Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/AppArmor/apparmor_3.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.0.bb
index 35e95a0..015205d 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -39,7 +39,7 @@ PARALLEL_MAKE = ""

COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"

-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion

REQUIRED_DISTRO_FEATURES = "apparmor"

--
2.17.1

Hi,

Hi all

Is it possible to include a fine in local.conf?

yes. Just add "include my.conf" in your configuration.

https://docs.yoctoproject.org/bitbake/bitbake-user-manual/bitbake-user-manual-metadata.html#include-directive

Regards,
/Peter

MZ

Hello,

we are using a recipe to fetch binary from artifactory and package it in rootfile system.
and this artifactory path can be dynamic so i am using linux system variable to pass this information to the recipe by
d.getVar("SYSTEM_VAR",True)
and then using this variable in recipe to fetch binary from artifactory.

the problem is that when i change the "SYSTEM_VAR on linux machine then YOCTO complains "The metadata is not deterministic and this needs to be fixed"
because i am changing the variable without changing recipe, and the basehash value has changed.

what is the best way to solve the above problem?

On Mon, Feb 22, 2021 at 05:44 AM, Josef Holzmayr wrote:

I personally would probably go with a build-in-build, and put some
form of application rootfs on the emmc - this could either be a simple
chroot or some more advanced form of container. This avoids nasty
breakages and update problems when the filesystems go out of version
sync. Other techniques might also apply depending on your software
rollout process, like an addtional overlay fs, or a pivot-root with
initrd, or.... it depends. But ripping out random packages and
rearranging them at random locations certainly isn't a good idea. It
already hurts when I think of the mount-and-deploy magic one would
need for this to roll out in production.

My $.02

Okay, that makes sense!
I'll look for a better solution. 

KR,
Felix 

(re-adding list as this certainly does not contain sensitive
information - others might add other opinions and hints, as well as my
answer should be available for everyone to find it.)

Am Mo., 22. Feb. 2021 um 14:35 Uhr schrieb <felixn1996@...>:

On Mon, Feb 22, 2021 at 04:57 AM, Josef Holzmayr wrote:

Whats the reasoning behind this? If its meant to be a work-around for
"my custom software totally wants it in that location", then you're
probably better off fixing your custom software to stick to canonical
paths. If its about partitioning schemes, other techniques might
apply. If its about being able to upgrade/modify python independently
from the system, then you probably want some root-in-root or container
build. But randomly picing a complex package that has system-wide
implications and saying "I want it here, screw the FHS" is not a good
idea usually.

Hi
I am aware that what I am asking for is a bit ugly.

The reason is that I have a small amount of memory at my disposal. I'm working with a setup with two partitions, a root-fs and an overlayed application file system. None of them has enough space for python.
Therefore I want to install it on the eMMC, which has plenty of space.
So instead of /usr which is on the root/app file system, I would install it under /media/<somewhere> on the mounted eMMC.

But maybe there exists a more elegant solution?

I personally would probably go with a build-in-build, and put some
form of application rootfs on the emmc - this could either be a simple
chroot or some more advanced form of container. This avoids nasty
breakages and update problems when the filesystems go out of version
sync. Other techniques might also apply depending on your software
rollout process, like an addtional overlay fs, or a pivot-root with
initrd, or.... it depends. But ripping out random packages and
rearranging them at random locations certainly isn't a good idea. It
already hurts when I think of the mount-and-deploy magic one would
need for this to roll out in production.

My $.02

Greetz

On Mon, Feb 22, 2021 at 04:57 AM, Josef Holzmayr wrote:

Whats the reasoning behind this? If its meant to be a work-around for
"my custom software totally wants it in that location", then you're
probably better off fixing your custom software to stick to canonical
paths. If its about partitioning schemes, other techniques might
apply. If its about being able to upgrade/modify python independently
from the system, then you probably want some root-in-root or container
build. But randomly picing a complex package that has system-wide
implications and saying "I want it here, screw the FHS" is not a good
idea usually.

Hi all

Is it possible to include a fine in local.conf?

MZ

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

CC: Christian Hermann <mail@...>
Signed-off-by: Ryan Barnett <ryanbarnett3@...>
---
v1 -> v2:
- Leave all target behavior unchanged (suggested by Christian)
---
Makefile | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..fe96d5a 100644
--- a/Makefile
+++ b/Makefile
@@ -27,9 +27,11 @@ mandir ?=3D $(PREFIX)/man
=20
all: $(UTILS) $(MANPAGES)
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
--=20
2.25.1

Howdy!

Am Mo., 22. Feb. 2021 um 13:22 Uhr schrieb <felixn1996@...>:

I'm new to the Yocto Project. It is my first time posting a Yocto related question. If this is the wrong place, I apologize in advance.

No problem, welcome on board!

I need to change the python installation location on my target from /usr/bin and /usr/lib to somewhere under /media.
I have searched around online and tried looking in the recipe: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-devtools/python/python3_3.9.1.bb

Whats the reasoning behind this? If its meant to be a work-around for
"my custom software totally wants it in that location", then you're
probably better off fixing your custom software to stick to canonical
paths. If its about partitioning schemes, other techniques might
apply. If its about being able to upgrade/modify python independently
from the system, then you probably want some root-in-root or container
build. But randomly picing a complex package that has system-wide
implications and saying "I want it here, screw the FHS" is not a good
idea usually.

Greetz

https://twitter.com/TheYoctoJester/status/1358865946790797324

Am Mo., 22. Feb. 2021 um 12:24 Uhr schrieb Robert P. J. Day
<rpjday@...>:

colleague wants a recipe for libbpf:

https://github.com/libbpf/libbpf

would anyone have done that already and is willing to let me steal it?

rday

Remove bbappend since parted 3.4 has removed the enable_selinux
configure option[1].

Fixes:
QA Issue: parted: configure was passed unrecognised options: --enable-selinux [unknown-configure-option]

[1] https://git.savannah.gnu.org/cgit/parted.git/commit/?id=059200d50beb259c54469ae65f2d034af48ff849

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-extended/parted/parted_%.bbappend | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 recipes-extended/parted/parted_%.bbappend

diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/parted/parted_%.bbappend
deleted file mode 100644
index 74e22b3..0000000
--- a/recipes-extended/parted/parted_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
--
2.25.1

Hi all,

This is the full report for yocto-3.2.2.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

No new issues found

Thanks,
Sangeeta

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

Signed-off-by: Ryan Barnett <ryanbarnett3@...>
---
Makefile | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..7b7b8d5 100644
--- a/Makefile
+++ b/Makefile
@@ -25,11 +25,13 @@ mandir ?=3D $(PREFIX)/man
%.1: %
pod2man -r "" -c "opkg-utils Documentation" $< $@
=20
-all: $(UTILS) $(MANPAGES)
+all: install
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
--=20
2.25.1

On 2/20/21 4:18 AM, liu.ming50@... wrote:

From: Ming Liu <liu.ming50@...>

Changes in patch set V2:

1 Split patches as suggested by Dmitry Baryshkov.

Thanks for for the changes.
This series is now being build tested etc.

Many thanks,

- armin

Ming Liu (8):
ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
initramfs-framework-ima: fix a wrong path
ima-evm-keys: add recipe
initramfs-framework-ima: RDEPENDS on ima-evm-keys
meta: refactor IMA/EVM sign rootfs
README.md: update according to the refactoring in
ima-evm-rootfs.bbclass
initramfs-framework-ima: let ima_enabled return 0
ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic

meta-integrity/README.md | 4 ++-
meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
.../initrdscripts/initramfs-framework-ima.bb | 2 +-
.../initrdscripts/initramfs-framework-ima/ima | 3 +-
.../ima-evm-keys/ima-evm-keys_1.0.bb | 16 +++++++++
.../ima-evm-utils/ima-evm-utils_git.bb | 1 +
6 files changed, 38 insertions(+), 21 deletions(-)
create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-security/softHSM/softhsm_2.6.1.bb | 30 -----------------------
1 file changed, 30 deletions(-)
delete mode 100644 recipes-security/softHSM/softhsm_2.6.1.bb

diff --git a/recipes-security/softHSM/softhsm_2.6.1.bb b/recipes-security/softHSM/softhsm_2.6.1.bb
deleted file mode 100644
index 74e837a..0000000
--- a/recipes-security/softHSM/softhsm_2.6.1.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "SoftHSM is an implementation of a cryptographic store accessible through a PKCS #11 interface."
-HOMEPAGE = "www.opendnssec.org"
-
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ef3f77a3507c3d91e75b9f2bdaee4210"
-
-DEPENDS = "sqlite3"
-
-SRC_URI = "https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz"
-SRC_URI[sha256sum] = "61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2"
-
-inherit autotools pkgconfig siteinfo
-
-EXTRA_OECONF += " --with-sqlite3=${STAGING_DIR_HOST}/usr"
-EXTRA_OECONF += "${@oe.utils.conditional('SITEINFO_BITS', '64', ' --enable-64bit', '', d)}"
-
-PACKAGECONFIG ?= "pk11 openssl"
-
-PACKAGECONFIG[npm] = ",--disable-non-paged-memory"
-PACKAGECONFIG[ecc] = "--enable-ecc,--disable-ecc"
-PACKAGECONFIG[gost] = "--enable-gost,--disable-gost"
-PACKAGECONFIG[eddsa] = "--enable-eddsa, --disable-eddsa"
-PACKAGECONFIG[fips] = "--enable-fips, --disable-fips"
-PACKAGECONFIG[notvisable] = "--disable-visibility"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr --with-crypto-backend=openssl, --without-openssl, openssl, openssl"
-PACKAGECONFIG[botan] = "--with-botan=${STAGING_DIR_HOST}/usr --with-crypto-backend=botan, --without-botan, botan"
-PACKAGECONFIG[migrate] = "--with-migrate"
-PACKAGECONFIG[pk11] = "--enable-p11-kit --with-p11-kit==${STAGING_DIR_HOST}/usr, --without-p11-kit, p11-kit, p11-kit"
-
-RDEPENDS_${PN} = "sqlite3"
--
2.17.1

From: Ming Liu <liu.ming50@...>

Or else wic will fail without "--no-fstab-update" option.

Signed-off-by: Ming Liu <liu.ming50@...>
---
meta-integrity/classes/ima-evm-rootfs.bbclass | 3 +++
1 file changed, 3 insertions(+)

diff --git a/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-integri=
ty/classes/ima-evm-rootfs.bbclass
index 4359af0..0acd6e7 100644
--- a/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -28,6 +28,9 @@ IMA_EVM_ROOTFS_HASHED ?=3D ". -depth 0 -false"
# the iversion flags (needed by IMA when allowing writing).
IMA_EVM_ROOTFS_IVERSION ?=3D ""
=20
+# Avoid re-generating fstab when ima is enabled.
+WIC_CREATE_EXTRA_ARGS_append =3D "${@bb.utils.contains('DISTRO_FEATURES'=
, 'ima', ' --no-fstab-update', '', d)}"
+
ima_evm_sign_rootfs () {
cd ${IMAGE_ROOTFS}
=20
--=20
2.29.0

From: Ming Liu <liu.ming50@...>

Otherwise, ima script would not run as intended.

Signed-off-by: Ming Liu <liu.ming50@...>
---
.../recipes-core/initrdscripts/initramfs-framework-ima/ima | 1 +
1 file changed, 1 insertion(+)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framewor=
k-ima/ima b/meta-integrity/recipes-core/initrdscripts/initramfs-framework=
-ima/ima
index 16ed53f..cff26a3 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima/i=
ma
@@ -6,6 +6,7 @@ ima_enabled() {
if [ "$bootparam_no_ima" =3D "true" ]; then
return 1
fi
+ return 0
}
=20
ima_run() {
--=20
2.29.0

From: Ming Liu <liu.ming50@...>

Signed-off-by: Ming Liu <liu.ming50@...>
---
meta-integrity/README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..5048fba 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -73,8 +73,10 @@ Adding the layer only enables IMA (see below regarding=
EVM) during
compilation of the Linux kernel. To also activate it when building
the image, enable image signing in the local.conf like this:
=20
- INHERIT +=3D "ima-evm-rootfs"
+ IMAGE_CLASSES +=3D "ima-evm-rootfs"
IMA_EVM_KEY_DIR =3D "${INTEGRITY_BASE}/data/debug-keys"
+ IMA_EVM_PRIVKEY =3D "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_X509 =3D "${IMA_EVM_KEY_DIR}/x509_ima.der"
=20
This uses the default keys provided in the "data" directory of the layer=
.
Because everyone has access to these private keys, such an image
--=20
2.29.0