dnf error coming while compiling core-image-sato image.

NIKHIL PATIL <nikhilvp29@...>
 

Hi team,
      I am continuously getting a dnf error. How can we resolve this?

      core-image-sato-1.0-r0 do_rootfs: Could not invoke dnf. Command '/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/recipe-sysroot-native/usr/bin/dnf -y -c /data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/rootfs/etc/dnf/dnf.conf --setopt=reposdir=/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/rootfs/etc/yum.repos.d --repofrompath=oe-repo,/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/oe-rootfs-repo --installroot=/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/rootfs --setopt=logdir=/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/temp -x packagegroup-core-apl-extra --nogpgcheck install autoconf-archive dnf gstreamer1.0-vaapi iqvlinux jhi kernel-modules libtcti-device0 libtcti-device-dev libtcti-device-staticdev libtcti-socket0 libtcti-socket-dev libtcti-socket-staticdev libsapi0 libsapi-dev libsapi-staticdev libva mesa-glxinfo libmraa1 nodejs packagegroup-base-extended packagegroup-core-audio-essential packagegroup-core-boot packagegroup-core-buildessential-extended packagegroup-core-graphics-essential packagegroup-core-ssh-dropbear packagegroup-core-tools-testapps packagegroup-core-x11-base packagegroup-core-x11-sato psplash rpm run-postinsts swig tpm2-abrmd usb-modeswitch usb-modeswitch-data va-intel wayland weston weston-examples xinit-env xserver-xorg locale-base-en-us locale-base-en-gb' returned 1:
Added oe-repo repo from /data/pradeep/inti_dmsv/yocto_build/build/tmp/work/intel_corei7_64-poky-linux/core-image-sato/1.0-r0/oe-rootfs-repo


Re: Which dts is being compiled?

Bel Hadj Salem Talel <bhstalel@...>
 

Hi,

The kernel compiles every DTS that exists in the Makefile located alongside the DTS files (arch/arm/boot/dts/Makefile) or (arch/arm64/boot/dts/[VENDOR]/Makefile).

In order to see which device tree is deployed into your image, please see the value of this variable, KERNEL_DEVICETREE:

$ bitbake -e | grep ^KERNEL_DEVICETREE=

You can also specify your machine:

$ bitbake -e | grep ^KERNEL_DEVICETREE_[MACHINE]=

Generally this variable is used in your MACHINE configuration file.

If you want to understand how DTS is used in Yocto, you can take a look at poky/meta/classes/devicetree.bbclass

Best Regards, Talel


Re: Which dts is being compiled?

Zoran
 

Hello David,

Not sure if your question has anything to do with YOCTO (on the contrary,
I think this has nothing to do with it). I see the kernel's .dtb from U-BOOT
messages while booting the system:

debug: [enable_uboot_overlays=1] ...
debug: [enable_uboot_cape_universal=1] ...
debug: [uboot_base_dtb_univ=am335x-boneblack-uboot-univ.dtb] ...
uboot_overlays: [uboot_base_dtb=am335x-boneblack-uboot-univ.dtb] ...
<<======= .dtb used
uboot_overlays: Switching too: dtb=am335x-boneblack-uboot-univ.dtb ...
loading /boot/dtbs/5.7.4-bone10/am335x-boneblack-uboot-univ.dtb ...
<<======= .dtb loaded
210649 bytes read in 183 ms (1.1 MiB/s)
uboot_overlays: [fdt_buffer=0x60000] ...
uboot_overlays: loading /lib/firmware/BB-SPI0-SC16IS740-00A0.dtbo ...
2291 bytes read in 698 ms (2.9 KiB/s)

You can also stop in U-BOOT monitor and issue: printenv, then search
for dtb variables.

In my case it gives me the following:
...
uboot_base_dtb=am335x-boneblack-uboot.dtb <<======= This one is
probably one which U-BOOT uses for its purposes
uboot_base_dtb_univ=am335x-boneblack-uboot-univ.dtb <<======= One used
by the kernel
...

Hope this helps.

Best Regards,
Zoran
_______

On Sun, Oct 18, 2020 at 12:16 AM David Novak <david.novak@...> wrote:

Hi all. I've found the device tree files and I'm fairly certain I know
which one is being used in our image, but I want to be certain.

What process is used by Yocto to determine which top level dts file to
compile?

Thanks,
David






Re: do_fetch error while compiling code

Richard Purdie
 

On Sun, 2020-10-18 at 11:48 +0530, NIKHIL PATIL wrote:
Hi,
We are totally stuck here; if anyone knows, please let us know.

On Sat, Oct 17, 2020 at 3:43 PM NIKHIL PATIL via lists.yoctoproject.org <nikhilvp29=gmail.com@...> wrote:
Hi Team,
We are compiling source code in Yocto, but while compiling we are getting the following error. We are not able to find a solution for this.

ERROR: Task (/data/pradeep/inti_dmsv/yocto_build/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb:do_fetch) failed with exit code '1'
ERROR: libxcursor-1_1.1.15-r0 do_fetch: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; export PATH="/data/pradeep/inti_dmsv/yocto_build/build/tmp/sysroots-uninative/x86_64-linux/usr/bin:/data/pradeep/inti_dmsv/yocto_build/scripts:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot/usr/bin/crossscripts:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/sbin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/bin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/sbin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/bin:/data/pradeep/inti_dmsv/yocto_build/bitbake/bin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/hosttools"; export HOME="/home/pradeep"; /usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate -P /data/pradeep/inti_dmsv/yocto_build/build/downloads 'http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2' --progress=dot -v failed with exit code 4, output:
--2020-10-17 09:20:20-- http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2
Resolving xorg.freedesktop.org (xorg.freedesktop.org)... 131.252.210.176, 2610:10:20:722:a800:ff:feda:470f
Connecting to xorg.freedesktop.org (xorg.freedesktop.org)|131.252.210.176|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.

--2020-10-17 09:20:52-- (try: 2) http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2
Connecting to xorg.freedesktop.org (xorg.freedesktop.org)|131.252.210.176|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Giving up.

ERROR: libxcursor-1_1.1.15-r0 do_fetch: Fetcher failure for URL: 'http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2'. Unable to fetch URL from any source.
ERROR: libxcursor-1_1.1.15-r0 do_fetch: Function failed: base_do_fetch
ERROR: Logfile of failure stored in: /data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/temp/log.do_fetch.19859
ERROR: Task (/data/pradeep/inti_dmsv/yocto_build/meta/recipes-graphics/xorg-lib/libxcursor_1.1.15.bb:do_fetch) failed with exit code '1'


What will be the solution for this?

The fetch error means it can't download the file. The above link:

(http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2)

works for me so it suggests something is wrong with the networking on
the machine you're trying to build on.

Cheers,

Richard


Re: do_fetch error while compiling code

NIKHIL PATIL <nikhilvp29@...>
 

Hi,
    We are totally stuck here; if anyone knows, please let us know.

On Sat, Oct 17, 2020 at 3:43 PM NIKHIL PATIL via lists.yoctoproject.org <nikhilvp29=gmail.com@...> wrote:
Hi Team,
      We are compiling source code in Yocto, but while compiling we are getting the following error. We are not able to find a solution for this.

ERROR: Task (/data/pradeep/inti_dmsv/yocto_build/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb:do_fetch) failed with exit code '1'
ERROR: libxcursor-1_1.1.15-r0 do_fetch: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; export PATH="/data/pradeep/inti_dmsv/yocto_build/build/tmp/sysroots-uninative/x86_64-linux/usr/bin:/data/pradeep/inti_dmsv/yocto_build/scripts:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot/usr/bin/crossscripts:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/sbin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/usr/bin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/sbin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/recipe-sysroot-native/bin:/data/pradeep/inti_dmsv/yocto_build/bitbake/bin:/data/pradeep/inti_dmsv/yocto_build/build/tmp/hosttools"; export HOME="/home/pradeep"; /usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate -P /data/pradeep/inti_dmsv/yocto_build/build/downloads 'http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2' --progress=dot -v failed with exit code 4, output:
--2020-10-17 09:20:20--  http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2
Resolving xorg.freedesktop.org (xorg.freedesktop.org)... 131.252.210.176, 2610:10:20:722:a800:ff:feda:470f
Connecting to xorg.freedesktop.org (xorg.freedesktop.org)|131.252.210.176|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.

--2020-10-17 09:20:52--  (try: 2)  http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2
Connecting to xorg.freedesktop.org (xorg.freedesktop.org)|131.252.210.176|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Giving up.

ERROR: libxcursor-1_1.1.15-r0 do_fetch: Fetcher failure for URL: 'http://xorg.freedesktop.org/releases/individual/lib/libXcursor-1.1.15.tar.bz2'. Unable to fetch URL from any source.
ERROR: libxcursor-1_1.1.15-r0 do_fetch: Function failed: base_do_fetch
ERROR: Logfile of failure stored in: /data/pradeep/inti_dmsv/yocto_build/build/tmp/work/corei7-64-poky-linux/libxcursor/1_1.1.15-r0/temp/log.do_fetch.19859
ERROR: Task (/data/pradeep/inti_dmsv/yocto_build/meta/recipes-graphics/xorg-lib/libxcursor_1.1.15.bb:do_fetch) failed with exit code '1'

     
What will be the solution for this?




Which dts is being compiled?

David Novak <david.novak@...>
 

Hi all. I've found the device tree files and I'm fairly certain I know which one is being used in our image, but I want to be certain.

What process is used by Yocto to determine which top level dts file to compile?

Thanks,
David


[dunfell 32/32] apparmor: fix QA warning with systemd enabled

Armin Kuster
 

ERROR: apparmor-2.13.4-r0 do_package: QA Issue: apparmor: Files/directories were installed but not shipped in any package:
/usr/lib/systemd
/usr/lib/systemd/system
/usr/lib/systemd/system/apparmor.service

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index c1f038f..ba58fc5 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -190,7 +190,7 @@ SYSTEMD_AUTO_ENABLE ?= "enable"

PACKAGES += "mod-${PN}"

-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_${PN} += "/lib/apparmor/ ${systemd_system_unitdir} ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
FILES_mod-${PN} = "${libdir}/apache2/modules/*"

# Add coreutils and findutils only if sysvinit scripts are in use
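
Review bot: The new FILES_${PN} entry claims the whole `${systemd_system_unitdir}` directory, while the QA message in the commit log names only one unshipped file, apparmor.service. Listing `${systemd_system_unitdir}/apparmor.service` would keep this package from picking up any other unit that later lands in that directory. The hunk header shows SYSTEMD_AUTO_ENABLE being set, so it is also worth checking whether SYSTEMD_SERVICE_${PN} names the unit; the commit message does not say why the file was not already being packaged.
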
--
2.17.1


[dunfell 31/32] apparmor: fix issue with older use of shell in make

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/AppArmor/apparmor_2.13.4.bb | 1 +
...-fix-failure-on-older-versions-of-Ma.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index 6ba1ea8..c1f038f 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
file://0001-Makefile.am-suppress-perllocal.pod.patch \
file://run-ptest \
file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
+ file://0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch \
"

SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
diff --git a/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch b/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch
new file mode 100644
index 0000000..a23d889
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-tests-regression-fix-failure-on-older-versions-of-Ma.patch
@@ -0,0 +1,40 @@
+From bf8c4ca570c27cf58e882e03680b40357223e6e7 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@...>
+Date: Wed, 30 Sep 2020 13:36:23 -0700
+Subject: [PATCH] tests regression: fix failure on older versions of Make
+
+Older versions of Make will choke on the # character in the $(shell
+expression, treating it as the beginning of a comment. Resulting in
+the following error
+
+make unterminated call to function 'shell': missing ')'. Stop.
+
+MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/639
+Signed-off-by: John Johansen <john.johansen@...>
+Acked-by: Steve Beattie <steve.beattie@...>
+(cherry picked from commit 8cf3534a5b11643c5913e5eb74e491f2f014d792)
+
+Upstream-Status: Backport
+[Minor fixup]
+Signed-off-by: Armin Kuster <akuster808@...>
+---
+ tests/regression/apparmor/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index c3d0cfb7..1d55547c 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,7 +69,8 @@ endif # USE_SYSTEM
+
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+
+-USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++SYSCTL_INCLUDE="\#include <sys/sysctl.h>"
++USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
+
+
+ SRC=access.c \
+--
+2.17.1
+
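
Review bot: The "[Minor fixup]" tag under `Upstream-Status: Backport` in the embedded patch header does not say what differs from upstream commit 8cf3534a5b11643c5913e5eb74e491f2f014d792, so a later refresh of this backport cannot tell which part is local. Please state the fixup in one line there. The outer commit also has no body; a sentence saying which Make version fails with "unterminated call to function 'shell'" would help anyone deciding whether the patch is still needed on their build host.
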
--
2.17.1


[dunfell 30/32] README: updated branch for Dunfell

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
README | 12 ++++++------
meta-integrity/README.md | 8 ++------
meta-security-compliance/README | 8 ++++----
meta-security-isafw/README.md | 4 ++--
meta-tpm/README | 8 ++++----
5 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/README b/README
index f223fee..19b07c7 100644
--- a/README
+++ b/README
@@ -10,27 +10,27 @@ Dependencies
This layer depends on:

URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

URI: git://git.openembedded.org/meta-openembedded/meta-perl
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

URI: git://git.openembedded.org/meta-openembedded/meta-python
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

URI: git://git.openembedded.org/meta-openembedded/meta-networking
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

@@ -60,7 +60,7 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@...

When sending single patches, please using something like:
-'git send-email -1 --to yocto@... --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@... --subject-prefix=meta-security][dunfell][PATCH'

These values can be set as defaults for this repository:

diff --git a/meta-integrity/README.md b/meta-integrity/README.md
index 4607948..f08a164 100644
--- a/meta-integrity/README.md
+++ b/meta-integrity/README.md
@@ -10,15 +10,11 @@ Dependencies
This layer depends on:

URI: git://git.openembedded.org/bitbake
- branch: master
+ branch: dunfell

URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
-
- URI: git://github.com/01org/meta-security/meta-integrate
- layers: security-framework
- branch: master
+ branch: dunfell


Patches
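
Review bot: The removal of the `git://github.com/01org/meta-security/meta-integrate` dependency block in this hunk is not a branch update and is not mentioned in the commit message, whose subject only covers updating the branch for Dunfell. If the layer no longer depends on security-framework, say so in the log, or split the removal into its own commit so it can be reverted or backported separately.
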
diff --git a/meta-security-compliance/README b/meta-security-compliance/README
index 320f856..86a95fb 100644
--- a/meta-security-compliance/README
+++ b/meta-security-compliance/README
@@ -9,16 +9,16 @@ Dependencies
This layer depends on:

URI: git://git.openembedded.org/bitbake
- branch: master
+ branch: 1.48

URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
+ branch: dunfell

or

URI: git://git.yoctoproject.org/poky
- branch: master
+ branch: dunfell



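
Review bot: The bitbake dependency in this hunk becomes `branch: 1.48`, while the meta-integrity README in this same patch sets bitbake to `branch: dunfell`. Dunfell (Yocto 3.1) pairs with BitBake 1.46; 1.48 is the Gatesgarth series, so a user following this README would check out a BitBake that does not match the dunfell openembedded-core named two lines below. Please make the two READMEs agree on the BitBake branch.
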
@@ -28,7 +28,7 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@...

When sending single patches, please using something like:
-'git send-email -1 --to yocto@... --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@... --subject-prefix=meta-security-compliance][dunfell][PATCH'

Layer Maintainer: Armin Kuster <akuster808@...>

diff --git a/meta-security-isafw/README.md b/meta-security-isafw/README.md
index 16041cb..48db167 100644
--- a/meta-security-isafw/README.md
+++ b/meta-security-isafw/README.md
@@ -78,12 +78,12 @@ Patches
end pull requests, patches, comments or questions to yocto@...

When sending single patches, please using something like:
-'git send-email -1 --to yocto@... --subject-prefix=meta-security-isafw][PATCH'
+'git send-email -1 --to yocto@... --subject-prefix=meta-security-isafw][dunfell][PATCH'

These values can be set as defaults for this repository:

$ git config sendemail.to yocto@...
-$ git config format.subjectPrefix meta-security-isafw][PATCH
+$ git config format.subjectPrefix meta-security-isafw][dunfell][PATCH

Now you can just do 'git send-email origin/master' to send all local patches.

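
Review bot: The context line "Now you can just do 'git send-email origin/master'" still points at master after the subject prefix gains `][dunfell]`, so following the README on this branch would send patches diffed against the wrong ref. Consider changing it to the dunfell remote branch in this hunk. The first context line also reads "end pull requests", which has lost its leading S.
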
diff --git a/meta-tpm/README b/meta-tpm/README
index dd662b3..90e211c 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -9,12 +9,12 @@ Dependencies
This layer depends on:

URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

URI: git://git.openembedded.org/meta-openembedded/meta-oe
- branch: master
+ branch: dunfell
revision: HEAD
prio: default

@@ -41,12 +41,12 @@ Maintenance
Send pull requests, patches, comments or questions to yocto@...

When sending single patches, please using something like:
-'git send-email -1 --to yocto@... --subject-prefix=meta-security][PATCH'
+'git send-email -1 --to yocto@... --subject-prefix=meta-security][dunfell][PATCH'

These values can be set as defaults for this repository:

$ git config sendemail.to yocto@...
-$ git config format.subjectPrefix meta-security][PATCH
+$ git config format.subjectPrefix meta-security][dunfell][PATCH

Now you can just do 'git send-email origin/master' to send all local patches.

--
2.17.1


[dunfell 29/32] ibmswtpm2: fix QA warning

Armin Kuster
 

ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags

Signed-off-by: Armin Kuster <akuster808@...>
---
meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
index 8054226..a892761 100644
--- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
+++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1563.bb
@@ -16,6 +16,8 @@ SRC_URI[sha512sum] = "ff0b9e5f0d0070eb572b23641f7a0e70a8bc65cbf4b59dca1778be3bb0

S = "${WORKDIR}/src"

+INSANE_SKIP_${PN} += "ldflags"
+
do_compile () {
make CC='${CC}'
}
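
Review bot: `INSANE_SKIP_${PN} += "ldflags"` silences the GNU_HASH check instead of fixing its cause, which the commit message itself guesses at ("didn't pass LDFLAGS?"). The do_compile in this hunk only passes `CC='${CC}'` to make, so tpm_server is linked without the distro's LDFLAGS, including any hardening flags carried there. Prefer passing `${LDFLAGS}` through to the link step, and keep the skip only if the upstream makefile cannot accept it, with a comment saying so.
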
@@ -24,4 +26,3 @@ do_install () {
install -d ${D}/${bindir}
install -m 0755 tpm_server ${D}/${bindir}
}
-
--
2.17.1


[dunfell 28/32] layer.conf: use += instead of := to update BBFILES

Armin Kuster
 

From: Sajjad Ahmed <sajjad_ahmed@...>

Updating BBFILES with := isn't the standard way and can break
parsing under certain conditions, instead use += which is widely used.

Signed-off-by: Sajjad Ahmed <sajjad_ahmed@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 63e1cf3ffa26a4e820ec8d882e67e438aa0d23ee)
---
meta-integrity/conf/layer.conf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-integrity/conf/layer.conf b/meta-integrity/conf/layer.conf
index b4edac3..6072e6d 100644
--- a/meta-integrity/conf/layer.conf
+++ b/meta-integrity/conf/layer.conf
@@ -2,8 +2,7 @@
BBPATH =. "${LAYERDIR}:"

# We have a packages directory, add to BBFILES
-BBFILES := "${BBFILES} \
- ${LAYERDIR}/recipes-*/*/*.bb \
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
${LAYERDIR}/recipes-*/*/*.bbappend"

BBFILE_COLLECTIONS += "integrity"
--
2.17.1


[dunfell 27/32] scap-security-guide: add expat-native to DEPENDS

Armin Kuster
 

From: Mingli Yu <mingli.yu@...>

Add expat-native to DEPENDS to fix the below do_configure error:
| CMake Error at CMakeLists.txt:165 (message):
| xmlwf is required!

Signed-off-by: Mingli Yu <mingli.yu@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 4c2f7ffd492c7083273aca7cc718802279f05ce2)
---
.../scap-security-guide/scap-security-guide.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 66c2623..32fce0f 100644
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
LICENSE = "LGPL-2.1"

-DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native"
+DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native expat-native"

S = "${WORKDIR}/git"

--
2.17.1


[dunfell 26/32] packagegroup-core-security: remove clamav from musl image

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 496a734c14fc72250979a4e7eb69c5d541ffd870)
---
recipes-security/packagegroup/packagegroup-core-security.bb | 1 +
1 file changed, 1 insertion(+)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 72ca0f4..fd6da9e 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -39,6 +39,7 @@ RDEPENDS_packagegroup-security-scanners = "\
checksecurity \
${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam clamav-cvd",d)} \
"
+RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam clamav-cvd"

SUMMARY_packagegroup-security-audit = "Security Audit tools "
RDEPENDS_packagegroup-security-audit = " \
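
Review bot: The added `RDEPENDS_packagegroup-security-scanners_remove_libc-musl` line has no comment and the commit has no body, so nothing records why clamav is dropped on musl. A `_remove` also cannot be undone from a bbappend, unlike the inline `bb.utils.contains_any("TUNE_FEATURES", ...)` guard two lines above it. Consider handling musl with the same kind of inline conditional, or add a comment naming the build failure that motivated the removal.
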
--
2.17.1


[dunfell 25/32] apparmor: fix build issue with ptest enabled.

Armin Kuster
 

minor spacing cleanup

Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 2a7963df18e7f43c6209387b6e1a1e75ff74b6ca)
---
recipes-mac/AppArmor/apparmor_2.13.4.bb | 181 +++++++++---------
...-Don-t-build-syscall_sysctl-if-missi.patch | 96 ++++++++++
2 files changed, 186 insertions(+), 91 deletions(-)
create mode 100644 recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index dcdc1f7..6ba1ea8 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -14,16 +14,17 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
DEPENDS = "bison-native apr gettext-native coreutils-native"

SRC_URI = " \
- git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
- file://disable_perl_h_check.patch \
- file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
- file://0001-Makefile.am-suppress-perllocal.pod.patch \
- file://run-ptest \
- "
+ git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
+ file://disable_perl_h_check.patch \
+ file://crosscompile_perl_bindings.patch \
+ file://apparmor.rc \
+ file://functions \
+ file://apparmor \
+ file://apparmor.service \
+ file://0001-Makefile.am-suppress-perllocal.pod.patch \
+ file://run-ptest \
+ file://0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch \
+ "

SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
S = "${WORKDIR}/git"
@@ -54,76 +55,76 @@ python() {
DISABLE_STATIC = ""

do_configure() {
- cd ${S}/libraries/libapparmor
- aclocal
- autoconf --force
- libtoolize --automake -c --force
- automake -ac
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+ cd ${S}/libraries/libapparmor
+ aclocal
+ autoconf --force
+ libtoolize --automake -c --force
+ automake -ac
+ ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}

do_compile () {
- # Fixes:
- # | sed -ie 's///g' Makefile.perl
- # | sed: -e expression #1, char 0: no previous regular expression
- #| Makefile:478: recipe for target 'Makefile.perl' failed
- sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
- oe_runmake -C ${B}/libraries/libapparmor
- oe_runmake -C ${B}/binutils
- oe_runmake -C ${B}/utils
- oe_runmake -C ${B}/parser
- oe_runmake -C ${B}/profiles
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor
- fi
+ # Fixes:
+ # | sed -ie 's///g' Makefile.perl
+ # | sed: -e expression #1, char 0: no previous regular expression
+ #| Makefile:478: recipe for target 'Makefile.perl' failed
+ sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+
+
+ oe_runmake -C ${B}/libraries/libapparmor
+ oe_runmake -C ${B}/binutils
+ oe_runmake -C ${B}/utils
+ oe_runmake -C ${B}/parser
+ oe_runmake -C ${B}/profiles
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor
+ fi
}

do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
- oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
- oe_runmake -C ${B}/binutils DESTDIR="${D}" install
- oe_runmake -C ${B}/utils DESTDIR="${D}" install
- oe_runmake -C ${B}/parser DESTDIR="${D}" install
- oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
- # If perl is disabled this script won't be any good
- if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-notify
- fi
-
- if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
- rm -f ${D}${sbindir}/aa-decode
- fi
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
- fi
-
- # aa-easyprof is installed by python-tools-setup.py, fix it up
- sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
- chmod 0755 ${D}${bindir}/aa-easyprof
-
- install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install ${WORKDIR}/functions ${D}/lib/apparmor
- sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
- sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
-
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- install -d ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
- fi
+ install -d ${D}/${INIT_D_DIR}
+ install -d ${D}/lib/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+ oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+ oe_runmake -C ${B}/utils DESTDIR="${D}" install
+ oe_runmake -C ${B}/parser DESTDIR="${D}" install
+ oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+ # If perl is disabled this script won't be any good
+ if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-notify
+ fi
+
+ if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+ rm -f ${D}${sbindir}/aa-decode
+ fi
+
+ if test -z "${HTTPD}" ; then
+ oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+ fi
+
+ if test -z "${PAMLIB}" ; then
+ oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+ fi
+
+ # aa-easyprof is installed by python-tools-setup.py, fix it up
+ sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+ chmod 0755 ${D}${bindir}/aa-easyprof
+
+ install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+ install ${WORKDIR}/functions ${D}/lib/apparmor
+ sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
+ sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions
+
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ fi
}

#Building ptest on arm fails.
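
Review bot: Every line of do_configure, do_compile and do_install is rewritten in this hunk for what the commit message calls a minor spacing cleanup, in the same commit as the ptest build fix. Please split the whitespace change into its own commit: as it stands the functional change is hard to find among the re-indented lines, and `git blame` on these functions will point at this backport.
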
@@ -136,30 +137,28 @@ do_compile_ptest_arm () {
}

do_compile_ptest () {
- oe_runmake -C ${B}/tests/regression/apparmor
- oe_runmake -C ${B}/parser/tst
- oe_runmake -C ${B}/libraries/libapparmor
+ sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+ oe_runmake -C ${B}/tests/regression/apparmor
+ oe_runmake -C ${B}/libraries/libapparmor
}

do_install_ptest () {
- t=${D}/${PTEST_PATH}/testsuite
- install -d ${t}
- install -d ${t}/tests/regression/apparmor
- cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+ t=${D}/${PTEST_PATH}/testsuite
+ install -d ${t}
+ install -d ${t}/tests/regression/apparmor
+ cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression

- install -d ${t}/parser/tst
- cp -rf ${B}/parser/tst ${t}/parser
- cp ${B}/parser/apparmor_parser ${t}/parser
- cp ${B}/parser/frob_slack_rc ${t}/parser
+ cp ${B}/parser/apparmor_parser ${t}/parser
+ cp ${B}/parser/frob_slack_rc ${t}/parser

- install -d ${t}/libraries/libapparmor
- cp -rf ${B}/libraries/libapparmor ${t}/libraries
+ install -d ${t}/libraries/libapparmor
+ cp -rf ${B}/libraries/libapparmor ${t}/libraries

- install -d ${t}/common
- cp -rf ${B}/common ${t}
+ install -d ${t}/common
+ cp -rf ${B}/common ${t}

- install -d ${t}/binutils
- cp -rf ${B}/binutils ${t}
+ install -d ${t}/binutils
+ cp -rf ${B}/binutils ${t}
}

#Building ptest on arm fails.
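
Review bot: In do_install_ptest, `install -d ${t}/parser/tst` is removed but the two `cp ... ${t}/parser` lines stay, and nothing else in the function creates `${t}/parser`. With no directory there, the first cp writes apparmor_parser to a regular file named parser and the second overwrites it with frob_slack_rc. Add `install -d ${t}/parser` before them. Separately, the new sed in do_compile_ptest turns `cpp -dM` into `${HOST_PREFIX}gcc -dM`; the Makefile pipes the include line on stdin and the gcc driver does not read stdin unless given `-E -`, so please check that the USE_SYSCTL probe can still succeed after the substitution.
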
diff --git a/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
new file mode 100644
index 0000000..3cd1e88
--- /dev/null
+++ b/recipes-mac/AppArmor/files/0001-regression-tests-Don-t-build-syscall_sysctl-if-missi.patch
@@ -0,0 +1,96 @@
+From 7a7c7fb346ded6f017c8df44486778a5f032d41a Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@...>
+Date: Tue, 29 Sep 2020 03:05:22 -0700
+Subject: [PATCH] regression tests: Don't build syscall_sysctl if missing
+ kernel headers
+
+sys/sysctl.h is not guaranteed to exist anymore since
+https://sourceware.org/pipermail/glibc-cvs/2020q2/069366.html
+
+which is a follow on to the kernel commit
+61a47c1ad3a4 sysctl: Remove the sysctl system call
+
+While the syscall_sysctl currently checks if the kernel supports
+sysctrs before running the tests. The tests can't even build if the
+kernel headers don't have the sysctl defines.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/119
+Fixes: https://bugs.launchpad.net/apparmor/+bug/1897288
+MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/637
+Signed-off-by: John Johansen <john.johansen@...>
+Acked-by: Steve Beattie <steve.beattie@...>
+(cherry picked from commit 2e5a266eb715fc7e526520235a6450444775791f)
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@...>
+
+---
+ tests/regression/apparmor/Makefile | 10 +++++++++-
+ tests/regression/apparmor/syscall_sysctl.sh | 15 +++++++++++----
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
+index 198ca421..c3d0cfb7 100644
+--- a/tests/regression/apparmor/Makefile
++++ b/tests/regression/apparmor/Makefile
+@@ -69,6 +69,9 @@ endif # USE_SYSTEM
+
+ CFLAGS += -g -O0 -Wall -Wstrict-prototypes
+
++USE_SYSCTL:=$(shell echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null && echo true)
++
++
+ SRC=access.c \
+ at_secure.c \
+ introspect.c \
+@@ -130,7 +133,6 @@ SRC=access.c \
+ syscall_sethostname.c \
+ syscall_setdomainname.c \
+ syscall_setscheduler.c \
+- syscall_sysctl.c \
+ sysctl_proc.c \
+ tcp.c \
+ transition.c \
+@@ -146,6 +148,12 @@ ifneq (,$(findstring $(shell uname -i),i386 i486 i586 i686 x86 x86_64))
+ SRC+=syscall_ioperm.c syscall_iopl.c
+ endif
+
++#only do sysctl syscall test if defines installed and OR supported by the
++# kernel
++ifeq ($(USE_SYSCTL),true)
++SRC+=syscall_sysctl.c
++endif
++
+ #only do dbus if proper libs are installl
+ ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
+ SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c
+diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh
+index f93946f3..5f856984 100644
+--- a/tests/regression/apparmor/syscall_sysctl.sh
++++ b/tests/regression/apparmor/syscall_sysctl.sh
+@@ -148,11 +148,18 @@ test_sysctl_proc()
+ # check if the kernel supports CONFIG_SYSCTL_SYSCALL
+ # generally we want to encourage kernels to disable it, but if it's
+ # enabled we want to test against it
+-settest syscall_sysctl
+-if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
+- echo " WARNING: syscall sysctl not implemented, skipping tests ..."
++# In addition test that sysctl exists in the kernel headers, if it does't
++# then we can't even built the syscall_sysctl test
++if echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then
++ settest syscall_sysctl
++
++ if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then
++ echo " WARNING: syscall sysctl not implemented, skipping tests ..."
++ else
++ test_syscall_sysctl
++ fi
+ else
+- test_syscall_sysctl
++ echo " WARNING: syscall sysctl not supported by kernel headers, skipping tests ..."
+ fi
+
+ # now test /proc/sys/ paths
+--
+2.17.1
+
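Review bot: The header probe added to syscall_sysctl.sh (`if echo "#include <sys/sysctl.h>" | cpp -dM >/dev/null 2>/dev/null ; then`) runs on the target at test time, so it depends on cpp and the libc headers being present in the ptest image. Where they are missing, the script prints "not supported by kernel headers" and skips the test even if the syscall_sysctl binary was built. Gating on the presence of the built test binary, or adding the runtime dependency to the ptest package, would avoid a silent skip. The bare `cpp` in the Makefile's USE_SYSCTL line also probes the build host's headers in a cross build, which the recipe then has to patch with sed; a note in this patch header about that coupling would help the next backport.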
--
2.17.1


[dunfell 24/32] linux-%/5.x: Add dm-verity fragment as needed

Armin Kuster
 

From: Naveen Saini <naveen.kumar.saini@...>

Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit d9feafe991cdf4084746c41438526dbf0b5dc2c8)
---
recipes-kernel/linux/linux-%_5.%.bbappend | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-kernel/linux/linux-%_5.%.bbappend b/recipes-kernel/linux/linux-%_5.%.bbappend
index 76b5df5..6bc40cd 100644
--- a/recipes-kernel/linux/linux-%_5.%.bbappend
+++ b/recipes-kernel/linux/linux-%_5.%.bbappend
@@ -1,4 +1,4 @@
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "yama", " features/yama/yama.scc", "" ,d)}"
-
+KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
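Review bot: The added KERNEL_FEATURES_append line keys on IMAGE_CLASSES, which the kernel recipe only sees when it is set in global configuration; the three lines above it key on DISTRO_FEATURES, which is always global. If dm-verity-img is inherited from an image recipe instead, this expression evaluates to the empty string, the kernel is built without features/device-mapper/dm-verity.scc, and the problem surfaces at boot rather than at build time. Document next to the line that IMAGE_CLASSES must be set globally, or add a build-time check for the missing fragment.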
--
2.17.1


[dunfell 23/32] wic: add wks.in for intel dm-verity

Armin Kuster
 

From: Naveen Saini <naveen.kumar.saini@...>

Based on systemd-bootdisk-microcode.wks.in, this adds
the dm-verity image similar to the beaglebone wks
already in meta-security.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 0de4f3bfb7fffe8d91026f00ce7f9384e13dfc54)
---
wic/systemd-bootdisk-dmverity.wks.in | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 wic/systemd-bootdisk-dmverity.wks.in

diff --git a/wic/systemd-bootdisk-dmverity.wks.in b/wic/systemd-bootdisk-dmverity.wks.in
new file mode 100644
index 0000000..ef114ca
--- /dev/null
+++ b/wic/systemd-bootdisk-dmverity.wks.in
@@ -0,0 +1,15 @@
+# A dm-verity variant of the regular wks for IA machines. We need to fetch
+# the partition images from the IMGDEPLOYDIR as the rootfs source plugin will
+# not recreate the exact block device corresponding with the hash tree. We must
+# not alter the label or any other setting on the image.
+# Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
+#
+# This .wks only works with the dm-verity-img class.
+
+part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
+
+part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+
+part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid
+
+bootloader --ptable gpt --timeout=5 --append=" "
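Review bot: The `part swap` line puts a writable, unverified partition beside the dm-verity rootfs, and the header comment says the rootfs image must not be altered, so it is unclear how the image would ever reference this swap. Either drop the swap partition or say in the comment block how it is activated and why unauthenticated swap is acceptable in a verified-boot layout. `--label msdos` on the /boot line and `--ondisk sda` on all three part lines also look inherited from the file this was based on; a short comment on whether they are intentional would help.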
--
2.17.1


[dunfell 22/32] initramfs-framework/dmverity: add retry loop for slow boot devices

Armin Kuster
 

From: Naveen Saini <naveen.kumar.saini@...>

Detection of USB devices by the kernel is slow enough. We need to
keep trying for a while (default: 5 seconds, controlled by roottimeout=<seconds>)
and sleep between each attempt (default: one second, rootdelay=<seconds>).

Fix is based on https://git.yoctoproject.org/cgit.cgi/poky/commit/meta/recipes-core/initrdscripts/initramfs-framework/rootfs?id=ee6a6c3461694ce09789bf4d852cea2e22fc95e4

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit e23767fc72040cc58e638b08925ab467221c91f9)
---
.../initramfs-framework/dmverity | 64 +++++++++++--------
1 file changed, 37 insertions(+), 27 deletions(-)

diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity
index bb07aab..888052c 100644
--- a/recipes-core/initrdscripts/initramfs-framework/dmverity
+++ b/recipes-core/initrdscripts/initramfs-framework/dmverity
@@ -10,33 +10,43 @@ dmverity_run() {

. /usr/share/misc/dm-verity.env

- case "${bootparam_root}" in
- ID=*)
- RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
- ;;
- LABEL=*)
- RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
- ;;
- PARTLABEL=*)
- RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
- ;;
- PARTUUID=*)
- RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
- ;;
- PATH=*)
- RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
- ;;
- UUID=*)
- RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
- ;;
- *)
- RDEV="${bootparam_root}"
- esac
-
- if ! [ -b "${RDEV}" ]; then
- echo "Root device resolution failed"
- exit 1
- fi
+ C=0
+ delay=${bootparam_rootdelay:-1}
+ timeout=${bootparam_roottimeout:-5}
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ while [ ! -b "${RDEV}" ]; do
+ if [ $(( $C * $delay )) -gt $timeout ]; then
+ fatal "Root device resolution failed"
+ exit 1
+ fi
+
+ case "${bootparam_root}" in
+ ID=*)
+ RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})"
+ ;;
+ LABEL=*)
+ RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})"
+ ;;
+ PARTLABEL=*)
+ RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})"
+ ;;
+ PARTUUID=*)
+ RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"
+ ;;
+ PATH=*)
+ RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})"
+ ;;
+ UUID=*)
+ RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})"
+ ;;
+ *)
+ RDEV="${bootparam_root}"
+ esac
+ debug "Sleeping for $delay second(s) to wait root to settle..."
+ sleep $delay
+ C=$(( $C + 1 ))
+
+ done

veritysetup \
--data-block-size=1024 \
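Review bot: The assignment ahead of the loop, `RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})"`, assumes root=PARTUUID=...; for ID=, LABEL=, UUID= or a plain device path it resolves a meaningless name, so those forms always enter the loop and pay at least one `sleep $delay` even when the device is already present. Run the case statement before the first `-b` test and sleep only when the result is still not a block device. `delay` and `timeout` also go straight from the kernel command line into `$(( $C * $delay ))`; check that both are non-negative integers before using them. With `-gt`, the defaults wait six seconds rather than the five that roottimeout states.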
--
2.17.1


[dunfell 21/32] apparmor: exclude mips64, not supported

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit f176756890766bc9a6a00fe83bfe8e3c9bc13d07)
---
recipes-mac/AppArmor/apparmor_2.13.4.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.4.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
index 552cac7..dcdc1f7 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -30,6 +30,8 @@ S = "${WORKDIR}/git"

PARALLEL_MAKE = ""

+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
REQUIRED_DISTRO_FEATURES = "apparmor"

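Review bot: `COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"` excludes mips64 only because the pattern can never match a machine name: `!` is a literal character here, not a negative lookahead (that would be written `(?!...)`). Add a one-line comment above it stating that the value is a deliberate never-match and why AppArmor is unsupported on mips64; the commit message gives no reason and the line otherwise reads like a broken regex.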
--
2.17.1


[dunfell 20/32] packagegroup-core-security: dont include suricata on riscv or ppc

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit caf76696e8669ee48339c13f01042da9e52515ae)
---
recipes-security/packagegroup/packagegroup-core-security.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
index 539ea2a..72ca0f4 100644
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -55,7 +55,7 @@ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
RDEPENDS_packagegroup-security-ids = " \
tripwire \
samhain-standalone \
- suricata \
+ ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \
"

SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
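Review bot: The subject says riscv or ppc, but the replacement line tests TUNE_FEATURES for `ppc7400 riscv32 riscv64` only, so any other PowerPC tune still pulls in suricata. If the problem is architecture-wide, match on the architecture rather than a single tune; if it really is specific to ppc7400, say so in a comment. The change also drops the IDS from packagegroup-security-ids silently on the affected targets, so a comment in the recipe naming the reason would help anyone auditing what the image actually ships.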
--
2.17.1


[dunfell 19/32] beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

Armin Kuster
 

From: "niko.mauno@..." <niko.mauno@...>

Since dm-verity-image.bbclass effectively injects

<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE>

dependency for do_image_wic task, we can change verity rootfs artifact
reference here from DEPLOY_DIR_IMAGE to IMGDEPLOYDIR in order to
mitigate the following breakage, which was observed when bitbaking
<DM_VERITY_IMAGE> target from scratch (using sstate-cache provided
artifacts):

| wic.filemap.Error: cannot open image file '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity': [Errno 2] No such file or directory: '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity'
| WARNING: exit code 1 from a shell command.
|
ERROR: Task (.../meta/recipes-core/images/core-image-minimal.bb:do_image_wic) failed with exit code '1'

Signed-off-by: Niko Mauno <niko.mauno@...>
Signed-off-by: Armin Kuster <akuster808@...>
(cherry picked from commit 4602d6420835a603fde6f3f25a87b19cbf721ed6)
---
wic/beaglebone-yocto-verity.wks.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in
index cd1702e..658018b 100644
--- a/wic/beaglebone-yocto-verity.wks.in
+++ b/wic/beaglebone-yocto-verity.wks.in
@@ -11,5 +11,5 @@
# This .wks only works with the dm-verity-img class.

part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
bootloader --append="console=ttyS0,115200"
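Review bot: `${IMGDEPLOYDIR}` on the changed `part /` line is private to the recipe that runs do_image_wic, so the .verity file is only found there when that recipe is also DM_VERITY_IMAGE. The commit message describes the dependency as `<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE>`, which reads as if the two could be different recipes; if that case is supported, this path will not resolve. State the constraint in the comment header of the .wks.in, next to "This .wks only works with the dm-verity-img class."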
--
2.17.1
