "ignore_static": False,
+ }
+ }
+
+ #################################
+ ## Parse data from config file ##
+ #################################
+
+ config_file = d.getVar("HARDENED_BINARIES_CONFIG_FILE", True)
+ if not config_file:
+ msg = "Hardend Binary Check: No config file specifed. Please create a config file and set " \
+ "the variable \"HARDENED_BINARIES_CONFIG_FILE\" accordingly"
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ CHECK_CONFIG_DATA = defaultdict(lambda: {"enabled": False})
+ CHECK_CONFIG_DATA.update(toml.load(config_file))
+
+ # Expand whitelisted paths with rootfs
+ for check, values in CHECK_CONFIG_DATA.items():
+ values["whitelist"] = [rootfs + x for x in values["whitelist"]]
+
+ ###############################################
+ ## Classes and functions to perform analysis ##
+ ###############################################
+
+ class PathMapping:
+ """ Class to map paths to BinTypes """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.mapping = OrderedDict()
+
+ self.add("/bin/*", BinType.APPLICATION)
+ self.add("/lib/firmware/*", BinType.IGNORE)
+ self.add("/lib/modules/*", BinType.IGNORE)
+ self.add("/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/lib/systemd/*", BinType.APPLICATION)
+ self.add("/lib/*", BinType.LIBRARY)
+ self.add("/sbin/*", BinType.APPLICATION)
+ self.add("/usr/bin/*", BinType.APPLICATION)
+ self.add("/usr/libexec/*", BinType.APPLICATION)
+ self.add("/usr/lib/firmware/*", BinType.IGNORE)
+ self.add("/usr/lib/modules/*", BinType.IGNORE)
+ self.add("/usr/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/usr/lib/systemd/*", BinType.APPLICATION)
+ self.add("/usr/lib/*", BinType.LIBRARY)
+ self.add("/usr/sbin/*", BinType.APPLICATION)
+
+
+ def add(self, path, bin_type):
+ """ Add mapping of a path to a FileyType """
+ self.mapping[self.rootfs + path] = bin_type
+
+ def map(self, path):
+ """ Map a path to a FilesType. Returns None if path can not be mapped. """
+ for match_path, bin_type in self.mapping.items():
+ if fnmatch.fnmatch(path, match_path):
+ return bin_type
+ else:
+ return None
+
+ def call_checksec(rootfs):
+ """ Wrapper to call the checksec.py script
+
+ This function returns a list of result dicts, e.g.:
+ [
+ ...,
+ "/bin/systemd-hwdb": {
+ "relro": "No",
+ "canary": true,
+ "nx": true,
+ "pie": "PIE",
+ "rpath": false,
+ "runpath": false,
+ "symbols": false,
+ "fortify_source": true,
+ "fortified": 5,
+ "fortify-able": 16,
+ "fortify_score": 31
+ }
+ ]
+
+ """
+ parallel_make = d.getVar("PARALLEL_MAKE")
+
+ cmd = ["python3", "-m", "checksec", "--json", "--recursive", "--ignore-symlinks"]
+ if parallel_make:
+ cmd.append(parallel_make.replace("-j", "--workers="))
+ if CHECK_CONFIG_DATA["foritfy_source"]["enabled"]:
+ libc_path = d.getVar("HARDENED_BINARIES_LIBC_PATH", True)
+ cmd.append("--set-libc={}".format(libc_path))
+ cmd.append(rootfs)
+
+ return json.loads(subprocess.check_output(cmd).decode('utf-8'))
+
+
+ class ResultAnalyzer:
+ """ Class to evaluate the results produced by checksec.py """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.violators = defaultdict(list)
+
+ @staticmethod
+ def __is_static(path):
+ """ Checks if binary at given path is statically linked """
+ return "statically linked" in subprocess.check_output(["file", path], stderr=subprocess.STDOUT).decode('utf-8')
+
+ def check_result(self, path, result, bintype):
+ """ Perfom checks specified in CHECK_DATA on the given analysis result (of a specific binary) """
+
+ for check, values in CHECK_DATA.items():
+ if CHECK_CONFIG_DATA[check]["enabled"] and bintype in values["bintypes"]:
+ for whitelisted in CHECK_CONFIG_DATA[check]["whitelist"]:
+ if fnmatch.fnmatch(path, whitelisted):
+ break
+ else:
+ if result[check] != values["allowed_value"] and \
+ (not values["ignore_static"] or not self.__is_static(path)):
+ self.violators[check].append(path)
+
+
+ def perform_analysis(rootfs):
+ """ Analyze all binaries in a given rootfs. In case a container shall be analyzed the absolute path to the container_path
+ rootfs needs to be passed.
+ """
+
+ # Add custom path mapping (for bins in non-standard locations)
+ path_mapping = PathMapping(rootfs)
+ extra_mapping = d.getVar("HARDENED_BINARIES_EXTRA_MAPPING")
+ if extra_mapping:
+ for mapping in extra_mapping.split():
+ try:
+ path, type = mapping.split(':')
+ except:
+ bb.error("Hardened Binary Checks: Got misformated extra mapping {}. Mapping needs to be " \
+ "in form: \"<path regex>:{application,library,ignore}\"".format(mapping))
+ raise
+ path_mapping.add(path, BinType(type))
+
+ # Perform analysis of complete rootfs
+ analysis_result = call_checksec(rootfs)
+
+ # Check analysis results and ensure that all we can actually map all binaries to a BinType
+ result_analyzer = ResultAnalyzer(rootfs)
+ unmapped_binaries = []
+ for path, result in analysis_result.items():
+ bintype = path_mapping.map(path)
+ if bintype in [BinType.APPLICATION, BinType.LIBRARY]:
+ result_analyzer.check_result(path, result, bintype)
+ elif bintype != BinType.IGNORE:
+ unmapped_binaries.append(path)
+
+ # To ensure that we analyze all the binaries lets break the build if we can not map binaries
+ if unmapped_binaries:
+ msg = "Hardend Binary Check: Couldn't figure out if the following files are applications " \
+ "or libraries. This is probably due to a non standard location for applications or " \
+ "libraries. If you think this is required add the mapping to " \
+ "HARDENED_BINARIES_EXTRA_MAPPING and/or contact mgu-security-frontdesk@..." \
+ "\nUnmapped:\n{}".format("\n".join(unmapped_binaries),
+ image_check_binary_hardening)
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ custom_error_message = d.getVar('HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE')
+
+ # Break the build and show error message if we detected violators that are not whitelisted
+ errors = []
+ for check, violators in result_analyzer.violators.items():
+ if violators:
+ errormsg = CHECK_DATA[check]["errormsg"].format(len(violators))
+ errormsg += "\n{}".format("\n".join(violators))
+ if custom_error_message:
+ errormsg += "\n" + custom_error_message
+ errors.append(errormsg)
+
+ if errors:
+ raise ImageQAFailed("\n".join(errors), image_check_binary_hardening)
+
+ ##############################
+ ## Start analysis on rootfs ##
+ ##############################
+
+ perform_analysis(rootfs)
+
+}
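Review bot: the lookup `CHECK_CONFIG_DATA["foritfy_source"]["enabled"]` in call_checksec() misspells the check name (the CHECK_DATA key and the TOML section are `fortify_source`), and because CHECK_CONFIG_DATA is a defaultdict the typo silently yields `{"enabled": False}`, so `--set-libc` is never passed to checksec even when the fortify check is enabled; fix the spelling. Further points in the same hunk: the whitelist expansion `values["whitelist"] = [rootfs + x for x in values["whitelist"]]` raises KeyError for a config section that only sets `enabled`, so use `values.get("whitelist", [])`; `cmd.append(parallel_make.replace("-j", "--workers="))` assumes PARALLEL_MAKE is exactly `-jN`, whereas it commonly reads `-j 8` (with a space) or carries extra flags, so prefer `oe.utils.parallel_make_argument(d, "--workers=%d")`; the unmapped-binaries message hard-codes the contact `mgu-security-frontdesk@...` and hands `image_check_binary_hardening` to `.format()` as an unused second argument, so drop that argument and route the contact hint through HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE instead; in perform_analysis() the error text says `<path regex>` while PathMapping.map() uses fnmatch glob patterns, `type` shadows the builtin, and `BinType(type)` for an unknown type raises a bare ValueError outside the `except:` that was meant to explain the format. Finally, the header comment lists four checks while CHECK_DATA defines seven (nx, relro, rpath, runpath, pie, canary, fortify_source); the comment and the `supported checks are:` line in the TOML example should list them all.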
diff --git a/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
new file mode 100644
index 0000000..ae434bc
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
+From 182268203951750dcfb2c134354e801dea472e4c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 14:42:25 +0200
+Subject: [PATCH 1/2] main: Add option to ignore symlinks
+
+When analyzing a complete rootfs (which might not be the rootfs of the
+analyzing system) symlinks within that rootfs might be broken. In
+particular absolute symlinks. However, if by chance such a symlink
+currently points to a valid binary in your system, this binary pointed
+to is analyzed. This commit adds the possibility to ignore symlinks to
+files (symlinks to dirs are already ignored by default). This allows to
+solve the issue described above, and if the whole rootfs is analyzed
+there shouldn't be a loss of information (because all the binaries will
+be analyzed anyway). Additionally, this also saves some time when
+performing the analysis.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/106
+---
+ checksec/__main__.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/checksec/__main__.py b/checksec/__main__.py
+index 856d0b3..f1a3445 100644
+--- a/checksec/__main__.py
++++ b/checksec/__main__.py
+@@ -8,6 +8,7 @@ Options:
+ -w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4]
+ -j --json Display results as JSON
+ -s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF)
++ -i --ignore-symlinks Ignore symlinks to files
+ -d --debug Enable debug output
+ -h --help Display this message
+ """
+@@ -27,15 +28,15 @@ from .pe import PEChecksecData, PESecurity, is_pe
+ from .utils import lief_set_logging
+
+
+-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
++def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
+ for path in filepath_list:
+ if path.is_dir() and not path.is_symlink():
+ if recursive:
+ for f in os.scandir(path):
+- yield from walk_filepath_list([Path(f)], recursive)
++ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
+ else:
+ yield from (Path(f) for f in os.scandir(path))
+- elif path.is_file():
++ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
+ yield path
+
+
+@@ -72,6 +73,7 @@ def main(args):
+ json = args["--json"]
+ recursive = args["--recursive"]
+ libc_path = args["--set-libc"]
++ ignore_symlinks = args["--ignore-symlinks"]
+
+ # logging
+ formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
+@@ -107,7 +109,7 @@ def main(args):
+ # we need to consume the iterator once to get the total
+ # for the progress bar
+ check_output.enumerating_tasks_start()
+- count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
++ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
+ check_output.enumerating_tasks_stop(count)
+ with ProcessPoolExecutor(
+ max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
+@@ -116,7 +118,7 @@ def main(args):
+ check_output.processing_tasks_start()
+ future_to_checksec = {
+ pool.submit(checksec_file, filepath): filepath
+- for filepath in walk_filepath_list(filepath_list, recursive)
++ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
+ }
+ for future in as_completed(future_to_checksec):
+ filepath = future_to_checksec[future]
+--
+2.31.1
+
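Review bot: the new `ignore_symlinks` flag is only honoured on the recursive path; the non-recursive branch `yield from (Path(f) for f in os.scandir(path))` still yields symlinked files unchanged, so `--ignore-symlinks` without `--recursive` is a no-op for directory arguments. Apply the same `is_symlink()` filter in that branch (or route its entries through the `elif path.is_file()` test) so both modes behave alike, and say so in the option's help text.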
diff --git a/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
new file mode 100644
index 0000000..a891c2b
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
@@ -0,0 +1,51 @@
+From f550777f35e178bc16a2ec612b2b39aa2c3946f2 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 16:16:47 +0200
+Subject: [PATCH 2/2] Elf: Fix relro detection
+
+Currently, relro is only detected when the BIND_NOW is set. If however
+the NOW flag in the FLAGS_1 section is set, relro is not detected (it
+does not even tell that relro is enabled partially). With this commit
+relro is detected correctly.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/107
+---
+ checksec/elf.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index 78ecacc..ef1850c 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -118,13 +118,24 @@ class ELFSecurity(BinarySecurity):
+ def relro(self) -> RelroType:
+ try:
+ self.bin.get(lief.ELF.SEGMENT_TYPES.GNU_RELRO)
+- if lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS):
+- return RelroType.Full
+- else:
+- return RelroType.Partial
+ except lief.not_found:
+ return RelroType.No
+
++ try:
++ bind_now = lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS)
++ except lief.not_found:
++ bind_now = False
++
++ try:
++ now = lief.ELF.DYNAMIC_FLAGS_1.NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS_1)
++ except lief.not_found:
++ now = False
++
++ if bind_now or now:
++ return RelroType.Full
++ else:
++ return RelroType.Partial
++
+ @property
+ def has_canary(self) -> bool:
+ canary_sections = ["__stack_chk_fail", "__intel_security_cookie"]
+--
+2.31.1
+
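Review bot: besides honouring DF_1_NOW, this restructuring also changes the result for a binary that has a GNU_RELRO segment but no DT_FLAGS entry at all: previously `self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS)` raised `lief.not_found` inside the same try and the function returned `RelroType.No`, whereas now it falls through to `RelroType.Partial`. That is the right answer, but the commit message only describes the FLAGS_1 case; state the second behaviour change explicitly so it is reviewable. Style-wise, the two identical try/except blocks could become a small helper that returns False on `lief.not_found`.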
diff --git a/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
new file mode 100644
index 0000000..0351f84
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
@@ -0,0 +1,33 @@
+From 8de048c0065f8c5890d9e04ef2b32306e2ac4f8c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Thu, 5 Aug 2021 15:21:58 +0200
+Subject: [PATCH] fortify source check: Treat binaries with 0 fortifiable as
+ fortified
+
+Currently, if checksec.py detects 0 fortifiable instances it still
+treats the binary as not fortified. Semtically it would make sense to
+treat these binaries as fortified (because there is no evidence that it
+is not)
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/109
+---
+ checksec/elf.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index ef1850c..5914135 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -229,8 +229,7 @@ class ELFSecurity(BinarySecurity):
+ else:
+ score = (fortified_count * 100) / fortifiable_count
+ score = round(score)
+-
+- fortify_source = True if fortified_count != 0 else False
++ fortify_source = True if fortified_count != 0 or fortifiable_count == 0 else False
+ return ELFChecksecData(
+ relro=self.relro,
+ canary=self.has_canary,
+--
+2.31.1
+
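Review bot: `True if fortified_count != 0 or fortifiable_count == 0 else False` is already a boolean; write `fortify_source = fortified_count != 0 or fortifiable_count == 0`. Semantically this makes a binary with no fortifiable calls pass the check by definition, which is the trade-off the cover letter describes (fewer false positives, no evidence either way); a one-line comment at this spot saying why zero fortifiable counts as fortified would spare the next reader a trip to the commit log.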
diff --git a/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
new file mode 100644
index 0000000..af94cfa
--- /dev/null
+++ b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
@@ -0,0 +1,154 @@
+From d2ad8f6108c750c3dbd33ee6d4e4c94ada748b8a Mon Sep 17 00:00:00 2001
+From: Romain Thomas <me@...>
+Date: Mon, 3 May 2021 11:25:49 +0200
+Subject: [PATCH] Enable to use pre-compiled version of spdlog
+
+---
+ CMakeLists.txt | 8 ++++----
+ cmake/LIEFDependencies.cmake | 36 +++++++++++++++++++++++-------------
+ cmake/LIEFOptions.cmake | 4 ++++
+ setup.py | 17 +++++++++++++++++
+ 4 files changed, 48 insertions(+), 17 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index d1665cd..b92519a 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -307,8 +307,7 @@ source_group("mbedtls\\tls" FILES ${mbedtls_src_tls})
+ # Library definition
+ # ==================
+ target_include_directories(
+- LIB_LIEF SYSTEM PRIVATE "${SPDLOG_SOURCE_DIR}/include"
+- "${MBEDTLS_INCLUDE_DIRS}")
++ LIB_LIEF SYSTEM PRIVATE "${MBEDTLS_INCLUDE_DIRS}")
+
+ target_include_directories(
+ LIB_LIEF
+@@ -355,7 +354,8 @@ target_sources(LIB_LIEF PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}/include/LIEF/third-party/utfcpp/utf8.h)
+
+
+-add_dependencies(LIB_LIEF lief_spdlog lief_mbed_tls)
++add_dependencies(LIB_LIEF lief_mbed_tls)
++target_link_libraries(LIB_LIEF PRIVATE lief_spdlog)
+
+ # Flags definition
+ # ----------------
+@@ -626,7 +626,7 @@ install(
+ DESTINATION lib/pkgconfig
+ COMPONENT libraries)
+
+-export(TARGETS LIB_LIEF FILE LIEFExport.cmake)
++export(TARGETS LIB_LIEF lief_spdlog FILE LIEFExport.cmake)
+
+ # Package
+ # ======================
+diff --git a/cmake/LIEFDependencies.cmake b/cmake/LIEFDependencies.cmake
+index e75326f..37e6987 100644
+--- a/cmake/LIEFDependencies.cmake
++++ b/cmake/LIEFDependencies.cmake
+@@ -144,21 +144,31 @@ set(mbedtls_src_tls
+ "${MBEDTLS_SOURCE_DIR}/library/ssl_tls13_keys.c"
+ )
+
+-#set_source_files_properties("${MBEDTLS_SOURCE_DIR}/library/bignum.c" PROPERTIES COMPILE_FLAGS -Wno-overlength-strings)
++add_library(lief_spdlog INTERFACE)
+
+-set(SPDLOG_VERSION 1.8.2)
+-set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
+-set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog lib repo")
+-ExternalProject_Add(lief_spdlog
+- URL ${SPDLOG_URL}
+- URL_HASH ${SPDLOG_SHA256}
+- CONFIGURE_COMMAND ""
+- BUILD_COMMAND ""
+- UPDATE_COMMAND ""
+- INSTALL_COMMAND "")
++if(LIEF_EXTERNAL_SPDLOG)
++ find_package(spdlog REQUIRED)
++ list(APPEND CMAKE_MODULE_PATH "${SPDLOG_DIR}/cmake")
++ target_link_libraries(lief_spdlog INTERFACE spdlog::spdlog)
++ get_target_property(SPDLOG_INC_DIR spdlog::spdlog INTERFACE_INCLUDE_DIRECTORIES)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_INC_DIR})
++else()
++ set(SPDLOG_VERSION 1.8.2)
++ set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
++ set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog source")
++ ExternalProject_Add(lief_spdlog_project
++ URL ${SPDLOG_URL}
++ URL_HASH ${SPDLOG_SHA256}
++ CONFIGURE_COMMAND ""
++ BUILD_COMMAND ""
++ UPDATE_COMMAND ""
++ INSTALL_COMMAND "")
+
+-ExternalProject_get_property(lief_spdlog SOURCE_DIR)
+-set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ ExternalProject_get_property(lief_spdlog_project SOURCE_DIR)
++ set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ add_dependencies(lief_spdlog lief_spdlog_project)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_SOURCE_DIR}/include)
++endif()
+
+ # Fuzzing
+ # ~~~~~~~
+diff --git a/cmake/LIEFOptions.cmake b/cmake/LIEFOptions.cmake
+index fd6df6c..3bb92c3 100644
+--- a/cmake/LIEFOptions.cmake
++++ b/cmake/LIEFOptions.cmake
+@@ -45,6 +45,10 @@ option(LIEF_PROFILING "Enable performance profiling" OFF)
+ cmake_dependent_option(LIEF_INSTALL_COMPILED_EXAMPLES "Install LIEF Compiled examples" OFF
+ "LIEF_EXAMPLES" OFF)
+
++# Use a user-provided version of spdlog
++# It can be useful to reduce compile time
++option(LIEF_EXTERNAL_SPDLOG OFF)
++
+ set(LIEF_ELF_SUPPORT 0)
+ set(LIEF_PE_SUPPORT 0)
+ set(LIEF_MACHO_SUPPORT 0)
+diff --git a/setup.py b/setup.py
+index b915180..ad70bd8 100644
+--- a/setup.py
++++ b/setup.py
+@@ -45,6 +45,10 @@ class LiefDistribution(setuptools.Distribution):
+ ('lief-no-vdex', None, 'Disable VDEX module'),
+ ('lief-no-oat', None, 'Disable OAT module'),
+ ('lief-no-dex', None, 'Disable DEX module'),
++
++ ('lief-no-cache', None, 'Do not use compiler cache (ccache)'),
++
++ ('spdlog-dir=', None, 'Path to the directory that contains spdlogConfig.cmake'),
+ ]
+
+ def __init__(self, attrs=None):
+@@ -66,6 +70,10 @@ class LiefDistribution(setuptools.Distribution):
+
+ self.lief_no_android = False
+ self.doc = False
++
++ self.lief_no_cache = False
++
++ self.spdlog_dir = None
+ super().__init__(attrs)
+
+
+@@ -154,6 +162,15 @@ class BuildLibrary(build_ext):
+ else:
+ cmake_args += ["-DLIEF_LOGGING_DEBUG=off"]
+
++ if self.distribution.lief_no_cache:
++ cmake_args += ["-DLIEF_USE_CCACHE=off"]
++
++ # Setup spdlog configuration flags if
++ # the user provides --spdlog-dir
++ if self.distribution.spdlog_dir is not None:
++ cmake_args.append("-DLIEF_EXTERNAL_SPDLOG=ON")
++ cmake_args.append("-Dspdlog_DIR={}".format(self.distribution.spdlog_dir))
++
+ # Main formats
+ # ============
+ if self.distribution.lief_no_elf:
+--
+2.31.1
+
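Review bot: this patch carries no `Upstream-Status:` line, unlike the three checksec.py patches above; since the author is the LIEF maintainer and the change comes from the LIEF repository, add `Upstream-Status: Backport [<upstream commit id>]` with the real commit reference so the patch can be dropped when python3-lief is upgraded. Minor: `option(LIEF_EXTERNAL_SPDLOG OFF)` passes `OFF` as the option's help string rather than its default (the signature is `option(<var> "<help>" [value])`); it only works because the default is OFF anyway, so `option(LIEF_EXTERNAL_SPDLOG "Use a user-provided spdlog" OFF)` would be clearer.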
diff --git a/recipes-devtools/python/python3-asttokens_2.0.5.bb b/recipes-devtools/python/python3-asttokens_2.0.5.bb
new file mode 100644
index 0000000..7ac2052
--- /dev/null
+++ b/recipes-devtools/python/python3-asttokens_2.0.5.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Annotate AST trees with source code positions"
+HOMEPAGE = "https://github.com/gristlabs/asttokens"
+AUTHOR = "Dmitry Sagalovskiy, Grist Labs <dmitry@...>"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e3fc50a88d0a364313df4b21ef20c29e"
+
+SRC_URI[md5sum] = "0a2a057b9c9a220bffdb3e7512062f17"
+SRC_URI[sha256sum] = "9a54c114f02c7a9480d56550932546a3f1fe71d8a02f1bc7ccd0ee3ee35cf4d5"
+
+RDEPENDS_${PN} = "python3-six"
+DEPENDS += "python3-setuptools-scm python3-toml"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
new file mode 100644
index 0000000..edce0a6
--- /dev/null
+++ b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Tool to verify the security properties of binaries"
+DESCRIPTION = "checksec.py is a tool verify if certain compiler flags \
+ have been enabled on compield applications and libraries."
+HOMEPAGE = "https://github.com/Wenzel/checksec.py"
+BUGTRACKER = "https://github.com/Wenzel/checksec.py/issues"
+SECTION = "devel/python"
+
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
+
+RDEPENDS_${PN} += " \
+ python3-docopt-native \
+ python3-lief-native \
+ python3-pylddwrap-native \
+ python3-rich-native \
+ "
+
+# Needs to be pulled from github becuase pypi package is currently broken
+SRC_URI = " \
+ git://github.com/Wenzel/checksec.py.git;protocol=https;branch=master \
+ file://python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch \
+ file://python3-checksec.py/0002-Elf-Fix-relro-detection.patch \
+ file://python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch \
+ "
+
+SRCREV = "4335ecd08f6ee13ff4ca9b01e83857ae6a8074e9"
+
+S="${WORKDIR}/git"
+
+inherit setuptools3 native
+
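Review bot: DESCRIPTION has two typos (`a tool verify` should read `a tool to verify`, `compield` should read `compiled`). Because the source is fetched from git at a pinned SRCREV rather than from the 0.6.1 release, PV should reflect that (e.g. `PV = "0.6.1+git${SRCPV}"`), and `S="${WORKDIR}/git"` should be spaced like the other recipes (`S = "${WORKDIR}/git"`); the trailing blank line after `inherit setuptools3 native` can go as well.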
diff --git a/recipes-devtools/python/python3-colorama_%.bbappend b/recipes-devtools/python/python3-colorama_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-colorama_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-commonmark_0.9.1.bb b/recipes-devtools/python/python3-commonmark_0.9.1.bb
new file mode 100644
index 0000000..a35abc3
--- /dev/null
+++ b/recipes-devtools/python/python3-commonmark_0.9.1.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Python parser for the CommonMark Markdown spec"
+HOMEPAGE = "https://github.com/rtfd/commonmark.py"
+AUTHOR = "Bibek Kafle <bkafle662@...>, Roland Shoemaker <rolandshoemaker@...>"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=37e127eb75a030780aefcfc584e78523"
+
+SRC_URI[md5sum] = "cd1dc70c4714d9ed4117a40490c25e00"
+SRC_URI[sha256sum] = "452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60"
+
+S = "${WORKDIR}/commonmark-0.9.1"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
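Review bot: `S = "${WORKDIR}/commonmark-0.9.1"` hard-codes the version and is redundant, because pypi.bbclass already sets S to `${WORKDIR}/${PYPI_PACKAGE}-${PV}`; drop the line (or use `${PV}`) so a version bump stays a one-line rename instead of silently pointing S at a stale directory.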
diff --git a/recipes-devtools/python/python3-docopt_0.6.2.bb b/recipes-devtools/python/python3-docopt_0.6.2.bb
new file mode 100644
index 0000000..c1b111a
--- /dev/null
+++ b/recipes-devtools/python/python3-docopt_0.6.2.bb
@@ -0,0 +1,18 @@
+
+SUMMARY = "Pythonic argument parser, that will make you smile"
+HOMEPAGE = "http://docopt.org"
+AUTHOR = "Vladimir Keleshev <vladimir@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=09b77fb74986791a3d4a0e746a37d88f"
+
+SRC_URI = "https://github.com/docopt/docopt/archive/refs/tags/${PV}.tar.gz"
+SRC_URI[md5sum] = "a6c44155426fd0f7def8b2551d02fef6"
+SRC_URI[sha256sum] = "2113eed1e7fbbcd43fb7ee6a977fb02d0b482753586c9dc1a8e3b7d541426e99"
+
+S = "${WORKDIR}/docopt-0.6.2"
+
+RDEPENDS_${PN} = ""
+
+inherit setuptools3
+
+BBCLASSEXTEND += "native"
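Review bot: `S = "${WORKDIR}/docopt-0.6.2"` should use `${PV}`, since the SRC_URI already does and the two would otherwise drift apart on an upgrade. `RDEPENDS_${PN} = ""` is a no-op and can go, as can the leading blank line. Fetching the GitHub tag archive rather than PyPI is fine, but a one-line comment saying why (the pypi class is used everywhere else in the series) would help the next maintainer.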
diff --git a/recipes-devtools/python/python3-icontract_2.5.3.bb b/recipes-devtools/python/python3-icontract_2.5.3.bb
new file mode 100644
index 0000000..88ac2ef
--- /dev/null
+++ b/recipes-devtools/python/python3-icontract_2.5.3.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Provide design-by-contract with informative violation messages."
+HOMEPAGE = "https://github.com/Parquery/icontract"
+AUTHOR = "Marko Ristin <marko.ristin@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57"
+
+SRC_URI[md5sum] = "6f41b9b84e4405374c160836587b3235"
+SRC_URI[sha256sum] = "b790101c8cc0d9df0105d852a645373c4d90d5049391b6e54db32a0acb4bccd7"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-asttokens"
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-lief_0.11.5.bb b/recipes-devtools/python/python3-lief_0.11.5.bb
new file mode 100644
index 0000000..5e4b422
--- /dev/null
+++ b/recipes-devtools/python/python3-lief_0.11.5.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Library to instrument executable formats"
+DESCRIPTION = " \
+ This project provides a cross platform library which can parse, modify \
+ and abstract ELF, PE and MachO formats. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/lief-project/LIEF"
+LICENSE = "APACHE-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1809bd489c3dae63aa0cb70070dc308e"
+
+SRC_URI = " \
+ https://github.com/lief-project/LIEF/releases/download/${PV}/lief-${PV}.zip \
+ file://python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch \
+ "
+SRC_URI[sha256sum] = "947825134d5dab91df218bb201fa4551814f1da0a47e4a890283716b800c8e8f"
+
+S = "${WORKDIR}/lief-${PV}"
+
+inherit setuptools3
+
+DEPENDS += "cmake-native"
+
+BBCLASSEXTEND += "native"
+
+DISTUTILS_BUILD_ARGS += " ${PARALLEL_MAKE} "
+
+do_compile() {
+ # From distutils3.bbclass (needs to be modified here to avoid usage of ccache)
+ cd ${DISTUTILS_SETUP_PATH}
+ NO_FETCH_BUILD=1 \
+ STAGING_INCDIR=${STAGING_INCDIR} \
+ STAGING_LIBDIR=${STAGING_LIBDIR} \
+ ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py \
+ --lief-no-cache build --build-base=${B} ${DISTUTILS_BUILD_ARGS} || \
+ bbfatal_log "'${PYTHON_PN} setup.py --lief-no-cache build ${DISTUTILS_BUILD_ARGS}' execution failed."
+}
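Review bot: `LICENSE = "APACHE-2.0"` does not match the license file name OE ships in common-licenses (`Apache-2.0`), so the license-exists QA check will warn and manifests will not map it; use `LICENSE = "Apache-2.0"`. The hand-rolled do_compile duplicates the distutils3.bbclass body only to insert `--lief-no-cache`; the comment says this is to avoid ccache but not why the cache breaks the build (sstate reuse? reproducibility?), which is what a reader needs before touching it. `DISTUTILS_BUILD_ARGS += " ${PARALLEL_MAKE} "` also relies on LIEF's setup.py accepting a raw `-jN`, which is worth stating as LIEF-specific.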
diff --git a/recipes-devtools/python/python3-pylddwrap_1.0.1.bb b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
new file mode 100644
index 0000000..985c424
--- /dev/null
+++ b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Python wrapper for ldd"
+DESCRIPTION = " \
+ Pylddwrap wraps ldd *nix utility to determine shared libraries required by a program. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/Parquery/pylddwrap"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa"
+
+SRC_URI[sha256sum] = "171a39fc7feb33e607706c57c08373ceb2f6fd4362af9241ccc65e80c948ccdf"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-icontract"
+
+do_install_append() {
+ rm -f "${D}/${datadir}/requirements.txt"
+ rm -f "${D}/${datadir}/README.rst"
+}
+
+BBCLASSEXTEND += "native"
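Review bot: the DESCRIPTION says the package wraps the `ldd` utility at runtime, but nothing in RDEPENDS expresses that; for the target build `ldd` is packaged in glibc-utils in OE-core, and the native variant silently relies on the host's `ldd`. Either add the dependency or comment that the host tool is intended. The `do_install_append` that deletes requirements.txt and README.rst from `${datadir}` also deserves a one-line comment explaining that setup.py installs them there.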
diff --git a/recipes-devtools/python/python3-rich_7.1.0.bb b/recipes-devtools/python/python3-rich_7.1.0.bb
new file mode 100644
index 0000000..59c26a4
--- /dev/null
+++ b/recipes-devtools/python/python3-rich_7.1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
+HOMEPAGE = "https://github.com/willmcgugan/rich"
+AUTHOR = "Will McGugan <willmcgugan@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d0d35d5357392e5bfeb0d0a7e6ba4d83"
+
+SRC_URI[md5sum] = "25daeefa226770a84b98c591069b419c"
+SRC_URI[sha256sum] = "ff701be541be32bcf46e821487c00bf4fa560aa814fc3cc9b3d514fd9b19a6f6"
+
+S = "${WORKDIR}/rich-7.1.0"
+
+RDEPENDS_${PN} = "python3-typing-extensions python3-pygments python3-commonmark python3-colorama"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
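Review bot: `S = "${WORKDIR}/rich-7.1.0"` hard-codes the version; pypi.bbclass already derives S from `${PYPI_PACKAGE}-${PV}`, so the line is redundant and will point at a stale directory on the next bump. Also consider `+=` for `RDEPENDS_${PN}`, as the other recipes in the series do, so that a bbappend can extend it without replacing it.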
diff --git a/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
new file mode 100644
index 0000000..234694e
--- /dev/null
+++ b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "the blessed package to manage your versions by scm tags"
+HOMEPAGE = "https://github.com/pypa/setuptools_scm/"
+AUTHOR = "Ronny Pfannschmidt <opensource@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=838c366f69b72c5df05c96dff79b35f2"
+
+SRC_URI = "git://github.com/pypa/setuptools_scm.git;protocol=https;branch=main;tag=v${PV}"
+
+SRC_URI[sha256sum] = "8f85bfc7272fb5c04df28f00bde9db8f862c586d25fa155eea90fe62ea6a3302"
+
+RDEPENDS_${PN} = "python3-setuptools"
+
+inherit setuptools3
+
+S = "${WORKDIR}/git"
+
+BBCLASSEXTEND += "native"
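Review bot: the git SRC_URI uses `tag=v${PV}` with no SRCREV, so BitBake must resolve the tag over the network at parse time and a moved tag changes the build silently; pin `SRCREV` to the commit the tag points at. `SRC_URI[sha256sum]` has no effect on a git fetch (checksums only apply to file downloads) and should be dropped so it does not suggest an integrity check that never runs.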
diff --git a/recipes-devtools/python/python3-toml_%.bbappend b/recipes-devtools/python/python3-toml_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-toml_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
--
2.31.1


[PATCH 2/2] image-with-hardened-binaries: Add selftest

Maximilian Blenk <Maximilian.Blenk@...>
 

Hi guys,

we are currently working on automatically checking the binaries we put into an image for the presence of certain recommended compiler features. To achieve this, we created a bbclass that wraps around the existing project checksec.py (https://github.com/Wenzel/checksec.py). In particular, checksec.py is used to check if
* relro is enabled
* executables are compiled to be position independent code
* rpath and runpath are not set
* stack canaries are enabled
* fortify source is enabled
I must however admit that the last two checks can suffer from false positives which need manual analysis and whitelisting (the check can also be completely disabled).

Motivation:
We've decided that such checks would be a nice thing to have because people might overwrite important compiler flags in their local recipe. Additionally there is always the possibility that components are shipped as binaries instead of code (so they are actually built outside the current build environment). Overall we've detected several cases where required compiler flags have not been applied to shipped components. After internal discussion we came to the conclusion that you guys would maybe also be interested in this kind of check, so I'm offering this patch to you as well.

I would really appreciate your feedback :-)

BR Max

--

BMW Car IT GmbH
Maximilian Blenk
Security Engineer

Lise-Meitner-Str. 14
89081 Ulm
Tel.: +49 731 378041-11

Mail: maximilian.blenk@...
Web: http://www.bmw-carit.de
------------------------------------------------------
BMW Car IT GmbH
Geschäftsführer: Kai-Uwe Balszuweit und Michael Böttrich
Sitz und Registergericht: München HRB 134810
------------------------------------------------------

________________________________________
From: Blenk Maximilian, JC-4
Sent: Thursday, 12 August 2021 00:36
To: yocto@...
Cc: Blenk Maximilian, JC-4
Subject: [PATCH 2/2] image-with-hardened-binaries: Add selftest

Add selftest that executes binary analysis on small rootfs

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
.../cases/hardened_binaries_checker.py | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 lib/oeqa/selftest/cases/hardened_binaries_checker.py

diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class HardenTests(OESelftestTestCase):
+ def test_hardened_binaries(self):
+
+ self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-with-hardened-binaries
+
+HARDENED_BINARIES_CONFIG_FILE = "${WORKDIR}/check-config.toml"
+
+do_write_config_file() {
+ echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+ echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+}
+
+addtask do_write_config_file before do_image_qa
+
+ """)
+
+ result = bitbake("-c image_qa emptytest", ignore_status=True)
+ if result.status != 0:
+ self.logger.warn(result.output)
+ raise self.failureException("build failed, something went wrong...")
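Review bot: the `echo "...\n..."` lines in do_write_config_file depend on echo expanding `\n`, which differs between /bin/sh implementations (dash does, bash's builtin does not without -e), so on some hosts the TOML ends up as one line with literal backslashes and toml.load fails; `printf '%s\n' '[rpath]' 'enabled = true' 'whitelist = []'` is portable. The test also only exercises the pass path: a second image with a deliberately weak binary (or a whitelist entry for an expected violator) would demonstrate that the check can actually fail a build. Minor: `self.logger.warn` is deprecated in favour of `warning`, and `os` and `re` are imported but unused.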
--
2.31.1
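
The checks listed in the cover note above (relro, PIE, NX, rpath/runpath) can all be read directly from ELF headers without a helper library. The block below is an added example written for this page, not code from the series or from checksec.py: a dependency-free little-endian ELF64 checker that returns a dict shaped like one checksec.py JSON entry, a `violations()` helper that applies the policy the bbclass describes (RELRO and PIE skipped for static binaries, PIE enforced on executables only), and a `build_elf()` fixture builder that assembles constructed, non-loadable ELF images so the checker can be exercised offline. It accepts all three ways a linker records immediate binding (DT_FLAGS BIND_NOW, DT_FLAGS_1 NOW and a standalone DT_BIND_NOW tag), which is the corner the relro patch in this series touches. Canary and FORTIFY_SOURCE detection need symbol tables and are left out.

```python
import struct

# Constants from the ELF specification and the GNU extensions (assumption: LE ELF64 only)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 24, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _program_headers(data):
    """Yield (p_type, p_flags, p_offset, p_filesz) for every program header."""
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        f = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield f[0], f[1], f[2], f[5]


def _dynamic_tags(data, phdrs):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment; empty for static binaries."""
    tags = {}
    for p_type, _, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_elf(data):
    """Return a dict shaped like one checksec.py JSON entry for an ELF image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type,) = struct.unpack_from("<H", data, 0x10)
    phdrs = list(_program_headers(data))
    dyn = _dynamic_tags(data, phdrs)
    # NX: the stack is non-executable only if PT_GNU_STACK is present without PF_X;
    # a missing PT_GNU_STACK means the kernel falls back to an executable stack.
    stack_flags = [f for t, f, _, _ in phdrs if t == PT_GNU_STACK]
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    # RELRO: the segment alone gives "Partial"; "Full" also needs immediate binding, which
    # linkers record as DT_FLAGS BIND_NOW, DT_FLAGS_1 NOW or a standalone DT_BIND_NOW tag.
    has_relro = any(t == PT_GNU_RELRO for t, _, _, _ in phdrs)
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "No"
    return {
        "nx": nx,
        "relro": relro,
        # Shared libraries are ET_DYN too, so "pie" only means something for files the
        # caller already knows to be executables (the bbclass uses path mapping for that).
        "pie": e_type == ET_DYN,
        "rpath": DT_RPATH in dyn,
        "runpath": DT_RUNPATH in dyn,
        "static": not any(t == PT_DYNAMIC for t, _, _, _ in phdrs),
    }


def violations(result, is_library=False):
    """Apply the bbclass policy: relro and pie are skipped for static binaries and pie is
    enforced on executables only. Returns the names of the checks that failed."""
    failed = []
    if not result["nx"]:
        failed.append("nx")
    if not result["static"] and result["relro"] != "Full":
        failed.append("relro")
    if not result["static"] and not is_library and not result["pie"]:
        failed.append("pie")
    failed += [k for k in ("rpath", "runpath") if result[k]]
    return failed


def build_elf(e_type, stack_flags=None, relro=False, dyn_tags=None):
    """Constructed test fixture: a tiny, non-loadable ELF64 image carrying only the headers
    the checker reads. dyn_tags=None yields a static binary (no PT_DYNAMIC segment)."""
    phdrs = []  # (p_type, p_flags, p_offset or None, p_filesz)
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0))
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4, 0, 0))
    dyn = b""
    if dyn_tags is not None:
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
        phdrs.append((PT_DYNAMIC, 0x6, None, len(dyn)))
    phoff, dyn_off = 64, 64 + 56 * len(phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(
        struct.pack("<IIQQQQQQ", t, fl, dyn_off if off is None else off, 0, 0, sz, sz, 8)
        for t, fl, off, sz in phdrs
    )
    return ehdr + body + dyn
```

`check_elf(open("/usr/bin/ls", "rb").read())` works the same way on a real x86-64 binary; the constructed images only exist so the RELRO, NX and rpath branches can be exercised without a cross toolchain, for example `violations(check_elf(build_elf(ET_EXEC, 0x7, False, [(DT_RPATH, 16)])))` reports `nx`, `relro`, `pie` and `rpath`.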


[PATCH 1/2] image-with-hardened-binaries: add class

Maximilian Blenk <Maximilian.Blenk@...>
 

Add class to analyze binaries with checksec.py. checksec.py is a tool
that checks if security features of a compiler have been used. To do
so, it analyses the resulting binaries:
* NX Protection is enabled
* Full RELRO is enabled
* RPATH and RUNPATH are not set
* Executables are compiled to be position independent
* FORTIFY_SOURCE is set (false-positives possible)
* Stack Canaries are enabled (false-positives possible)

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
classes/image-with-hardened-binaries.bbclass | 338 ++++++++++++++++++
...1-main-Add-option-to-ignore-symlinks.patch | 81 +++++
.../0002-Elf-Fix-relro-detection.patch | 51 +++
...heck-Treat-binaries-with-0-fortifiab.patch | 33 ++
...o-use-pre-compiled-version-of-spdlog.patch | 154 ++++++++
.../python/python3-asttokens_2.0.5.bb | 15 +
.../python3-checksec.py-native_0.6.1.bb | 31 ++
.../python/python3-colorama_%.bbappend | 1 +
.../python/python3-commonmark_0.9.1.bb | 14 +
.../python/python3-docopt_0.6.2.bb | 18 +
.../python/python3-icontract_2.5.3.bb | 14 +
.../python/python3-lief_0.11.5.bb | 36 ++
.../python/python3-pylddwrap_1.0.1.bb | 21 ++
recipes-devtools/python/python3-rich_7.1.0.bb | 16 +
.../python/python3-setuptools-scm_6.0.1.bb | 17 +
.../python/python3-toml_%.bbappend | 1 +
16 files changed, 841 insertions(+)
create mode 100644 classes/image-with-hardened-binaries.bbclass
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
create mode 100644 recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
create mode 100644 recipes-devtools/python/python3-asttokens_2.0.5.bb
create mode 100644 recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
create mode 100644 recipes-devtools/python/python3-colorama_%.bbappend
create mode 100644 recipes-devtools/python/python3-commonmark_0.9.1.bb
create mode 100644 recipes-devtools/python/python3-docopt_0.6.2.bb
create mode 100644 recipes-devtools/python/python3-icontract_2.5.3.bb
create mode 100644 recipes-devtools/python/python3-lief_0.11.5.bb
create mode 100644 recipes-devtools/python/python3-pylddwrap_1.0.1.bb
create mode 100644 recipes-devtools/python/python3-rich_7.1.0.bb
create mode 100644 recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
create mode 100644 recipes-devtools/python/python3-toml_%.bbappend

diff --git a/classes/image-with-hardened-binaries.bbclass b/classes/image-with-hardened-binaries.bbclass
new file mode 100644
index 0000000..d7d3908
--- /dev/null
+++ b/classes/image-with-hardened-binaries.bbclass
@@ -0,0 +1,338 @@
+# Provide qa checks to ensure all applications and libraries shipped with the image
+# have common compiler security features enabled. In particular there are checks that:
+# * nx protection is enabled
+# * relro is enabled
+# * executables (except for static linked ones) are position independent
+# * rpath and runpath are not set
+
+IMAGE_QA_COMMANDS += "image_check_binary_hardening"
+
+DEPENDS += "python3-checksec.py-native"
+
+inherit python3native
+
+# Add mappings to the path mappers (which determines if a binary is a application or
+# shared library). To add a mapping append " /path/from/the/root/to/bin:{application,library,ignore}"
+# to the list
+HARDENED_BINARIES_EXTRA_MAPPING ?= ""
+
+# Config file in TOML format:
+# [check]
+# enabled = true
+# whitelist = [
+# "path to some binary",
+# "path to some other binary"
+# ]
+# supported checks are: nx, relro, pie, rpath, runpath
+HARDENED_BINARIES_CONFIG_FILE ?= ""
+
+# Custom message to show in case of a detected violation
+# For instace if you want to add whom to contact for support
+HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE ?= ""
+
+# Path to libc used for foritfy source analysis. If fortify_source check is
+# not enabled, this variable can be ignored.
+HARDENED_BINARIES_LIBC_PATH ?= "${IMAGE_ROOTFS}${baselib}/libc.so.6"
+
+python image_check_binary_hardening () {
+ import fnmatch
+ import json
+ import os
+ import subprocess
+ import toml
+ from collections import defaultdict, OrderedDict
+ from enum import Enum, auto
+
+ from oe.utils import ImageQAFailed
+
+ rootfs = d.getVar("IMAGE_ROOTFS")
+
+ #################################
+ ## Data about supported checks ##
+ #################################
+
+ class BinType(Enum):
+ IGNORE = "ignore"
+ APPLICATION = "application"
+ LIBRARY = "library"
+
+ # Dict of checks to perform on the analysis result of checksec.py
+ # Each entry needs to contain the following attributes:
+ # - allowed_value: Value in the analysis result that should be accepted
+ # - bintypes: List of types on which the check shall be enforced (e.g. PIE check on libraries
+ # doesn't make much sense because PIE is only for executables)
+ # - errormsg: Message that should be prompted in case violators have been found
+ # - ignore_static: Indicates if statically linked applications should be ignored for that check
+ # Notes specific checks:
+ # - NX: Needs to be enforced on applications and libraries. This is because if only a single shared
+ # library doesn't use that, the whole process needs to have a executable stack.
+ # - RELRO: Statically linked applications do not make use of relocation, so this check would always
+ # fail for statically linked applications.
+ # - PIE: This check is only valid for applications (as in "position independent executable" for
+ # applications vs. "position independent code" (PIC) for shared libraries)
+ CHECK_DATA = {
+ "nx" : {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not use nx (not executable) protection. This mechanism is used " \
+ "to separate data from executable code. Disabling this mechanism is a security issue because " \
+ "this enables attackers to put code onto the stack. Please also note, if the nx protection is " \
+ "disabled in a shared library, all binary objects that link against this library will not be " \
+ "protected. This message usually appears if your binary is linked using the \"-z execstack\" " \
+ "flag.",
+ "ignore_static": False,
+ },
+ "relro": {
+ "allowed_value": "Full",
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not make use of the relro (relocation read-only). This feature " \
+ "prevents attackers from modifying addresses of functions that are located in shared libraries " \
+ "(which is a common technique to exploit vulnerabilities). Due to this, not making use of this " \
+ "feature is a security issue. Please make sure your application is linked using " \
+ "\"-Wl,-z,relro,-z,now\". ",
+ "ignore_static": True,
+ },
+ "rpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the rpath feature. This can easily enable an attacker " \
+ "to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "runpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the runpath feature. This can easily enable an attacker" \
+ " to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "pie": {
+ "allowed_value": "PIE",
+ "bintypes": [BinType.APPLICATION],
+ "errormsg":
+ "The following {} applications are not compiled to be position independent executables (pie). This " \
+ "compiler feature compiles the code in a way that it can be mapped to any location in the virtual " \
+ "memory. Compiling the application this way is required to make use of the Address Space Layout " \
+ "Randomization (ASLR). This feature maps executable code to a random location, which means an " \
+ "attacker can not rely on the fact that a specific portion of code is mapped to a specific address. " \
+ "Please ensure that you application is compiled using \"-fPIE\".",
+ "ignore_static": True,
+ },
+ "canary": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using stack canaries. These canaries are used to mitigate " \
+ "stack buffer overflows attacks. To do so the compiler adds checks to the end of a function to " \
+ "ensure that this function did not overwrite the stack frames of another function. Not using " \
+ "canaries may allow an attacker to exploit stack based buffer overflows by modifying the stack frame " \
+ "of other function calls (which simplifies exploiting such vulnerabilities a lot). Please make sure " \
+ "your components are compiled with the \"-fstack-protector-strong\" compile flag. Please note that " \
+ "there is a slight possibility for false-positives in this check: The compiler checks if a function " \
+ "needs canary protection or not. If there is no function that needs proctedtion in your binary, this " \
+ "check will fail anyway and the binary needs to be whitelisted.",
+ "ignore_static": False,
+ },
+ "fortify_source": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using the fortify source feature. This feature protects " \
+ "(some, not all) calls to memory manipulations function like memcpy, strcpy or strcat by adding " \
+ "checks that prevent buffer overflows. These checks can prevent attackers from exploiting such a " \
+ "buffer overflow. Please make sure your component is compiled with \"-D_FORTIFY_SOURCE=2\". In " \
+ "addition the compiler optimizations need to be enabled with \"-O1\" or higher. Please note that " \
+ "there is a slight possibility for false positives here: Not all occurences of these mentioned " \
+ "memory calls that can not be protected they will appear as if_FORTIFY_SOURCE has not been set. " \
+ "In such a case the binary needs to be whitelisted.",
+ "ignore_static": False,
+ }
+ }
+
+ #################################
+ ## Parse data from config file ##
+ #################################
+
+ config_file = d.getVar("HARDENED_BINARIES_CONFIG_FILE", True)
+ if not config_file:
+ msg = "Hardend Binary Check: No config file specifed. Please create a config file and set " \
+ "the variable \"HARDENED_BINARIES_CONFIG_FILE\" accordingly"
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ CHECK_CONFIG_DATA = defaultdict(lambda: {"enabled": False})
+ CHECK_CONFIG_DATA.update(toml.load(config_file))
+
+ # Expand whitelisted paths with rootfs
+ for check, values in CHECK_CONFIG_DATA.items():
+ values["whitelist"] = [rootfs + x for x in values["whitelist"]]
+
+ ###############################################
+ ## Classes and functions to perform analysis ##
+ ###############################################
+
+ class PathMapping:
+ """ Class to map paths to BinTypes """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.mapping = OrderedDict()
+
+ self.add("/bin/*", BinType.APPLICATION)
+ self.add("/lib/firmware/*", BinType.IGNORE)
+ self.add("/lib/modules/*", BinType.IGNORE)
+ self.add("/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/lib/systemd/*", BinType.APPLICATION)
+ self.add("/lib/*", BinType.LIBRARY)
+ self.add("/sbin/*", BinType.APPLICATION)
+ self.add("/usr/bin/*", BinType.APPLICATION)
+ self.add("/usr/libexec/*", BinType.APPLICATION)
+ self.add("/usr/lib/firmware/*", BinType.IGNORE)
+ self.add("/usr/lib/modules/*", BinType.IGNORE)
+ self.add("/usr/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/usr/lib/systemd/*", BinType.APPLICATION)
+ self.add("/usr/lib/*", BinType.LIBRARY)
+ self.add("/usr/sbin/*", BinType.APPLICATION)
+
+
+ def add(self, path, bin_type):
+ """ Add mapping of a path to a FileyType """
+ self.mapping[self.rootfs + path] = bin_type
+
+ def map(self, path):
+ """ Map a path to a FilesType. Returns None if path can not be mapped. """
+ for match_path, bin_type in self.mapping.items():
+ if fnmatch.fnmatch(path, match_path):
+ return bin_type
+ else:
+ return None
+
+ def call_checksec(rootfs):
+ """ Wrapper to call the checksec.py script
+
+ This function returns a list of result dicts, e.g.:
+ [
+ ...,
+ "/bin/systemd-hwdb": {
+ "relro": "No",
+ "canary": true,
+ "nx": true,
+ "pie": "PIE",
+ "rpath": false,
+ "runpath": false,
+ "symbols": false,
+ "fortify_source": true,
+ "fortified": 5,
+ "fortify-able": 16,
+ "fortify_score": 31
+ }
+ ]
+
+ """
+ parallel_make = d.getVar("PARALLEL_MAKE")
+
+ cmd = ["python3", "-m", "checksec", "--json", "--recursive", "--ignore-symlinks"]
+ if parallel_make:
+ cmd.append(parallel_make.replace("-j", "--workers="))
+ if CHECK_CONFIG_DATA["foritfy_source"]["enabled"]:
+ libc_path = d.getVar("HARDENED_BINARIES_LIBC_PATH", True)
+ cmd.append("--set-libc={}".format(libc_path))
+ cmd.append(rootfs)
+
+ return json.loads(subprocess.check_output(cmd).decode('utf-8'))
+
+
+ class ResultAnalyzer:
+ """ Class to evaluate the results produced by checksec.py """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.violators = defaultdict(list)
+
+ @staticmethod
+ def __is_static(path):
+ """ Checks if binary at given path is statically linked """
+ return "statically linked" in subprocess.check_output(["file", path], stderr=subprocess.STDOUT).decode('utf-8')
+
+ def check_result(self, path, result, bintype):
+ """ Perfom checks specified in CHECK_DATA on the given analysis result (of a specific binary) """
+
+ for check, values in CHECK_DATA.items():
+ if CHECK_CONFIG_DATA[check]["enabled"] and bintype in values["bintypes"]:
+ for whitelisted in CHECK_CONFIG_DATA[check]["whitelist"]:
+ if fnmatch.fnmatch(path, whitelisted):
+ break
+ else:
+ if result[check] != values["allowed_value"] and \
+ (not values["ignore_static"] or not self.__is_static(path)):
+ self.violators[check].append(path)
+
+
+ def perform_analysis(rootfs):
+ """ Analyze all binaries in a given rootfs. In case a container shall be analyzed the absolute path to the container_path
+ rootfs needs to be passed.
+ """
+
+ # Add custom path mapping (for bins in non-standard locations)
+ path_mapping = PathMapping(rootfs)
+ extra_mapping = d.getVar("HARDENED_BINARIES_EXTRA_MAPPING")
+ if extra_mapping:
+ for mapping in extra_mapping.split():
+ try:
+ path, type = mapping.split(':')
+ except:
+ bb.error("Hardened Binary Checks: Got misformated extra mapping {}. Mapping needs to be " \
+ "in form: \"<path regex>:{application,library,ignore}\"".format(mapping))
+ raise
+ path_mapping.add(path, BinType(type))
+
+ # Perform analysis of complete rootfs
+ analysis_result = call_checksec(rootfs)
+
+ # Check analysis results and ensure that all we can actually map all binaries to a BinType
+ result_analyzer = ResultAnalyzer(rootfs)
+ unmapped_binaries = []
+ for path, result in analysis_result.items():
+ bintype = path_mapping.map(path)
+ if bintype in [BinType.APPLICATION, BinType.LIBRARY]:
+ result_analyzer.check_result(path, result, bintype)
+ elif bintype != BinType.IGNORE:
+ unmapped_binaries.append(path)
+
+ # To ensure that we analyze all the binaries lets break the build if we can not map binaries
+ if unmapped_binaries:
+ msg = "Hardend Binary Check: Couldn't figure out if the following files are applications " \
+ "or libraries. This is probably due to a non standard location for applications or " \
+ "libraries. If you think this is required add the mapping to " \
+ "HARDENED_BINARIES_EXTRA_MAPPING and/or contact mgu-security-frontdesk@..." \
+ "\nUnmapped:\n{}".format("\n".join(unmapped_binaries),
+ image_check_binary_hardening)
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ custom_error_message = d.getVar('HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE')
+
+ # Break the build and show error message if we detected violators that are not whitelisted
+ errors = []
+ for check, violators in result_analyzer.violators.items():
+ if violators:
+ errormsg = CHECK_DATA[check]["errormsg"].format(len(violators))
+ errormsg += "\n{}".format("\n".join(violators))
+ if custom_error_message:
+ errormsg += "\n" + custom_error_message
+ errors.append(errormsg)
+
+ if errors:
+ raise ImageQAFailed("\n".join(errors), image_check_binary_hardening)
+
+ ##############################
+ ## Start analysis on rootfs ##
+ ##############################
+
+ perform_analysis(rootfs)
+
+}
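Review bot: in call_checksec the config lookup uses the misspelt key `CHECK_CONFIG_DATA["foritfy_source"]`; because CHECK_CONFIG_DATA is a defaultdict the typo does not raise but always yields enabled = False, so `--set-libc` is never passed and HARDENED_BINARIES_LIBC_PATH is dead code. It should read `CHECK_CONFIG_DATA["fortify_source"]["enabled"]`. Smaller points in the same hunk: the header comment and the "supported checks are:" line list only nx/relro/pie/rpath/runpath although CHECK_DATA also implements canary and fortify_source; the whitelist expansion reads `values["whitelist"]` unconditionally, so a TOML section containing only `enabled = false` raises KeyError (use `values.get("whitelist", [])`); the unmapped-binaries message passes `image_check_binary_hardening` as a stray second argument to `.format()`; and `d.getVar(..., True)` can drop the second argument as the other getVar calls do.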
diff --git a/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
new file mode 100644
index 0000000..ae434bc
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
+From 182268203951750dcfb2c134354e801dea472e4c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 14:42:25 +0200
+Subject: [PATCH 1/2] main: Add option to ignore symlinks
+
+When analyzing a complete rootfs (which might not be the rootfs of the
+analyzing system) symlinks within that rootfs might be broken. In
+particular absolute symlinks. However, if by chance such a symlink
+currently points to a valid binary in your system, this binary pointed
+to is analyzed. This commit adds the possibility to ignore symlinks to
+files (symlinks to dirs are already ignored by default). This allows to
+solve the issue described above, and if the whole rootfs is analyzed
+there shouldn't be a loss of information (because all the binaries will
+be analyzed anyway). Additionally, this also saves some time when
+performing the analysis.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/106
+---
+ checksec/__main__.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/checksec/__main__.py b/checksec/__main__.py
+index 856d0b3..f1a3445 100644
+--- a/checksec/__main__.py
++++ b/checksec/__main__.py
+@@ -8,6 +8,7 @@ Options:
+ -w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4]
+ -j --json Display results as JSON
+ -s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF)
++ -i --ignore-symlinks Ignore symlinks to files
+ -d --debug Enable debug output
+ -h --help Display this message
+ """
+@@ -27,15 +28,15 @@ from .pe import PEChecksecData, PESecurity, is_pe
+ from .utils import lief_set_logging
+
+
+-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
++def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
+ for path in filepath_list:
+ if path.is_dir() and not path.is_symlink():
+ if recursive:
+ for f in os.scandir(path):
+- yield from walk_filepath_list([Path(f)], recursive)
++ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
+ else:
+ yield from (Path(f) for f in os.scandir(path))
+- elif path.is_file():
++ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
+ yield path
+
+
+@@ -72,6 +73,7 @@ def main(args):
+ json = args["--json"]
+ recursive = args["--recursive"]
+ libc_path = args["--set-libc"]
++ ignore_symlinks = args["--ignore-symlinks"]
+
+ # logging
+ formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
+@@ -107,7 +109,7 @@ def main(args):
+ # we need to consume the iterator once to get the total
+ # for the progress bar
+ check_output.enumerating_tasks_start()
+- count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
++ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
+ check_output.enumerating_tasks_stop(count)
+ with ProcessPoolExecutor(
+ max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
+@@ -116,7 +118,7 @@ def main(args):
+ check_output.processing_tasks_start()
+ future_to_checksec = {
+ pool.submit(checksec_file, filepath): filepath
+- for filepath in walk_filepath_list(filepath_list, recursive)
++ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
+ }
+ for future in as_completed(future_to_checksec):
+ filepath = future_to_checksec[future]
+--
+2.31.1
+
diff --git a/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
new file mode 100644
index 0000000..a891c2b
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
@@ -0,0 +1,51 @@
+From f550777f35e178bc16a2ec612b2b39aa2c3946f2 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 16:16:47 +0200
+Subject: [PATCH 2/2] Elf: Fix relro detection
+
+Currently, relro is only detected when the BIND_NOW is set. If however
+the NOW flag in the FLAGS_1 section is set, relro is not detected (it
+does not even tell that relro is enabled partially). With this commit
+relro is detected correctly.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/107
+---
+ checksec/elf.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index 78ecacc..ef1850c 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -118,13 +118,24 @@ class ELFSecurity(BinarySecurity):
+ def relro(self) -> RelroType:
+ try:
+ self.bin.get(lief.ELF.SEGMENT_TYPES.GNU_RELRO)
+- if lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS):
+- return RelroType.Full
+- else:
+- return RelroType.Partial
+ except lief.not_found:
+ return RelroType.No
+
++ try:
++ bind_now = lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS)
++ except lief.not_found:
++ bind_now = False
++
++ try:
++ now = lief.ELF.DYNAMIC_FLAGS_1.NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS_1)
++ except lief.not_found:
++ now = False
++
++ if bind_now or now:
++ return RelroType.Full
++ else:
++ return RelroType.Partial
++
+ @property
+ def has_canary(self) -> bool:
+ canary_sections = ["__stack_chk_fail", "__intel_security_cookie"]
+--
+2.31.1
+
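Review bot: the reworked `relro()` only consults `DF_BIND_NOW` in `DT_FLAGS` and `DF_1_NOW` in `DT_FLAGS_1`; a binary that carries the legacy `DT_BIND_NOW` dynamic tag itself (`lief.ELF.DYNAMIC_TAGS.BIND_NOW`), which older linkers emit, would still be reported as `RelroType.Partial`, so a third lookup of that tag in the same `try/except lief.not_found` style would make the check complete. Style: the two identical `try/except` blocks could be one small helper, and `return RelroType.Full if (bind_now or now) else RelroType.Partial` replaces the four-line if/else.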
diff --git a/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
new file mode 100644
index 0000000..0351f84
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
@@ -0,0 +1,33 @@
+From 8de048c0065f8c5890d9e04ef2b32306e2ac4f8c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Thu, 5 Aug 2021 15:21:58 +0200
+Subject: [PATCH] fortify source check: Treat binaries with 0 fortifiable as
+ fortified
+
+Currently, if checksec.py detects 0 fortifiable instances it still
+treats the binary as not fortified. Semtically it would make sense to
+treat these binaries as fortified (because there is no evidence that it
+is not)
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/109
+---
+ checksec/elf.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index ef1850c..5914135 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -229,8 +229,7 @@ class ELFSecurity(BinarySecurity):
+ else:
+ score = (fortified_count * 100) / fortifiable_count
+ score = round(score)
+-
+- fortify_source = True if fortified_count != 0 else False
++ fortify_source = True if fortified_count != 0 or fortifiable_count == 0 else False
+ return ELFChecksecData(
+ relro=self.relro,
+ canary=self.has_canary,
+--
+2.31.1
+
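Review bot: `fortify_source = True if fortified_count != 0 or fortifiable_count == 0 else False` wraps a boolean in a redundant ternary; `fortify_source = fortified_count != 0 or fortifiable_count == 0` says the same. On the logic, treating zero fortifiable imports as fortified is the right default for a gate, but the resulting report cannot distinguish "nothing to check" from "verified"; a comment at this line, or a distinct result value alongside the `score` computed just above, would stop readers of the output from over-trusting the flag.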
diff --git a/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
new file mode 100644
index 0000000..af94cfa
--- /dev/null
+++ b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
@@ -0,0 +1,154 @@
+From d2ad8f6108c750c3dbd33ee6d4e4c94ada748b8a Mon Sep 17 00:00:00 2001
+From: Romain Thomas <me@...>
+Date: Mon, 3 May 2021 11:25:49 +0200
+Subject: [PATCH] Enable to use pre-compiled version of spdlog
+
+---
+ CMakeLists.txt | 8 ++++----
+ cmake/LIEFDependencies.cmake | 36 +++++++++++++++++++++++-------------
+ cmake/LIEFOptions.cmake | 4 ++++
+ setup.py | 17 +++++++++++++++++
+ 4 files changed, 48 insertions(+), 17 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index d1665cd..b92519a 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -307,8 +307,7 @@ source_group("mbedtls\\tls" FILES ${mbedtls_src_tls})
+ # Library definition
+ # ==================
+ target_include_directories(
+- LIB_LIEF SYSTEM PRIVATE "${SPDLOG_SOURCE_DIR}/include"
+- "${MBEDTLS_INCLUDE_DIRS}")
++ LIB_LIEF SYSTEM PRIVATE "${MBEDTLS_INCLUDE_DIRS}")
+
+ target_include_directories(
+ LIB_LIEF
+@@ -355,7 +354,8 @@ target_sources(LIB_LIEF PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}/include/LIEF/third-party/utfcpp/utf8.h)
+
+
+-add_dependencies(LIB_LIEF lief_spdlog lief_mbed_tls)
++add_dependencies(LIB_LIEF lief_mbed_tls)
++target_link_libraries(LIB_LIEF PRIVATE lief_spdlog)
+
+ # Flags definition
+ # ----------------
+@@ -626,7 +626,7 @@ install(
+ DESTINATION lib/pkgconfig
+ COMPONENT libraries)
+
+-export(TARGETS LIB_LIEF FILE LIEFExport.cmake)
++export(TARGETS LIB_LIEF lief_spdlog FILE LIEFExport.cmake)
+
+ # Package
+ # ======================
+diff --git a/cmake/LIEFDependencies.cmake b/cmake/LIEFDependencies.cmake
+index e75326f..37e6987 100644
+--- a/cmake/LIEFDependencies.cmake
++++ b/cmake/LIEFDependencies.cmake
+@@ -144,21 +144,31 @@ set(mbedtls_src_tls
+ "${MBEDTLS_SOURCE_DIR}/library/ssl_tls13_keys.c"
+ )
+
+-#set_source_files_properties("${MBEDTLS_SOURCE_DIR}/library/bignum.c" PROPERTIES COMPILE_FLAGS -Wno-overlength-strings)
++add_library(lief_spdlog INTERFACE)
+
+-set(SPDLOG_VERSION 1.8.2)
+-set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
+-set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog lib repo")
+-ExternalProject_Add(lief_spdlog
+- URL ${SPDLOG_URL}
+- URL_HASH ${SPDLOG_SHA256}
+- CONFIGURE_COMMAND ""
+- BUILD_COMMAND ""
+- UPDATE_COMMAND ""
+- INSTALL_COMMAND "")
++if(LIEF_EXTERNAL_SPDLOG)
++ find_package(spdlog REQUIRED)
++ list(APPEND CMAKE_MODULE_PATH "${SPDLOG_DIR}/cmake")
++ target_link_libraries(lief_spdlog INTERFACE spdlog::spdlog)
++ get_target_property(SPDLOG_INC_DIR spdlog::spdlog INTERFACE_INCLUDE_DIRECTORIES)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_INC_DIR})
++else()
++ set(SPDLOG_VERSION 1.8.2)
++ set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
++ set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog source")
++ ExternalProject_Add(lief_spdlog_project
++ URL ${SPDLOG_URL}
++ URL_HASH ${SPDLOG_SHA256}
++ CONFIGURE_COMMAND ""
++ BUILD_COMMAND ""
++ UPDATE_COMMAND ""
++ INSTALL_COMMAND "")
+
+-ExternalProject_get_property(lief_spdlog SOURCE_DIR)
+-set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ ExternalProject_get_property(lief_spdlog_project SOURCE_DIR)
++ set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ add_dependencies(lief_spdlog lief_spdlog_project)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_SOURCE_DIR}/include)
++endif()
+
+ # Fuzzing
+ # ~~~~~~~
+diff --git a/cmake/LIEFOptions.cmake b/cmake/LIEFOptions.cmake
+index fd6df6c..3bb92c3 100644
+--- a/cmake/LIEFOptions.cmake
++++ b/cmake/LIEFOptions.cmake
+@@ -45,6 +45,10 @@ option(LIEF_PROFILING "Enable performance profiling" OFF)
+ cmake_dependent_option(LIEF_INSTALL_COMPILED_EXAMPLES "Install LIEF Compiled examples" OFF
+ "LIEF_EXAMPLES" OFF)
+
++# Use a user-provided version of spdlog
++# It can be useful to reduce compile time
++option(LIEF_EXTERNAL_SPDLOG OFF)
++
+ set(LIEF_ELF_SUPPORT 0)
+ set(LIEF_PE_SUPPORT 0)
+ set(LIEF_MACHO_SUPPORT 0)
+diff --git a/setup.py b/setup.py
+index b915180..ad70bd8 100644
+--- a/setup.py
++++ b/setup.py
+@@ -45,6 +45,10 @@ class LiefDistribution(setuptools.Distribution):
+ ('lief-no-vdex', None, 'Disable VDEX module'),
+ ('lief-no-oat', None, 'Disable OAT module'),
+ ('lief-no-dex', None, 'Disable DEX module'),
++
++ ('lief-no-cache', None, 'Do not use compiler cache (ccache)'),
++
++ ('spdlog-dir=', None, 'Path to the directory that contains spdlogConfig.cmake'),
+ ]
+
+ def __init__(self, attrs=None):
+@@ -66,6 +70,10 @@ class LiefDistribution(setuptools.Distribution):
+
+ self.lief_no_android = False
+ self.doc = False
++
++ self.lief_no_cache = False
++
++ self.spdlog_dir = None
+ super().__init__(attrs)
+
+
+@@ -154,6 +162,15 @@ class BuildLibrary(build_ext):
+ else:
+ cmake_args += ["-DLIEF_LOGGING_DEBUG=off"]
+
++ if self.distribution.lief_no_cache:
++ cmake_args += ["-DLIEF_USE_CCACHE=off"]
++
++ # Setup spdlog configuration flags if
++ # the user provides --spdlog-dir
++ if self.distribution.spdlog_dir is not None:
++ cmake_args.append("-DLIEF_EXTERNAL_SPDLOG=ON")
++ cmake_args.append("-Dspdlog_DIR={}".format(self.distribution.spdlog_dir))
++
+ # Main formats
+ # ============
+ if self.distribution.lief_no_elf:
+--
+2.31.1
+
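Review bot: in the `cmake/LIEFDependencies.cmake` hunk, `list(APPEND CMAKE_MODULE_PATH "${SPDLOG_DIR}/cmake")` reads `SPDLOG_DIR`, while the `setup.py` hunk passes the location as `-Dspdlog_DIR=...`; CMake variable names are case-sensitive, so `${SPDLOG_DIR}` expands empty and the append is a no-op (harmless only because `find_package(spdlog REQUIRED)` already consumes `spdlog_DIR`), so either drop that line or use `${spdlog_DIR}`. In `cmake/LIEFOptions.cmake`, `option(LIEF_EXTERNAL_SPDLOG OFF)` passes `OFF` as the help string (the signature is `option(<var> "<help>" [value])`) and works only because the default is OFF anyway; `option(LIEF_EXTERNAL_SPDLOG "Use a pre-installed spdlog" OFF)` is what was meant. Finally, unlike the two checksec.py patches this one has no `Upstream-Status:` line; as an upstream commit it should carry `Upstream-Status: Backport`.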
diff --git a/recipes-devtools/python/python3-asttokens_2.0.5.bb b/recipes-devtools/python/python3-asttokens_2.0.5.bb
new file mode 100644
index 0000000..7ac2052
--- /dev/null
+++ b/recipes-devtools/python/python3-asttokens_2.0.5.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Annotate AST trees with source code positions"
+HOMEPAGE = "https://github.com/gristlabs/asttokens"
+AUTHOR = "Dmitry Sagalovskiy, Grist Labs <dmitry@...>"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e3fc50a88d0a364313df4b21ef20c29e"
+
+SRC_URI[md5sum] = "0a2a057b9c9a220bffdb3e7512062f17"
+SRC_URI[sha256sum] = "9a54c114f02c7a9480d56550932546a3f1fe71d8a02f1bc7ccd0ee3ee35cf4d5"
+
+RDEPENDS_${PN} = "python3-six"
+DEPENDS += "python3-setuptools-scm python3-toml"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
new file mode 100644
index 0000000..edce0a6
--- /dev/null
+++ b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Tool to verify the security properties of binaries"
+DESCRIPTION = "checksec.py is a tool verify if certain compiler flags \
+ have been enabled on compield applications and libraries."
+HOMEPAGE = "https://github.com/Wenzel/checksec.py"
+BUGTRACKER = "https://github.com/Wenzel/checksec.py/issues"
+SECTION = "devel/python"
+
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
+
+RDEPENDS_${PN} += " \
+ python3-docopt-native \
+ python3-lief-native \
+ python3-pylddwrap-native \
+ python3-rich-native \
+ "
+
+# Needs to be pulled from github becuase pypi package is currently broken
+SRC_URI = " \
+ git://github.com/Wenzel/checksec.py.git;protocol=https;branch=master \
+ file://python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch \
+ file://python3-checksec.py/0002-Elf-Fix-relro-detection.patch \
+ file://python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch \
+ "
+
+SRCREV = "4335ecd08f6ee13ff4ca9b01e83857ae6a8074e9"
+
+S="${WORKDIR}/git"
+
+inherit setuptools3 native
+
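Review bot: `DESCRIPTION` reads "a tool verify if" (missing "to") and "compield", and the comment has "becuase"; `S="${WORKDIR}/git"` also lacks the spaces around `=` used in every other assignment, and the blank line after `inherit setuptools3 native` is trailing whitespace. Pinning `SRCREV` with `protocol=https` is the right choice for a checker that gates images; the `branch=master` selector is only documentation once `SRCREV` is fixed, so the comment could say that the pypi package is broken as of this revision rather than "currently", which will go stale.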
diff --git a/recipes-devtools/python/python3-colorama_%.bbappend b/recipes-devtools/python/python3-colorama_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-colorama_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-commonmark_0.9.1.bb b/recipes-devtools/python/python3-commonmark_0.9.1.bb
new file mode 100644
index 0000000..a35abc3
--- /dev/null
+++ b/recipes-devtools/python/python3-commonmark_0.9.1.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Python parser for the CommonMark Markdown spec"
+HOMEPAGE = "https://github.com/rtfd/commonmark.py"
+AUTHOR = "Bibek Kafle <bkafle662@...>, Roland Shoemaker <rolandshoemaker@...>"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=37e127eb75a030780aefcfc584e78523"
+
+SRC_URI[md5sum] = "cd1dc70c4714d9ed4117a40490c25e00"
+SRC_URI[sha256sum] = "452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60"
+
+S = "${WORKDIR}/commonmark-0.9.1"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-docopt_0.6.2.bb b/recipes-devtools/python/python3-docopt_0.6.2.bb
new file mode 100644
index 0000000..c1b111a
--- /dev/null
+++ b/recipes-devtools/python/python3-docopt_0.6.2.bb
@@ -0,0 +1,18 @@
+
+SUMMARY = "Pythonic argument parser, that will make you smile"
+HOMEPAGE = "http://docopt.org"
+AUTHOR = "Vladimir Keleshev <vladimir@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=09b77fb74986791a3d4a0e746a37d88f"
+
+SRC_URI = "https://github.com/docopt/docopt/archive/refs/tags/${PV}.tar.gz"
+SRC_URI[md5sum] = "a6c44155426fd0f7def8b2551d02fef6"
+SRC_URI[sha256sum] = "2113eed1e7fbbcd43fb7ee6a977fb02d0b482753586c9dc1a8e3b7d541426e99"
+
+S = "${WORKDIR}/docopt-0.6.2"
+
+RDEPENDS_${PN} = ""
+
+inherit setuptools3
+
+BBCLASSEXTEND += "native"
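Review bot: `SRC_URI = "https://github.com/docopt/docopt/archive/refs/tags/${PV}.tar.gz"` fetches a GitHub auto-generated archive, which is produced on the fly and carries no byte-stability guarantee, so the recorded `md5sum` and `sha256sum` can start failing with no upstream change; fetching with `git://github.com/docopt/docopt.git;protocol=https` and a pinned `SRCREV`, as the checksec.py recipe does, is more robust. Also, `RDEPENDS_${PN} = ""` is a no-op and the file starts with an empty line.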
diff --git a/recipes-devtools/python/python3-icontract_2.5.3.bb b/recipes-devtools/python/python3-icontract_2.5.3.bb
new file mode 100644
index 0000000..88ac2ef
--- /dev/null
+++ b/recipes-devtools/python/python3-icontract_2.5.3.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Provide design-by-contract with informative violation messages."
+HOMEPAGE = "https://github.com/Parquery/icontract"
+AUTHOR = "Marko Ristin <marko.ristin@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57"
+
+SRC_URI[md5sum] = "6f41b9b84e4405374c160836587b3235"
+SRC_URI[sha256sum] = "b790101c8cc0d9df0105d852a645373c4d90d5049391b6e54db32a0acb4bccd7"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-asttokens"
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-lief_0.11.5.bb b/recipes-devtools/python/python3-lief_0.11.5.bb
new file mode 100644
index 0000000..5e4b422
--- /dev/null
+++ b/recipes-devtools/python/python3-lief_0.11.5.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Library to instrument executable formats"
+DESCRIPTION = " \
+ This project provides a cross platform library which can parse, modify \
+ and abstract ELF, PE and MachO formats. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/lief-project/LIEF"
+LICENSE = "APACHE-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1809bd489c3dae63aa0cb70070dc308e"
+
+SRC_URI = " \
+ https://github.com/lief-project/LIEF/releases/download/${PV}/lief-${PV}.zip \
+ file://python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch \
+ "
+SRC_URI[sha256sum] = "947825134d5dab91df218bb201fa4551814f1da0a47e4a890283716b800c8e8f"
+
+S = "${WORKDIR}/lief-${PV}"
+
+inherit setuptools3
+
+DEPENDS += "cmake-native"
+
+BBCLASSEXTEND += "native"
+
+DISTUTILS_BUILD_ARGS += " ${PARALLEL_MAKE} "
+
+do_compile() {
+ # From distutils3.bbclass (needs to be modified here to avoid usage of ccache)
+ cd ${DISTUTILS_SETUP_PATH}
+ NO_FETCH_BUILD=1 \
+ STAGING_INCDIR=${STAGING_INCDIR} \
+ STAGING_LIBDIR=${STAGING_LIBDIR} \
+ ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py \
+ --lief-no-cache build --build-base=${B} ${DISTUTILS_BUILD_ARGS} || \
+ bbfatal_log "'${PYTHON_PN} setup.py --lief-no-cache build ${DISTUTILS_BUILD_ARGS}' execution failed."
+}
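Review bot: `LICENSE = "APACHE-2.0"` is not the identifier OE expects; the asttokens recipe in this same series spells it `Apache-2.0`, and the upper-case form will trip the license-name checks. The copied `do_compile()` exists only to put `--lief-no-cache` before `build`; since it is a verbatim copy from distutils3.bbclass, the comment should name the release it was taken from so the override can be resynced when the class changes.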
diff --git a/recipes-devtools/python/python3-pylddwrap_1.0.1.bb b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
new file mode 100644
index 0000000..985c424
--- /dev/null
+++ b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Python wrapper for ldd"
+DESCRIPTION = " \
+ Pylddwrap wraps ldd *nix utility to determine shared libraries required by a program. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/Parquery/pylddwrap"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa"
+
+SRC_URI[sha256sum] = "171a39fc7feb33e607706c57c08373ceb2f6fd4362af9241ccc65e80c948ccdf"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-icontract"
+
+do_install_append() {
+ rm -f "${D}/${datadir}/requirements.txt"
+ rm -f "${D}/${datadir}/README.rst"
+}
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-rich_7.1.0.bb b/recipes-devtools/python/python3-rich_7.1.0.bb
new file mode 100644
index 0000000..59c26a4
--- /dev/null
+++ b/recipes-devtools/python/python3-rich_7.1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
+HOMEPAGE = "https://github.com/willmcgugan/rich"
+AUTHOR = "Will McGugan <willmcgugan@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d0d35d5357392e5bfeb0d0a7e6ba4d83"
+
+SRC_URI[md5sum] = "25daeefa226770a84b98c591069b419c"
+SRC_URI[sha256sum] = "ff701be541be32bcf46e821487c00bf4fa560aa814fc3cc9b3d514fd9b19a6f6"
+
+S = "${WORKDIR}/rich-7.1.0"
+
+RDEPENDS_${PN} = "python3-typing-extensions python3-pygments python3-commonmark python3-colorama"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
new file mode 100644
index 0000000..234694e
--- /dev/null
+++ b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "the blessed package to manage your versions by scm tags"
+HOMEPAGE = "https://github.com/pypa/setuptools_scm/"
+AUTHOR = "Ronny Pfannschmidt <opensource@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=838c366f69b72c5df05c96dff79b35f2"
+
+SRC_URI = "git://github.com/pypa/setuptools_scm.git;protocol=https;branch=main;tag=v${PV}"
+
+SRC_URI[sha256sum] = "8f85bfc7272fb5c04df28f00bde9db8f862c586d25fa155eea90fe62ea6a3302"
+
+RDEPENDS_${PN} = "python3-setuptools"
+
+inherit setuptools3
+
+S = "${WORKDIR}/git"
+
+BBCLASSEXTEND += "native"
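Review bot: `SRC_URI = "git://github.com/pypa/setuptools_scm.git;protocol=https;branch=main;tag=v${PV}"` without a `SRCREV` makes the git fetcher resolve the tag over the network, and a tag is mutable, so the build is neither offline-capable nor reproducible; pin `SRCREV` to the commit the tag points at. The `SRC_URI[sha256sum]` line applies to archive fetches and is ignored for a git URL, so it provides no integrity check here and should be removed.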
diff --git a/recipes-devtools/python/python3-toml_%.bbappend b/recipes-devtools/python/python3-toml_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-toml_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
--
2.31.1


[PATCH 2/2] image-with-hardened-binaries: Add selftest

Maximilian Blenk <Maximilian.Blenk@...>
 

Add selftest that executes binary analysis on small rootfs

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
.../cases/hardened_binaries_checker.py | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 lib/oeqa/selftest/cases/hardened_binaries_checker.py

diff --git a/lib/oeqa/selftest/cases/hardened_binaries_checker.py b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
new file mode 100644
index 0000000..6385757
--- /dev/null
+++ b/lib/oeqa/selftest/cases/hardened_binaries_checker.py
@@ -0,0 +1,42 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class HardenTests(OESelftestTestCase):
+ def test_hardened_binaries(self):
+
+ self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-with-hardened-binaries
+
+HARDENED_BINARIES_CONFIG_FILE = "${WORKDIR}/check-config.toml"
+
+do_write_config_file() {
+ echo "[rpath]\nenabled = true\nwhitelist = []\n" > "${WORKDIR}/check-config.toml"
+ echo "[runpath]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[relro]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[pie]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+ echo "[nx]\nenabled = true\nwhitelist = []\n" >> "${WORKDIR}/check-config.toml"
+}
+
+addtask do_write_config_file before do_image_qa
+
+ """)
+
+ result = bitbake("-c image_qa emptytest", ignore_status=True)
+ if result.status != 0:
+ self.logger.warn(result.output)
+ raise self.failureException("build failed, something went wrong...")
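Review bot: the test only asserts that `bitbake -c image_qa emptytest` exits 0, so a checker that silently accepts everything would pass it too; a second case that installs a deliberately non-hardened binary into the image with an empty whitelist and asserts a non-zero status is needed to show the gate actually fires. In `do_write_config_file()`, `echo "[rpath]\nenabled = true\nwhitelist = []\n"` relies on the shell's `echo` interpreting `\n`, which dash does and bash does not by default; `printf '[rpath]\nenabled = true\nwhitelist = []\n'` is portable. Also `import os`, `import re` and `get_bb_var` are unused, and `self.logger.warn` is the deprecated alias of `warning`.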
--
2.31.1


Weird bitbake generation behavior

Frans Meulenbroeks <fransmeulenbroeks@...>
 

Hi,

I share an sstate-cache with my fellow developers and I was assessing why sometimes things got rebuilt even though I did not expect this.
One of the things I discovered was that we had two versions of glog/0.3.5-r0 in sstate.
The difference was caused by run.do_configure, where one user had this in run.do_configure:

do_configure() {
    cmake_do_configure
    # remove WORKDIR info to improve reproducibility
    if [ -f  "/workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0/build/config.h" ] ; then
        sed -i 's/'$(echo /workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0 | sed 's_/_\\/_g')'/../g' /workdir/build-nano/tmp/work/aarch64-sorama-linux/glog/0.3.5-r0/build/config.h
    fi
}

whereas the other just had:

do_configure() {
    cmake_do_configure
}


The weird thing is that these two builds were about a day apart; they were built on the same system with, as far as I know, the same metadata, the same distro, the same image, etc.
User settings should also be the same (we build under Docker and I checked: we used the same version of Ubuntu in the container (18.04)). Actually the containers were generated from the same Dockerfile and docker inspect tells me the images are identical.

Does anyone have an idea how this happens and where that extra snippet comes from? (I grepped for the string "reproducibility" in the bitbake folder, but that did not help.)
BTW, we're using dunfell.

Thanks a lot, Frans


creating tarball for storing downloads; issue inheriting own-mirrors.bbclass

scott.threet@...
 

Hello,

 

I am trying to create tarballs to store Yocto downloads. This is primarily to avoid old commits breaking when some random git repository changes its master branch name or something like that. I have been using this: http://embeddedguruji.blogspot.com/2019/01/storing-yocto-downloads-on-private.html, though I have seen other sources giving similar instructions.

I am having the following error (after putting the two lines at the top of local.conf for my target and fixing the missing "):

ERROR: ParseError in configuration INHERITs: Could not inherit file classes/own‐mirrors.bbclass
 
 
I have poky with path sources/poky; and in bblayers.conf I have this:
${BSPDIR}/sources/poky/meta \
We are on an old commit of poky, but that file is identical in the old commit and current head of poky. If it matters, we are on zeus.

So from this I'm not understanding why bitbake can't find the file, or whether it has another error?

There is also supposedly an error log at /opt/yocto/arkki-cyient-prod/bitbake-cookerdaemon.log; but my /opt folder only has a subfolder containerd.
 
Any ideas about the problem or suggestions for what to check?
 
 
Thanks for any assistance,
Scott Threet


 


Re: multilib32: libtool-cross_2.4.6.bb configure failure

Geller, Nir <nir.geller@...>
 

Hi,

 

Any help on this topic would be much appreciated.

 

Thanks,

 

Nir.

 

From: yocto@... <yocto@...> On Behalf Of Geller, Nir
Sent: Wednesday, August 11, 2021 6:40 PM
To: yocto@...
Subject: Re: [yocto] multilib32: libtool-cross_2.4.6.bb configure failure

 

Executing

bitbake lib32-libtool-cross -e

Yields, among many others,

 

18513 # $TARGET_VENDOR [3 operations]

18514 #   set /home/build/tisdk/sources/oe-core/meta/conf/bitbake.conf:132

18515 #     "-oe"

18516 #   set /home/build/tisdk/sources/meta-arago/meta-arago-distro/conf/distro/include/toolchain-arm.inc:15

18517 #     ""

18518 #   override[virtclass-multilib-lib32]:set multilib_global.bbclass:159 [multilib_virtclass_handler_vendor]

18519 #     "mllib32"

18520 # pre-expansion value:

18521 #   "mllib32"

18522 TARGET_VENDOR="mllib32"

 

Later, HOST_VENDOR  = "${TARGET_VENDOR}",

And HOST_SYS = "${HOST_ARCH}${HOST_VENDOR}-${HOST_OS}"

 

Ok.

 

So either these variables are calculated incorrectly, or the libtool-cross recipe needs to be fixed in order to support multilib properly.

 

Can anyone please assist?

 

Thanks,

 

Nir.

 

From: yocto@... <yocto@...> On Behalf Of Geller, Nir
Sent: Wednesday, August 11, 2021 5:03 PM
To: Geller, Nir <nir.geller@...>; yocto@...
Subject: Re: [yocto] multilib32: libtool-cross_2.4.6.bb configure failure

 

The variable SYS_HOST is expanded to armmllib32-linux-gnueabi

Shouldn’t it be expanded to arm-none-linux-gnueabihf ?

 

Thanks,

 

Nir.

 

From: yocto@... <yocto@...> On Behalf Of Geller, Nir
Sent: Wednesday, August 11, 2021 4:41 PM
To: yocto@...
Subject: Re: [yocto] multilib32: libtool-cross_2.4.6.bb configure failure

 

Investigating run.do_configure suggests that in the configure stage oe_runconf() is set with what seem to be wrong --host and --target values:

 --host=armmllib32-linux-gnueabi   --target=armmllib32-linux-gnueabi

 

How can I influence oe_runconf() generation and set correct values?

 

From: yocto@... <yocto@...> On Behalf Of Geller, Nir
Sent: Wednesday, August 11, 2021 12:42 PM
To: yocto@...
Subject: [yocto] multilib32: libtool-cross_2.4.6.bb configure failure

 

Hi There,

 

Following the instruction from TI

 

https://software-dl.ti.com/processor-sdk-linux-rt/esd/AM64X/latest/exports/docs/linux/Overview_Building_the_SDK.html

 

I've set up a Yocto project for the AM64x.

 

Toolchain used is 9.2-2019.12

 

Now I need to add support for multilib32 because I have some software that can only be compiled as 32-bit.

 

I added the following lines to conf/local.conf

 

# Define multilib target

require conf/multilib.conf

MULTILIBS = "multilib:lib32"

DEFAULTTUNE_virtclass-multilib-lib32 = "armv7athf-neon"

 

And I am able to build a few packages with lib32- successfully; however, lib32-libtool-cross fails at the configure stage:

 

--host is set to the value armmllib32-linux-gnueabi

 

ERROR: lib32-libtool-cross-2.4.6-r0 do_configure: configure failed

ERROR: lib32-libtool-cross-2.4.6-r0 do_configure: Execution of '/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/temp/run.do_configure.29261' failed with exit code 1:

automake (GNU automake) 1.16.1

Copyright (C) 2018 Free Software Foundation, Inc.

License GPLv2+: GNU GPL version 2 or later <https://gnu.org/licenses/gpl-2.0.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

 

Written by Tom Tromey <tromey@...>

       and Alexandre Duret-Lutz <adl@...>.

AUTOV is 1.16

autoreconf: Entering directory `.'

autoreconf: configure.ac: not using Gettext

autoreconf: running: aclocal --system-acdir=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot/usr/share/aclocal/ --automake-acdir=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/share/aclocal-1.16 -I /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/m4/ -I /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/tests/ -I /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/share/aclocal/ --force --warnings=cross -I m4

aclocal: warning: unknown warning category 'cross'

autoreconf: configure.ac: tracing

autoreconf: running: /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/bin/autoconf --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/m4/ --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/tests/ --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/share/aclocal/ --force --warnings=cross

autoreconf: running: /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/bin/autoheader --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/m4/ --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/libtool-2.4.6/tests/ --include=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/share/aclocal/ --force --warnings=cross

autoreconf: running: automake --add-missing --copy --force-missing --warnings=cross

automake: warning: unknown warning category 'cross'

autoreconf: running: gnu-configize

autoreconf: Leaving directory `.'

| NOTE: Running ../libtool-2.4.6/configure  --build=x86_64-linux                                 --host=armmllib32-linux-gnueabi                   --target=armmllib32-linux-gnueabi                         --prefix=/usr           --exec_prefix=/usr                          --bindir=/usr/bin                             --sbindir=/usr/sbin                              --libexecdir=/usr/libexec                             --datadir=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot/usr/share                      --sysconfdir=/etc                            --sharedstatedir=/com                                 --localstatedir=/var                             --libdir=/usr/lib                               --includedir=/usr/include                                 --oldincludedir=/usr/include                      --infodir=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot/usr/share/info                                 --mandir=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot/usr/share/man                   --disable-silent-rules                      --disable-dependency-tracking                                --with-libtool-sysroot=/home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/lib32-recipe-sysroot

configure: loading site script /home/build/tisdk/sources/meta-openembedded/meta-networking/site/endian-little

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/endian-little

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/arm-common

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/arm-32

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/common-linux

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/common-glibc

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/arm-linux

configure: loading site script /home/build/tisdk/sources/oe-core/meta/site/common

## ------------------------- ##

## Configuring libtool 2.4.6 ##

## ------------------------- ##

 

checking for GNU M4 that supports accurate traces... /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/bin/m4

checking whether /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/recipe-sysroot-native/usr/bin/m4 accepts --gnu... yes

checking how m4 supports trace files... --debugfile

checking for a BSD-compatible install... /home/build/tisdk/build/arago-tmp-external-arm-glibc/hosttools/install -c

checking whether build environment is sane... yes

checking for armmllib32-linux-gnueabi-strip... arm-none-linux-gnueabihf-strip

checking for a thread-safe mkdir -p... /home/build/tisdk/build/arago-tmp-external-arm-glibc/hosttools/mkdir -p

checking for gawk... gawk

checking whether make sets $(MAKE)... yes

checking whether make supports nested variables... yes

checking whether make supports nested variables... (cached) yes

checking build system type... x86_64-pc-linux-gnu

checking host system type... Invalid configuration `armmllib32-linux-gnueabi': machine `armmllib32-unknown' not recognized

configure: error: /bin/bash ../libtool-2.4.6/build-aux/config.sub armmllib32-linux-gnueabi failed

WARNING: /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/temp/run.do_configure.29261:1 exit 1 from 'exit 1'

 

ERROR: Logfile of failure stored in: /home/build/tisdk/build/arago-tmp-external-arm-glibc/work/armv7at2hf-neonmllib32-linux-gnueabi/lib32-libtool-cross/2.4.6-r0/temp/log.do_configure.29261

 

 

Manually running the configure command with --host=arm-none-linux-gnueabihf works properly.

 

How can I fix the recipe to set --host correctly in this case?

 

Thanks a lot,

 

Nir.

 
