From: Amit Kucheria <amit.kucheria.ext@...>

This sample application provides an example of using the the MBEDTLS library.

Signed-off-by: Amit Kucheria <amit.kucheria.ext@...>
---
recipes-kernel/zephyr-kernel/zephyr-echo-client.bb | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 recipes-kernel/zephyr-kernel/zephyr-echo-client.bb

diff --git a/recipes-kernel/zephyr-kernel/zephyr-echo-client.bb b/recipes-kernel/zephyr-kernel/zephyr-echo-client.bb
new file mode 100644
index 000000000000..c17e1e78f6b5
--- /dev/null
+++ b/recipes-kernel/zephyr-kernel/zephyr-echo-client.bb
@@ -0,0 +1,5 @@
+include zephyr-sample.inc
+
+ZEPHYR_SRC_DIR = "${S}/samples/net/sockets/echo_client"
+
+ZEPHYR_MODULES_append = "\;${S}/modules/lib/mbedtls"
--
2.25.1

From: Amit Kucheria <amit.kucheria.ext@...>

MBed TLS is a library that implements cryptographic primitives and
SSL/TLS and DTLS protocols that are needed in secure network
communications.

Add it to the kernel include files to build and link against
applications that need mbedtls.

Signed-off-by: Amit Kucheria <amit.kucheria.ext@...>
---
recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc | 1 +
recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc | 1 +
recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc | 1 +
3 files changed, 3 insertions(+)

diff --git a/recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc b/recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc
index 330fe59aebe5..c9acbbbc3645 100644
--- a/recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc
+++ b/recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc
@@ -28,6 +28,7 @@ ZEPHYR_MODULES = ""
ZEPHYR_MODULES_append_arm = "\;${S}/modules/cmsis"
ZEPHYR_MODULES_append_nordic = "\;${S}/modules/hal/nordic"
ZEPHYR_MODULES_append_stm32 = "\;${S}/modules/hal/stm32"
+ZEPHYR_MODULES_append_mbedtls = "\;${S}/modules/lib/mbedtls"
ZEPHYR_MODULES_append_openamp = "\;${S}/modules/lib/open-amp\;${S}/modules/hal/libmetal"

EXTRA_OECMAKE_append = " -DZEPHYR_MODULES=${ZEPHYR_MODULES}"
diff --git a/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc b/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc
index 5d66f0f3cb5b..3aeb3bf6fc3f 100644
--- a/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc
+++ b/recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc
@@ -6,6 +6,7 @@ SRCREV_stm32 = "cc8731dba4fd9c57d7fe8ea6149828b89c2bd635"
SRCREV_open-amp = "de1b85a13032a2de1d8b6695ae5f800b613e739d"
SRCREV_libmetal = "9d4ee2c3cfd5f49861939447990f3b7d7bf9bf94"
SRCREV_tinycrypt = "3e9a49d2672ec01435ffbf0d788db6d95ef28de0"
+SRCREV_mbedtls = "5765cb7f75a9973ae9232d438e361a9d7bbc49e7"

PV = "2.5.0+git${SRCPV}"

diff --git a/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc b/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
index 1d06d916a1e0..069fa561667c 100644
--- a/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
+++ b/recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc
@@ -13,6 +13,7 @@ SRC_URI = "\
git://github.com/zephyrproject-rtos/cmsis.git;protocol=https;destsuffix=git/modules/cmsis;name=cmsis \
git://github.com/zephyrproject-rtos/hal_nordic.git;protocol=https;destsuffix=git/modules/hal/nordic;name=nordic \
git://github.com/zephyrproject-rtos/hal_stm32.git;protocol=https;destsuffix=git/modules/hal/stm32;name=stm32 \
+ git://github.com/zephyrproject-rtos/mbedtls.git;protocol=https;destsuffix=git/modules/lib/mbedtls;name=mbedtls \
git://github.com/zephyrproject-rtos/open-amp.git;protocol=https;destsuffix=git/modules/lib/open-amp;name=open-amp \
git://github.com/zephyrproject-rtos/libmetal.git;protocol=https;destsuffix=git/modules/hal/libmetal;name=libmetal \
git://github.com/zephyrproject-rtos/tinycrypt.git;protocol=https;destsuffix=git/modules/crypto/tinycrypt;name=tinycrypt \
--
2.25.1

From: Amit Kucheria <amit.kucheria.ext@...>


MBed TLS is a library that implements cryptographic primitives and SSL/TLS
and DTLS protocols that are needed in secure network communications.

Add it to the kernel include files to build and link against applications
that need mbedtls. Add a few sample applications that utilize mbedtls
library too.


Amit Kucheria (5):
zephyr-kernel: Clone mbedtls
zephyr-echo-client: Add recipe for echo client
zephyr-http-client: Add recipe for http client
zephyr-websocket-client: Add recipe for websocket client
zephyr-mqtt-publisher: Add recipe for mqtt publisher

recipes-kernel/zephyr-kernel/zephyr-echo-client.bb | 5 +++++
recipes-kernel/zephyr-kernel/zephyr-http-client.bb | 5 +++++
recipes-kernel/zephyr-kernel/zephyr-kernel-common.inc | 1 +
recipes-kernel/zephyr-kernel/zephyr-kernel-src-2.5.0.inc | 1 +
recipes-kernel/zephyr-kernel/zephyr-kernel-src.inc | 1 +
recipes-kernel/zephyr-kernel/zephyr-mqtt-publisher.bb | 5 +++++
recipes-kernel/zephyr-kernel/zephyr-websocket-client.bb | 5 +++++
7 files changed, 23 insertions(+)
create mode 100644 recipes-kernel/zephyr-kernel/zephyr-echo-client.bb
create mode 100644 recipes-kernel/zephyr-kernel/zephyr-http-client.bb
create mode 100644 recipes-kernel/zephyr-kernel/zephyr-mqtt-publisher.bb
create mode 100644 recipes-kernel/zephyr-kernel/zephyr-websocket-client.bb

--
2.25.1

In message: [linux-yocto] [linux-yocto v5.10/standard/nxp-sdk-5.4/nxp-s32g2xx]: drivers: dspi: fsl: fix dspi transfer hang issue
on 04/06/2021 Zhantao Tang wrote:

Hi Bruce,


There is an patch to fix dspi hang issue.

Would you please help to merge this patch into linux-ycoto kernel, v5.10, branch is v5.10/standard/nxp-sdk-5.4/nxp-s32g2xx?

This went to the wrong mailing list, but I did pick it up!

merged.

Bruce

Thanks,
Zhantao

Thanks Quentin, that did the trick.


On 6/5/21, Quentin Schulz <foss@...> wrote:

Hi,

On June 5, 2021 12:43:19 AM UTC, JH <jupiter.hce@...> wrote:

Hi,

I am building following imx6ulz-kobs.dts file to a dtb in zeus:

$ cat imx6ulz-kobs.dts

#include "imx6ulz.dts"

/{
model = "customized imx6ull";
compatible = "fsl,imx6ull";
};

&gpmi {
/delete-node/ fsl,use-minimum-ecc;
};

The building process was fine, but that fsl,use-minimum-ecc in dtb was
not deleted, is it a bug or it does not support /delete-node/?

fsl,use-minimum-ecc is a property not a node, you need to use
/delete-property/ instead, c.f.
https://devicetree-specification.readthedocs.io/en/latest/chapter6-source-language.html?highlight=delete-property#node-and-property-definitions.

Cheers,
Quentin

--
"A man can fail many times, but he isn't a failure until he begins to
blame somebody else."
-- John Burroughs

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-integrity/recipes-kernel/linux/linux-%.bbappend | 6 +-----
meta-integrity/recipes-kernel/linux/linux_ima.inc | 5 +++++
2 files changed, 6 insertions(+), 5 deletions(-)
create mode 100644 meta-integrity/recipes-kernel/linux/linux_ima.inc

diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index f9a48cd..be60bfe 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,5 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
-
-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
-
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
new file mode 100644
index 0000000..f9a48cd
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -0,0 +1,5 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+
+KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-integrity/README.md | 18 +++++++++++++++++-
.../classes/sanity-meta-integrity.bbclass | 10 ++++++++++
meta-integrity/conf/layer.conf | 4 ++++
3 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 meta-integrity/classes/sanity-meta-integrity.bbclass

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 5048fba..8254b0d 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -1,8 +1,24 @@
This README file contains information on the contents of the
integrity layer.

-Please see the corresponding sections below for details.

+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'integrity' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " integrity"
+
+If meta-integrity is included, but integrity is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-integritry layer, but
+ 'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_INTEGRITY_SANITY_CHECK = 1

Dependencies
============
diff --git a/meta-integrity/classes/sanity-meta-integrity.bbclass b/meta-integrity/classes/sanity-meta-integrity.bbclass
new file mode 100644
index 0000000..6ba7e3f
--- /dev/null
+++ b/meta-integrity/classes/sanity-meta-integrity.bbclass
@@ -0,0 +1,10 @@
+addhandler integrity_bbappend_distrocheck
+integrity_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python integrity_bbappend_distrocheck() {
+ skip_check = e.data.getVar('SKIP_META_INTEGRITY_SANITY_CHECK') == "1"
+ if 'integrity' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-integrity layer, but \
+'integrity' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-integrity README \
+for details on enabling integrity support.")
+}
diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index ba028da..37776f8 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -26,6 +26,10 @@ LAYERDEPENDS_integrity = "core openembedded-layer"

BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"

+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_INTEGRITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-integrity"
+
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
.../linux/linux-yocto_5.%.bbappend | 18 +-----------------
.../recipes-kernel/linux/linux-yocto_tpm.inc | 17 +++++++++++++++++
2 files changed, 18 insertions(+), 17 deletions(-)
create mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc

diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
index cea8b1b..2cf1453 100644
--- a/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,17 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
-
-# Enable tpm in kernel
-SRC_URI_append_x86 = " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI_append_x86-64 = " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
- "
-
-SRC_URI += " \
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
- ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
- "
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm', 'linux-yocto_tpm.inc', '', d)}
diff --git a/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
new file mode 100644
index 0000000..cea8b1b
--- /dev/null
+++ b/meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+# Enable tpm in kernel
+SRC_URI_append_x86 = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+ "
+
+SRC_URI_append_x86-64 = " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+ "
+
+SRC_URI += " \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
+ ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
+ "
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/README | 19 +++++++++++++++++++
meta-tpm/classes/sanity-meta-tpm.bbclass | 10 ++++++++++
meta-tpm/conf/layer.conf | 4 ++++
3 files changed, 33 insertions(+)
create mode 100644 meta-tpm/classes/sanity-meta-tpm.bbclass

diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..59d2ee3 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -1,6 +1,25 @@
meta-tpm layer
==============

+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'tpm' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " tmp"
+
+If meta-tpm is included, but tpm is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-tpm layer, but
+ 'tpm' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_TPM_SANITY_CHECK = 1
+
+
This layer contains base TPM recipes.

Dependencies
diff --git a/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-tpm/classes/sanity-meta-tpm.bbclass
new file mode 100644
index 0000000..2f8b52d
--- /dev/null
+++ b/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -0,0 +1,10 @@
+addhandler tpm_machinecheck
+tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
+python tpm_machinecheck() {
+ skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
+ if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-tpm layer, but \
+'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-tpm README \
+for details on enabling tpm support.")
+}
diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 1b766cb..0b102c5 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -17,6 +17,10 @@ LAYERDEPENDS_tpm-layer = " \
"
BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"

+# Sanity check for meta-integrity layer.
+# Setting SKIP_META_TPM_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-tpm"
+
BBFILES_DYNAMIC += " \
networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
"
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-kernel/linux/linux-yocto-dev.bbappend | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 recipes-kernel/linux/linux-yocto-dev.bbappend

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend
deleted file mode 100644
index 1d9054f..0000000
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)}
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-kernel/linux/linux-yocto-dev.bbappend | 4 +---
recipes-kernel/linux/linux-yocto_5.%.bbappend | 4 +---
recipes-kernel/linux/linux-yocto_security.inc | 3 +++
3 files changed, 5 insertions(+), 6 deletions(-)
create mode 100644 recipes-kernel/linux/linux-yocto_security.inc

diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend
index fa536d0..1d9054f 100644
--- a/recipes-kernel/linux/linux-yocto-dev.bbappend
+++ b/recipes-kernel/linux/linux-yocto-dev.bbappend
@@ -1,3 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
index fa536d0..1d9054f 100644
--- a/recipes-kernel/linux/linux-yocto_5.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -1,3 +1 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
-KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'security', '${BPN}_security.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-yocto_security.inc b/recipes-kernel/linux/linux-yocto_security.inc
new file mode 100644
index 0000000..fa536d0
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_security.inc
@@ -0,0 +1,3 @@
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
README | 18 ++++++++++++++++++
classes/sanity-meta-security.bbclass | 10 ++++++++++
conf/layer.conf | 4 ++++
3 files changed, 32 insertions(+)
create mode 100644 classes/sanity-meta-security.bbclass

diff --git a/README b/README
index eb15366..4047b86 100644
--- a/README
+++ b/README
@@ -1,6 +1,24 @@
Meta-security
=============

+The bbappend files for some recipes (e.g. linux-yocto) in this layer need
+to have 'security' in DISTRO_FEATURES to have effect.
+To enable them, add in configuration file the following line.
+
+ DISTRO_FEATURES_append = " security"
+
+If meta-security is included, but security is not enabled as a
+distro feature a warning is printed at parse time:
+
+ You have included the meta-security layer, but
+ 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files
+ and preferred version setting may not take effect.
+
+If you know what you are doing, this warning can be disabled by setting the following
+variable in your configuration:
+
+ SKIP_META_SECURITY_SANITY_CHECK = 1
+
This layer provides security tools, hardening tools for Linux kernels
and libraries for implementing security mechanisms.

diff --git a/classes/sanity-meta-security.bbclass b/classes/sanity-meta-security.bbclass
new file mode 100644
index 0000000..b6c6b9c
--- /dev/null
+++ b/classes/sanity-meta-security.bbclass
@@ -0,0 +1,10 @@
+addhandler security_bbappend_distrocheck
+security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck"
+python security_bbappend_distrocheck() {
+ skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1"
+ if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+ bb.warn("You have included the meta-security layer, but \
+'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
+and preferred version setting may not take effect. See the meta-security README \
+for details on enabling security support.")
+}
diff --git a/conf/layer.conf b/conf/layer.conf
index 906e024..7853d6e 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -13,6 +13,10 @@ LAYERSERIES_COMPAT_security = "hardknott"

LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"

+# Sanity check for meta-security layer.
+# Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
+INHERIT += "sanity-meta-security"
+
BBFILES_DYNAMIC += " \
rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
"
--
2.25.1

This series superceeds the privious set to help
pass the check-layer scrip.

Armin Kuster (7):
meta-security: add sanity check
meta-security/recipe-kernel: use sanity check
linux-yocto-dev: drop bbappend
meta-tpm: add layer sanity check
meta-tpm/linux-yocto: use sanity support
meta-integrity: add sanity check
meta-integrity/recipe-kernel: use sanity check

README | 18 ++++++++++++++++++
classes/sanity-meta-security.bbclass | 10 ++++++++++
conf/layer.conf | 4 ++++
meta-integrity/README.md | 18 +++++++++++++++++-
.../classes/sanity-meta-integrity.bbclass | 10 ++++++++++
meta-integrity/conf/layer.conf | 4 ++++
.../recipes-kernel/linux/linux-%.bbappend | 6 +-----
.../recipes-kernel/linux/linux_ima.inc | 5 +++++
meta-tpm/README | 19 +++++++++++++++++++
meta-tpm/classes/sanity-meta-tpm.bbclass | 10 ++++++++++
meta-tpm/conf/layer.conf | 4 ++++
.../linux/linux-yocto_5.%.bbappend | 18 +-----------------
.../recipes-kernel/linux/linux-yocto_tpm.inc | 17 +++++++++++++++++
recipes-kernel/linux/linux-yocto_5.%.bbappend | 4 +---
...-dev.bbappend => linux-yocto_security.inc} | 0
15 files changed, 121 insertions(+), 26 deletions(-)
create mode 100644 classes/sanity-meta-security.bbclass
create mode 100644 meta-integrity/classes/sanity-meta-integrity.bbclass
create mode 100644 meta-integrity/recipes-kernel/linux/linux_ima.inc
create mode 100644 meta-tpm/classes/sanity-meta-tpm.bbclass
create mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto_tpm.inc
rename recipes-kernel/linux/{linux-yocto-dev.bbappend => linux-yocto_security.inc} (100%)

--
2.25.1

Op 14-04-2021 om 06:59 schreef Richard Purdie:

On Tue, 2021-04-13 at 21:14 -0400, Randy MacLeod wrote:

On 2021-04-11 12:19 p.m., Alexander Kanavin wrote:

make already has -l option for limiting new instances if load average is
too high, so it's only natural to add a RAM limiter too.

   -l [N], --load-average[=N], --max-load[=N]
                               Don't start multiple jobs unless load is
below N.

In any case, patches welcome :)

During today's Yocto technical call (1),
we talked about approaches to limiting the system load and avoiding
swap and/or OOM events. Here's what (little!) i recall from the
discussion, 9 busy hours later.

In the short run, instead of independently maintaining changes to
configurations to limit parallelism or xz memory usage, etc, we
could develop an optional common include file where such limits
are shared across the community.

In the longer run, changes to how bitbake schedules work may be needed.

Richard says that there was a make/build server idea and maybe even a
patch from a while ago. It may be in one of his poky-contrib branches.
I took a few minutes to look but nothing popped up. A set of keywords to
search for might help me find it.

http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=rpurdie/wipqueue4&id=d66a327fb6189db5de8bc489859235dcba306237
Cheers,
Richard

I like the idea. Unfortunately the patch doesn't apply to Gatesgarth, so I couldn't test it. Any chance you would be doing a refresh?

Hi,

On June 5, 2021 12:43:19 AM UTC, JH <jupiter.hce@...> wrote:

Hi,

I am building following imx6ulz-kobs.dts file to a dtb in zeus:

$ cat imx6ulz-kobs.dts

#include "imx6ulz.dts"

/{
model = "customized imx6ull";
compatible = "fsl,imx6ull";
};

&gpmi {
/delete-node/ fsl,use-minimum-ecc;
};

The building process was fine, but that fsl,use-minimum-ecc in dtb was
not deleted, is it a bug or it does not support /delete-node/?

fsl,use-minimum-ecc is a property not a node, you need to use /delete-property/ instead, c.f. https://devicetree-specification.readthedocs.io/en/latest/chapter6-source-language.html?highlight=delete-property#node-and-property-definitions.

Cheers,
Quentin

Hi,

I am building following imx6ulz-kobs.dts file to a dtb in zeus:

$ cat imx6ulz-kobs.dts

#include "imx6ulz.dts"

/{
model = "customized imx6ull";
compatible = "fsl,imx6ull";
};

&gpmi {
/delete-node/ fsl,use-minimum-ecc;
};

The building process was fine, but that fsl,use-minimum-ecc in dtb was
not deleted, is it a bug or it does not support /delete-node/?

Thank you.

- jupiter

On Fri, Jun 4, 2021 at 5:00 AM <florian.kauer@...> wrote:

Hi,
I made the following observation in my custom Yocto system:
The device tree loaded by the Linux kernel is one that is only available in the barebox directory, but not available in the kernel sources. In fact, it is quite similar, but I made some changes to it in the device tree provided to the kernel. Especially the machine model that is shown during kernel boot is a string that can only be found in the compiled barebox image, but not in the dtb files (where I can find the correct machine model string) or anywhere else in the compilation results. But also other messages indicate that the wrong device tree is loaded.

It was correct before, and I am not really sure what triggered that (just upgraded from zeus, but it might or might not be triggered by that) and I wouldn't expect that anyone could guess what I have done wrong without debugging my setup in depth. But, my general question is: Is there any mechanism that could explain such a behavior? Any configuration that means "extract the device tree from the bootloader" or something similar?

In your upgrade, did the bootloader/initramfs/kernel version change ?
The passing of the device tree to the kernel is (commonly) part of the
bootflow, so changes to any of the components in that flow could cause
the different device tree usage you are seeing.

The bbclass and recipes involved wouldn't have been packaging up the
barebox tree and pulling it into the kernel in zeus, so while it isn't
impossible, it isn't likely to be in the build or packaging changes.

Bruce

Greetings,
Florian

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Fri, Jun 4, 2021 at 8:37 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

On Fri, Jun 4, 2021 at 8:27 AM Bruce Ashfield <bruce.ashfield@...> wrote:

On Thu, Jun 3, 2021 at 11:35 PM Kai <kai.kang@...> wrote:

On 6/4/21 11:22 AM, Bruce Ashfield wrote:

On Thu, Jun 3, 2021 at 11:06 PM <kai.kang@...> wrote:

From: Kai Kang <kai.kang@...>

Replace hardknott with honister in layer.conf which aligns with
oe-core.

I had added this back in April, but apparently didn't push the change.

I also noticed that I've been updating the wrong branch with compatibility.

That should all be fixed now.

Hi Bruce,

Thanks. I have seen your commits.

But 3 items in LAYERSERIES_COMPAT_realtime will cause layer index show
warning:

WARNING: YPCompatibleVersion.name: dunfell gatesgarth hardknott:
length 28 exceeds maximum (25), truncating

Could we only keep the latest LAYERSERIES_CORENAMES (honister) in branch
master, please?

Nope. It is compatible with those releases, so they need to stay. I
see no valid reason to be limited to a certain number of characters.

Or it set in oe-core's layer.conf:

LAYERSERIES_CORENAMES = "hardknott honister"

we just align with it to keep the latest 2, please?

That is just as arbitrary, I'll keep it as-is.

I took a quick look, is this warning coming from the layer index ?
That would be important information to convey when sending changes
like this.

Apologies on this, I see in the follow up email you did mention the
layerindex .. I read completely over that, and had to search up the
warning myself. (my fault, not yours).

That being said, it is a longer fix to get that warning changed, and
I'd rather not break the index, so I dropped to only the last two
releases.

But I do recommend that the layer index be changed (if that is the
cause of the warning), since we shouldn't be adapting to the index ..
it should be adapting to layers.

This point still stands though :D

Bruce

Bruce

Bruce

Regards,
Kai

Bruce

Signed-off-by: Kai Kang <kai.kang@...>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 007f578..8ae67ba 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -15,6 +15,6 @@ BBFILE_PRIORITY_realtime = "5"
# This should only be incremented on significant changes that will
# cause compatibility issues with other layers
LAYERVERSION_realtime = "1"
-LAYERSERIES_COMPAT_realtime = "hardknott"
+LAYERSERIES_COMPAT_realtime = "honister"
LAYERDEPENDS_realtime = "core openembedded-layer"
LAYERRECOMMENDS_realtime = "meta-realtime-dl (= 3.2)"
--
2.17.1

--
Kai Kang
Wind River Linux

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

On Fri, Jun 4, 2021 at 8:27 AM Bruce Ashfield <bruce.ashfield@...> wrote:

On Thu, Jun 3, 2021 at 11:35 PM Kai <kai.kang@...> wrote:

On 6/4/21 11:22 AM, Bruce Ashfield wrote:

On Thu, Jun 3, 2021 at 11:06 PM <kai.kang@...> wrote:

From: Kai Kang <kai.kang@...>

Replace hardknott with honister in layer.conf which aligns with
oe-core.

I had added this back in April, but apparently didn't push the change.

I also noticed that I've been updating the wrong branch with compatibility.

That should all be fixed now.

Hi Bruce,

Thanks. I have seen your commits.

But 3 items in LAYERSERIES_COMPAT_realtime will cause layer index show
warning:

WARNING: YPCompatibleVersion.name: dunfell gatesgarth hardknott:
length 28 exceeds maximum (25), truncating

Could we only keep the latest LAYERSERIES_CORENAMES (honister) in branch
master, please?

Nope. It is compatible with those releases, so they need to stay. I
see no valid reason to be limited to a certain number of characters.

Or it set in oe-core's layer.conf:

LAYERSERIES_CORENAMES = "hardknott honister"

we just align with it to keep the latest 2, please?

That is just as arbitrary, I'll keep it as-is.

I took a quick look, is this warning coming from the layer index ?
That would be important information to convey when sending changes
like this.

That being said, it is a longer fix to get that warning changed, and
I'd rather not break the index, so I dropped to only the last two
releases.

But I do recommend that the layer index be changed (if that is the
cause of the warning), since we shouldn't be adapting to the index ..
it should be adapting to layers.

Bruce

Bruce

Regards,
Kai

Bruce

Signed-off-by: Kai Kang <kai.kang@...>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 007f578..8ae67ba 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -15,6 +15,6 @@ BBFILE_PRIORITY_realtime = "5"
# This should only be incremented on significant changes that will
# cause compatibility issues with other layers
LAYERVERSION_realtime = "1"
-LAYERSERIES_COMPAT_realtime = "hardknott"
+LAYERSERIES_COMPAT_realtime = "honister"
LAYERDEPENDS_realtime = "core openembedded-layer"
LAYERRECOMMENDS_realtime = "meta-realtime-dl (= 3.2)"
--
2.17.1

--
Kai Kang
Wind River Linux

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II