vwdial
Zoltan Kerenyi Nagy
Hi,

First of all, thank you for accepting me to this mailing list.

I got a Barix ipam400 OEM board, and now I've found myself in the situation that vwdial would not compile. The error message is this when bitBake:

ERROR: Nothing RPROVIDES 'vwdial' (but /home/kerenyiz/oe-core/build/../stuff/meta-barix-sdk/recipes-core/images/core-image-barix-sdk.bb RDEPENDS on or otherwise requires it)
NOTE: Runtime target 'vwdial' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['vwdial']
ERROR: Required build target 'core-image-barix-sdk' has no buildable providers.
Missing or unbuildable dependency chain was: ['core-image-barix-sdk', 'vwdial']

I've visited openembedded and downloaded the latest (1.6) bb recipe and patch file, but I can't figure out what's wrong. Definitely the bb recipe file is there. Do you have any idea how to proceed?

Thanks
Zolee
|
|
It's looking for tools in sdk dir, which is normal. I wonder if your apps cmake files should be using CC or CLANGCC to do linking.

On Wed, Sep 9, 2020 at 8:58 AM Monsees, Steven C (US) via lists.yoctoproject.org <steven.monsees=baesystems.com@...> wrote:
|
|
Re: [meta-security][PATCH 0/6] Some small dm-verity improvements
niko.mauno@vaisala.com
On 7.9.2020 20.35, Bartosz Golaszewski wrote:
Hi Niko,

Thanks Bartosz, I sent a v2 series based on your feedback about BeagleBone Black.

-Niko
|
|
[meta-security][PATCH v2 12/12] beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR
niko.mauno@vaisala.com
Since dm-verity-image.bbclass effectively injects
<DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> dependency for do_image_wic task, we can change verity rootfs artifact reference here from DEPLOY_DIR_IMAGE to IMGDEPLOYDIR in order to mitigate following breakage which was observed when bitbaking <DM_VERITY_IMAGE> target from scratch (using sstate-cache provided artifacts): | wic.filemap.Error: cannot open image file '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity': [Errno 2] No such file or directory: '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity' | WARNING: exit code 1 from a shell command. | ERROR: Task (.../meta/recipes-core/images/core-image-minimal.bb:do_image_wic) failed with exit code '1' Signed-off-by: Niko Mauno <niko.mauno@...> --- wic/beaglebone-yocto-verity.wks.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wic/beaglebone-yocto-verity.wks.in b/wic/beaglebone-yocto-verity.wks.in index cd1702e1..658018ba 100644 --- a/wic/beaglebone-yocto-verity.wks.in +++ b/wic/beaglebone-yocto-verity.wks.in @@ -11,5 +11,5 @@ # This .wks only works with the dm-verity-img class. part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid -part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" +part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" bootloader --append="console=ttyS0,115200" -- 2.20.1
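Review bot: In the 'part /' line, IMGDEPLOYDIR is specific to the recipe whose do_image_wic is running, so the file= path now resolves only when this .wks is consumed by the DM_VERITY_IMAGE recipe itself, whereas DEPLOY_DIR_IMAGE was shared by all images. The comment above the part lines ('This .wks only works with the dm-verity-img class.') should state that restriction too, so that pointing WKS_FILES at this file from a different image is explained rather than ending in the same 'cannot open image file' error.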
|
|
[meta-security][PATCH v2 11/12] dm-verity-image-initramfs: Drop locales from image
niko.mauno@vaisala.com
Since IMAGE_LINGUAS defaults to 'en-us en-gb' and since localization is
not needed on this type of purpose-specific initramfs image, reset the variable which helps by shaving off almost 700kB from resulting bundled zImage-initramfs artifact. Signed-off-by: Niko Mauno <niko.mauno@...> --- recipes-core/images/dm-verity-image-initramfs.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index 05ab10c8..187aeaee 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -16,6 +16,7 @@ PACKAGE_INSTALL = " \ # We want a clean, minimal image. IMAGE_FEATURES = "" +IMAGE_LINGUAS = "" # Can we somehow inspect reverse dependencies to avoid these variables? do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" -- 2.20.1
|
|
[meta-security][PATCH v2 10/12] dm-verity-image-initramfs: Add base-passwd package
niko.mauno@vaisala.com
This removes following boot-time complaints from udevd regarding
missing group declarations: [ 6.624454] udevd[163]: specified group 'tty' unknown [ 6.625340] udevd[163]: specified group 'dialout' unknown [ 6.625692] udevd[163]: specified group 'kmem' unknown [ 6.626022] udevd[163]: specified group 'input' unknown [ 6.626541] udevd[163]: specified group 'video' unknown [ 6.626977] udevd[163]: specified group 'audio' unknown [ 6.627532] udevd[163]: specified group 'lp' unknown [ 6.628187] udevd[163]: specified group 'disk' unknown [ 6.628558] udevd[163]: specified group 'cdrom' unknown Size impact of this change on resulting bundled zImage-initramfs artifact is less than +1kB which is neglible. Signed-off-by: Niko Mauno <niko.mauno@...> --- recipes-core/images/dm-verity-image-initramfs.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index 0fdb46c5..05ab10c8 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -4,6 +4,7 @@ inherit core-image PACKAGE_INSTALL = " \ base-files \ + base-passwd \ busybox \ cryptsetup \ initramfs-module-dmverity \ -- 2.20.1
|
|
[meta-security][PATCH v2 09/12] dm-verity-initramfs-image: Cosmetic improvements
niko.mauno@vaisala.com
- revise declaration ordering as suggested by oe-stylize.py
- sort PACKAGE_INSTALL entries in alphabetic order - split long command line in deploy_verity_hash() Signed-off-by: Niko Mauno <niko.mauno@...> --- .../images/dm-verity-image-initramfs.bb | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index 6a1058dc..0fdb46c5 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -1,19 +1,21 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper." -# We want a clean, minimal image. -IMAGE_FEATURES = "" +inherit core-image PACKAGE_INSTALL = " \ - initramfs-module-dmverity \ - initramfs-module-udev \ base-files \ busybox \ - util-linux-mount \ - udev \ cryptsetup \ + initramfs-module-dmverity \ + initramfs-module-udev \ lvm2-udevrules \ + udev \ + util-linux-mount \ " +# We want a clean, minimal image. +IMAGE_FEATURES = "" + # Can we somehow inspect reverse dependencies to avoid these variables? do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" @@ -22,9 +24,9 @@ do_image[nostamp] = "1" IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" -inherit core-image - deploy_verity_hash() { - install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env + install -D -m 0644 \ + ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \ + ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" -- 2.20.1
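Review bot: The first hunk is presented as cosmetic, but it moves 'inherit core-image' from below IMAGE_FSTYPES to above PACKAGE_INSTALL and IMAGE_FEATURES, and in BitBake the position of an inherit relative to '=' assignments can change the final value when the class touches the same variables with '?=' or '+='. Please say in the commit message that PACKAGE_INSTALL, IMAGE_FEATURES and IMAGE_FSTYPES were compared before and after (for example with bitbake -e), or put the inherit move in its own commit so a bisect can land on it.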
|
|
[meta-security][PATCH v2 08/12] dm-verity-image-initramfs: Use initramfs-framework
niko.mauno@vaisala.com
Switch from this layer's initramfs-dm-verity recipe to poky-provided
initramfs-framework suite to manage veritysetup et al. This commit also removes initramfs-dm-verity recipe which is not referred from elsewhere in this meta layer. Also update the install path of dm-verity.env from /usr/share to /usr/share/misc in order to better comply with FHS3.0, see https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html#usrsharemiscMiscellaneousArchitecture Signed-off-by: Niko Mauno <niko.mauno@...> --- .../images/dm-verity-image-initramfs.bb | 5 +- .../initrdscripts/initramfs-dm-verity.bb | 13 ------ .../initramfs-dm-verity/init-dm-verity.sh | 46 ------------------- 3 files changed, 3 insertions(+), 61 deletions(-) delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index e791c19a..6a1058dc 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -4,7 +4,8 @@ DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity de IMAGE_FEATURES = "" PACKAGE_INSTALL = " \ - initramfs-dm-verity \ + initramfs-module-dmverity \ + initramfs-module-udev \ base-files \ busybox \ util-linux-mount \ @@ -24,6 +25,6 @@ IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" inherit core-image deploy_verity_hash() { - install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/dm-verity.env + install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env } IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" diff --git a/recipes-core/initrdscripts/initramfs-dm-verity.bb b/recipes-core/initrdscripts/initramfs-dm-verity.bb deleted file mode 100644 index b6149565..00000000 --- a/recipes-core/initrdscripts/initramfs-dm-verity.bb +++ /dev/null 
@@ -1,13 +0,0 @@ -SUMMARY = "Simple init script that uses devmapper to mount the rootfs in read-only mode protected by dm-verity" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" - -SRC_URI = "file://init-dm-verity.sh" - -do_install() { - install -m 0755 ${WORKDIR}/init-dm-verity.sh ${D}/init - install -d ${D}/dev - mknod -m 622 ${D}/dev/console c 5 1 -} - -FILES_${PN} = "/init /dev/console" diff --git a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh b/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh deleted file mode 100644 index 307d2c74..00000000 --- a/recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -PATH=/sbin:/bin:/usr/sbin:/usr/bin -RDEV="" -ROOT_DIR="/new_root" - -mkdir -p /proc -mkdir -p /sys -mkdir -p /run -mkdir -p /tmp -mount -t proc proc /proc -mount -t sysfs sysfs /sys -mount -t devtmpfs none /dev - -udevd --daemon -udevadm trigger --type=subsystems --action=add -udevadm trigger --type=devices --action=add -udevadm settle --timeout=10 - -for PARAM in $(cat /proc/cmdline); do - case $PARAM in - root=*) - RDEV=${PARAM#root=} - ;; - esac -done - -if ! [ -b $RDEV ]; then - echo "Missing root command line argument!" - exit 1 -fi - -case $RDEV in - UUID=*) - RDEV=$(realpath /dev/disk/by-uuid/${RDEV#UUID=}) - ;; -esac - -. /usr/share/dm-verity.env - -echo "Mounting $RDEV over dm-verity as the root filesystem" - -veritysetup --data-block-size=1024 --hash-offset=$DATA_SIZE create rootfs $RDEV $RDEV $ROOT_HASH -mkdir -p $ROOT_DIR -mount -o ro /dev/mapper/rootfs $ROOT_DIR -exec switch_root $ROOT_DIR /sbin/init -- 2.20.1
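Review bot: deploy_verity_hash() now installs to ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env, while the consumer added in 07/12 sources the literal path /usr/share/misc/dm-verity.env, so producer and consumer agree only while datadir is /usr/share. Either derive both from one place or add a comment in the recipe naming the script that depends on this path. The deleted initramfs-dm-verity recipe also shipped /init and /dev/console (FILES_${PN}); the commit message should say which package in the new PACKAGE_INSTALL provides them now.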
|
|
[meta-security][PATCH v2 06/12] dm-verity-img.bbclass: Stage verity.env file
niko.mauno@vaisala.com
Introduce new STAGING_VERITY_DIR variable specific to this bbclass which
defines the directory where the verity.env file is stored during <DM_VERITY_IMAGE>:do_image_<DM_VERITY_IMAGE_TYPE> task and can consequtively be picked up into associated initramfs rootfs (which facilitates executing 'veritysetup' and related actions). By doing this we mitigate failures that were thus far associated to this facility, such as install: cannot stat '.../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.ext4.verity.env': No such file or directory and install: cannot stat '.../build/tmp/deploy/images/beaglebone-yocto/core-image-minimal-beaglebone-yocto.ext4.verity.env': No such file or directory Signed-off-by: Niko Mauno <niko.mauno@...> --- classes/dm-verity-img.bbclass | 10 +++++++--- recipes-core/images/dm-verity-image-initramfs.bb | 2 +- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 6ad0f75f..16d395b5 100644 --- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass @@ -18,12 +18,18 @@ # The resulting image can then be used to implement the device mapper block # integrity checking on the target device. +# Define the location where the DM_VERITY_IMAGE specific dm-verity root hash +# is stored where it can be installed into associated initramfs rootfs. +STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity" + # Process the output from veritysetup and generate the corresponding .env # file. The output from veritysetup is not very machine-friendly so we need to # convert it to some better format. Let's drop the first line (doesn't contain # any useful info) and feed the rest to a script. process_verity() { - local ENV="$OUTPUT.env" + local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env" + install -d ${STAGING_VERITY_DIR} + rm -f $ENV # Each line contains a key and a value string delimited by ':'. Read the # two parts into separate variables and process them separately. For the 
@@ -39,8 +45,6 @@ process_verity() { # Add partition size echo "DATA_SIZE=$SIZE" >> $ENV - - ln -sf $ENV ${IMAGE_BASENAME}-${MACHINE}.$TYPE.verity.env } verity_setup() { diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index 8dd8543c..e791c19a 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -24,6 +24,6 @@ IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" inherit core-image deploy_verity_hash() { - install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env + install -D -m 0644 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}${datadir}/dm-verity.env } IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" -- 2.20.1
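Review bot: In process_verity() the file is written as ${IMAGE_BASENAME}.$TYPE.verity.env, but deploy_verity_hash() reads ${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env, so the hand-over works only while IMAGE_BASENAME equals the recipe name held in DM_VERITY_IMAGE; an image that overrides IMAGE_BASENAME would hit the same 'cannot stat' failure this patch sets out to fix. Using PN on the producer side would match the name the class already compares DM_VERITY_IMAGE against. Separately, dropping "$OUTPUT.env" and the 'ln -sf' means no .verity.env is left beside the image any more, which deserves a line in the commit message for anyone reading the root hash from the deploy directory, and $ENV in 'rm -f $ENV' should be quoted.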
|
|
[meta-security][PATCH v2 05/12] linux-yocto(-dev): Add dm-verity fragment as needed
niko.mauno@vaisala.com
Add checks that include dm-verity specific kernel config fragment
when dm-verity-img.bbclass is used. Signed-off-by: Niko Mauno <niko.mauno@...> --- recipes-kernel/linux/linux-yocto-dev.bbappend | 1 + recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 + 2 files changed, 2 insertions(+) diff --git a/recipes-kernel/linux/linux-yocto-dev.bbappend b/recipes-kernel/linux/linux-yocto-dev.bbappend index 39d4e6f5..fa536d09 100644 --- a/recipes-kernel/linux/linux-yocto-dev.bbappend +++ b/recipes-kernel/linux/linux-yocto-dev.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend index 39d4e6f5..fa536d09 100644 --- a/recipes-kernel/linux/linux-yocto_5.%.bbappend +++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend @@ -1,2 +1,3 @@ KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}" KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}" +KERNEL_FEATURES_append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}" -- 2.20.1
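Review bot: Both bbappends key the new KERNEL_FEATURES_append line on IMAGE_CLASSES containing 'dm-verity-img' alone, so the kernel gains features/device-mapper/dm-verity.scc in every build with the class enabled, including the case where DM_VERITY_IMAGE is unset and the class only warns 'inherited but not used' (see 02/12). If that is intended, a comment above the line saying so would help; otherwise test DM_VERITY_IMAGE as well. The same line is added to two files, so a shared include would keep them from drifting apart.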
|
|
[meta-security][PATCH v2 07/12] initramfs-framework: Add dmverity module
niko.mauno@vaisala.com
Add 'initramfs-module-dmverity' as an extension to poky upstream
provided initramfs-framework suite via matchingly named bbappend file. Together with pre-existing 'initramfs-module-udev' this module can be used to facilitate dm-verity rootfs mounting from initramfs context that is bundled with Linux kernel. Signed-off-by: Niko Mauno <niko.mauno@...> --- .../initramfs-framework/dmverity | 53 +++++++++++++++++++ .../initramfs-framework_1.0.bbappend | 16 ++++++ 2 files changed, 69 insertions(+) create mode 100644 recipes-core/initrdscripts/initramfs-framework/dmverity create mode 100644 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend diff --git a/recipes-core/initrdscripts/initramfs-framework/dmverity b/recipes-core/initrdscripts/initramfs-framework/dmverity new file mode 100644 index 00000000..bb07aab5 --- /dev/null +++ b/recipes-core/initrdscripts/initramfs-framework/dmverity @@ -0,0 +1,53 @@ +#!/bin/sh + +dmverity_enabled() { + return 0 +} + +dmverity_run() { + DATA_SIZE="__not_set__" + ROOT_HASH="__not_set__" + + . /usr/share/misc/dm-verity.env + + case "${bootparam_root}" in + ID=*) + RDEV="$(realpath /dev/disk/by-id/${bootparam_root#ID=})" + ;; + LABEL=*) + RDEV="$(realpath /dev/disk/by-label/${bootparam_root#LABEL=})" + ;; + PARTLABEL=*) + RDEV="$(realpath /dev/disk/by-partlabel/${bootparam_root#PARTLABEL=})" + ;; + PARTUUID=*) + RDEV="$(realpath /dev/disk/by-partuuid/${bootparam_root#PARTUUID=})" + ;; + PATH=*) + RDEV="$(realpath /dev/disk/by-path/${bootparam_root#PATH=})" + ;; + UUID=*) + RDEV="$(realpath /dev/disk/by-uuid/${bootparam_root#UUID=})" + ;; + *) + RDEV="${bootparam_root}" + esac + + if ! [ -b "${RDEV}" ]; then + echo "Root device resolution failed" + exit 1 + fi + + veritysetup \ + --data-block-size=1024 \ + --hash-offset=${DATA_SIZE} \ + create rootfs \ + ${RDEV} \ + ${RDEV} \ + ${ROOT_HASH} + + mount \ + -o ro \ + /dev/mapper/rootfs \ + ${ROOTFS_DIR} || exit 2 +} 
diff --git a/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend new file mode 100644 index 00000000..48e92c23 --- /dev/null +++ b/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend @@ -0,0 +1,16 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = "\ + file://dmverity \ +" + +do_install_append() { + # dm-verity + install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity +} + +PACKAGES_append = " initramfs-module-dmverity" + +SUMMARY_initramfs-module-dmverity = "initramfs dm-verity rootfs support" +RDEPENDS_initramfs-module-dmverity = "${PN}-base" +FILES_initramfs-module-dmverity = "/init.d/80-dmverity" -- 2.20.1
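Review bot: In dmverity_run(), DATA_SIZE and ROOT_HASH are preset to "__not_set__" but never tested after sourcing /usr/share/misc/dm-verity.env, and the exit status of veritysetup is ignored, so a missing or incomplete env file only shows up later as a failed mount and 'exit 2'. Please compare both values against the sentinel before use and add failure handling to the veritysetup call, each with a message that names the real cause, so a bad root hash is reported as such. ${RDEV}, ${DATA_SIZE} and ${ROOT_HASH} should be quoted in the veritysetup and mount arguments, and the final '*)' branch of the case should end with ';;' like the others. In the bbappend, 'install ${WORKDIR}/dmverity ${D}/init.d/80-dmverity' would be clearer with an explicit -m mode.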
|
|
[meta-security][PATCH v2 04/12] dm-verity-image-initramfs: Bind at do_image instead
niko.mauno@vaisala.com
Bind custom actions in this image recipe in do_image() rather than
do_rootfs(), which can help shaving even dozens of seconds from duration of 'bitbake <DM_VERITY_IMAGE>' command re-execution. Signed-off-by: Niko Mauno <niko.mauno@...> --- recipes-core/images/dm-verity-image-initramfs.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index 60e98928..8dd8543c 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -14,10 +14,10 @@ PACKAGE_INSTALL = " \ " # Can we somehow inspect reverse dependencies to avoid these variables? -do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE -do_rootfs[nostamp] = "1" +do_image[nostamp] = "1" IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" @@ -26,4 +26,4 @@ inherit core-image deploy_verity_hash() { install -D -m 0644 ${DEPLOY_DIR_IMAGE}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity.env ${IMAGE_ROOTFS}/${datadir}/dm-verity.env } -ROOTFS_POSTPROCESS_COMMAND += "deploy_verity_hash;" +IMAGE_PREPROCESS_COMMAND += "deploy_verity_hash;" -- 2.20.1
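Review bot: Moving the flag to 'do_image[nostamp] = "1"' keeps the unconditional re-run and attaches it to the task the bundled kernel consumes; the cover letter of this series reports that it seemed to render sstate-cache artifacts for virtual/kernel unusable. That cost should be recorded in the comment above the flag ('Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE'), and it would be worth checking whether the task can instead be made to depend on the content of the staged verity.env so it re-runs only when the root hash changes.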
|
|
[meta-security][PATCH v2 03/12] dm-verity-image-initramfs: Ensure verity hash sync
niko.mauno@vaisala.com
In order to ensure that the bundled initramfs always contains the most
recently generated DM_VERITY_IMAGE specific root filesystems' root hash, we disable the timestamp for do_rootfs() task here, meaning that the task will be re-executed whenever some task that depends on it executes. Without this change, executing e.g. the following sequence $ bitbake <DM_VERITY_IMAGE> $ bitbake -c clean <DM_VERITY_IMAGE> $ bitbake <DM_VERITY_IMAGE> results in an unbootable <DM_VERITY_IMAGE> rootfs, which fails like Mounting /dev/vda over dm-verity as the root filesystem [ 8.729974] device-mapper: verity: sha256 using implementation sha256-generic [ 8.810784] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813018] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.813912] Buffer I/O error on dev dm-0, logical block 2992, async page read Verity device detected corruption after activation. [ 8.889548] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891060] device-mapper: verity: 253:0: metadata block 3017 is corrupted [ 8.891456] Buffer I/O error on dev dm-0, logical block 2992, async page read ... [ 9.135707] EXT4-fs (dm-0): unable to read superblock [ 9.142897] EXT4-fs (dm-0): unable to read superblock [ 9.145393] EXT4-fs (dm-0): unable to read superblock [ 9.147905] FAT-fs (dm-0): unable to read boot sector mount: /new_root: can't read superblock on /dev/mapper/rootfs. BusyBox v1.32.0 () multi-call binary. Usage: switch_root [-c CONSOLE_DEV] NEW_ROOT NEW_INIT [ARGS] [ 9.243274] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 [ 9.243701] CPU: 0 PID: 1 Comm: switch_root Not tainted 5.8.3-yocto-standard #1 [ 9.243853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 ... [ 9.248548] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100 ]--- Signed-off-by: Niko Mauno <niko.mauno@...> --- recipes-core/images/dm-verity-image-initramfs.bb | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/recipes-core/images/dm-verity-image-initramfs.bb b/recipes-core/images/dm-verity-image-initramfs.bb index f9ea3762..60e98928 100644 --- a/recipes-core/images/dm-verity-image-initramfs.bb +++ b/recipes-core/images/dm-verity-image-initramfs.bb @@ -16,6 +16,9 @@ PACKAGE_INSTALL = " \ # Can we somehow inspect reverse dependencies to avoid these variables? do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +# Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE +do_rootfs[nostamp] = "1" + IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}" inherit core-image -- 2.20.1
|
|
[meta-security][PATCH v2 02/12] dm-verity-img.bbclass: Reorder parse-time check
niko.mauno@vaisala.com
Relocate checking if DM_VERITY_IMAGE and DM_VERITY_IMAGE_TYPE are
defined as non-empty strings before DM_VERITY_IMAGE vs. PN comparison is performed. By doing so we start seeing following kind of bitbake parse-time console warnings in case either DM_VERITY_IMAGE or DM_VERITY_IMAGE_TYPE is not set, when 'dm-verity-img' is defined in IMAGE_CLASSES: WARNING: .../meta/recipes-core/images/core-image-minimal.bb: dm-verity-img class inherited but not used WARNING: .../meta-openembedded/meta-oe/recipes-core/images/meta-oe-ptest-image.bb: dm-verity-img class inherited but not used whereas before this change this warning was printed only once, when image pointed by <DM_VERITY_IMAGE> was parsed (and recipe with that name could be found in BBFILES mask scipe), and DM_VERITY_IMAGE_TYPE was not set. Signed-off-by: Niko Mauno <niko.mauno@...> --- classes/dm-verity-img.bbclass | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 6faed5b6..6ad0f75f 100644 --- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass @@ -68,13 +68,13 @@ python __anonymous() { image_fstypes = d.getVar('IMAGE_FSTYPES') pn = d.getVar('PN') - if verity_image != pn: - return # This doesn't concern this image - if not verity_image or not verity_type: bb.warn('dm-verity-img class inherited but not used') return + if verity_image != pn: + return # This doesn't concern this image + if len(verity_type.split()) is not 1: bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type') -- 2.20.1
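Review bot: With the emptiness test moved ahead of 'if verity_image != pn', bb.warn() fires once per parsed image recipe whenever DM_VERITY_IMAGE or DM_VERITY_IMAGE_TYPE is unset, as the two sample warnings in the commit message show, and the text 'dm-verity-img class inherited but not used' does not say which variable is missing. Naming the unset variable in the message would make each of those warnings actionable. The context line 'if len(verity_type.split()) is not 1:' compares an integer by identity; '!= 1' is the correct test and avoids the SyntaxWarning that newer Python versions emit for it.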
|
|
[meta-security][PATCH v2 01/12] dm-verity-img.bbclass: Fix bashisms
niko.mauno@vaisala.com
Resort to printf in order to avoid usage of non-POSIX compliant echo
flags. This mitigates following errors visible in console during boot-up with image that has been built on a host that symlinks '/bin/sh' to 'dash': /init: /usr/share/dm-verity.env: line 1: -NE_UUID: not found /init: /usr/share/dm-verity.env: line 2: -ne: not found /init: /usr/share/dm-verity.env: line 3: 642864e8-6a17-46b9-ba1e-9386a3909c8d: not found /init: /usr/share/dm-verity.env: line 4: -NE_HASH_TYPE: not found /init: /usr/share/dm-verity.env: line 5: -ne: not found /init: /usr/share/dm-verity.env: line 6: 1: not found /init: /usr/share/dm-verity.env: line 7: -NE_DATA_BLOCKS: not found /init: /usr/share/dm-verity.env: line 8: -ne: not found /init: /usr/share/dm-verity.env: line 9: 12064: not found /init: /usr/share/dm-verity.env: line 10: -NE_DATA_BLOCK_SIZE: not found /init: /usr/share/dm-verity.env: line 11: -ne: not found /init: /usr/share/dm-verity.env: line 12: 1024: not found /init: /usr/share/dm-verity.env: line 13: -NE_HASH_BLOCK_SIZE: not found /init: /usr/share/dm-verity.env: line 14: -ne: not found /init: /usr/share/dm-verity.env: line 15: 4096: not found /init: /usr/share/dm-verity.env: line 16: -NE_HASH_ALGORITHM: not found /init: /usr/share/dm-verity.env: line 17: -ne: not found /init: /usr/share/dm-verity.env: line 18: sha256: not found /init: /usr/share/dm-verity.env: line 19: -NE_SALT: not found /init: /usr/share/dm-verity.env: line 20: -ne: not found /init: /usr/share/dm-verity.env: line 21: 19d98185b42a897a37db6c56c7470ab2d455f0de46daa0df735eee6263816439: not found /init: /usr/share/dm-verity.env: line 22: -NE_ROOT_HASH: not found /init: /usr/share/dm-verity.env: line 23: -ne: not found /init: /usr/share/dm-verity.env: line 24: 298d75fc2ea27fe594b6a37158a6ae7538e77d918bab98c475934f625de0e4ab: not found Signed-off-by: Niko Mauno <niko.mauno@...> --- classes/dm-verity-img.bbclass | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/classes/dm-verity-img.bbclass b/classes/dm-verity-img.bbclass index 1c0e29b6..6faed5b6 100644 
--- a/classes/dm-verity-img.bbclass +++ b/classes/dm-verity-img.bbclass @@ -32,9 +32,9 @@ process_verity() { # just trim all white-spaces. IFS=":" while read KEY VAL; do - echo -ne "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g' >> $ENV - echo -ne "=" >> $ENV - echo "$VAL" | tr -d " \t" >> $ENV + printf '%s=%s\n' \ + "$(echo "$KEY" | tr '[:lower:]' '[:upper:]' | sed 's/ /_/g')" \ + "$(echo "$VAL" | tr -d ' \t')" >> $ENV done # Add partition size -- 2.20.1
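Review bot: The replacement still passes "$KEY" and "$VAL" through echo inside the two command substitutions, and echo's treatment of a leading '-' or of backslashes is the same shell-dependent behaviour this patch is removing; use printf '%s' "$KEY" and printf '%s' "$VAL" there as well. The redirection target in '>> $ENV' should be quoted, and the context line 'while read KEY VAL' would be safer as 'read -r' so that backslashes in the veritysetup output are not interpreted.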
|
|
[meta-security][PATCH v2 00/12] dm-verity overhaul
niko.mauno@vaisala.com
This set of patches addresses some small issues in dm-verity rootfs facility, which were observed while making use of dm-verity-img.bbclass to generate dm-verity rootfs images for real arm-based hardware.

For purposes of establishing this changeset, the default 'qemux86-64' machine was used as a reference. During testing/development the following additional settings were defined in local.conf:

  DM_VERITY_IMAGE = "core-image-minimal"
  DM_VERITY_IMAGE_TYPE = "ext4"
  IMAGE_CLASSES += "dm-verity-img"
  INITRAMFS_IMAGE_BUNDLE = "1"
  INITRAMFS_IMAGE = "dm-verity-image-initramfs"

And the following command line was used to test the changes with qemu:

  KERNEL=.../build/tmp/deploy/images/qemux86-64/bzImage-initramfs-qemux86-64.bin \
  QB_NET=none \
  runqemu \
  nographic \
  qemuparams="-nic none" \
  qemux86-64 \
  .../build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity

Update since v1:

Based on the feedback to v1 of the changeset, I was able to observe that if wic image type is used with this facility, it introduces circular dependency related to the

  do_image_wic[recrdeptask] += "do_deploy"

declaration in meta/classes/image_types_wic.bbclass side, and on the other hand, related to the

  do_rootfs[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}"

declaration in meta-security/recipes-core/images/dm-verity-image-initramfs.bb side.

In order to mitigate this situation this version of changeset introduces a custom staging directory for passing DM_VERITY_IMAGE rootfs specific verity.env file to the initramfs image. While this may not be the most optimal solution to the issue of passing staging files from one image nested in another image, it should nevertheless resolve the issue in a (hopefully) non-conflicting fashion for the time being, making also 'wic' images usable with the facility.

Furthermore the original dm-verity initramfs /init facility was replaced to use existing poky-provided initramfs-framework suite complemented with a dm-verity specific module, and added also some optimizations to dm-verity-initramfs-image recipe, and a fix to a relevant wks.in file.

In addition to testing this updated changeset against default 'qemux86-64' machine, I also tested against 'beaglebone-yocto' machine and a BeagleBone Black board, for which purpose I added also the following lines to local.conf:

  MACHINE = "beaglebone-yocto"
  IMAGE_BOOT_FILES_remove = "zImage"
  IMAGE_BOOT_FILES_append = " zImage-initramfs-${MACHINE}.bin;zImage"
  WKS_FILES = "${MACHINE}-verity.wks.in"

Since I use poky master branch, I also had to introduce

  CONFIG_MMC_SDHCI=y
  CONFIG_MMC_SDHCI_PLTFM=y
  CONFIG_MMC_SDHCI_OMAP=y

via a kernel config fragment to adapt to included change in kernel source tree

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?h=v5.8&id=0b4edf111870b83ea77b1d7e16b8ceac29f9f388

which otherwise prevented Linux from detecting either eMMC or attached SD card on the BeagleBone Black board.

When booting up the board from SD card which was programmed using resulting 'core-image-minimal-beaglebone-yocto.wic' file, e.g. the following lines were observed

  Freeing unused kernel memory: 13312K
  Run /init as init process
  udevd[148]: starting version 3.2.9
  udevd[149]: starting eudev-3.2.9
  device-mapper: verity: sha256 using implementation "sha256-generic"
  EXT4-fs (dm-0): mounted filesystem with ordered data mode. Opts: (null)
  INIT: version booting
  Starting udev

and after logging in via serial console checked that

  root@beaglebone-yocto:~# grep ' / ' /proc/mounts
  /dev/mapper/rootfs / ext4 ro,relatime 0 0

Finally, at least one obvious caveat in current changeset is the added

  do_image[nostamp] = "1"

flag in dm-verity-image-initramfs.bb which seemed to have the impact of rendering sstate-cache artifacts for virtual/kernel unusable.
Niko Mauno (12):
  dm-verity-img.bbclass: Fix bashisms
  dm-verity-img.bbclass: Reorder parse-time check
  dm-verity-image-initramfs: Ensure verity hash sync
  dm-verity-image-initramfs: Bind at do_image instead
  linux-yocto(-dev): Add dm-verity fragment as needed
  dm-verity-img.bbclass: Stage verity.env file
  initramfs-framework: Add dmverity module
  dm-verity-image-initramfs: Use initramfs-framework
  dm-verity-initramfs-image: Cosmetic improvements
  dm-verity-image-initramfs: Add base-passwd package
  dm-verity-image-initramfs: Drop locales from image
  beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

 classes/dm-verity-img.bbclass | 22 ++++----
 .../images/dm-verity-image-initramfs.bb | 28 ++++++----
 .../initrdscripts/initramfs-dm-verity.bb | 13 -----
 .../initramfs-dm-verity/init-dm-verity.sh | 46 ----------------
 .../initramfs-framework/dmverity | 54 +++++++++++++++++++
 .../initramfs-framework_1.0.bbappend | 16 ++++++
 recipes-kernel/linux/linux-yocto-dev.bbappend | 1 +
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 +
 wic/beaglebone-yocto-verity.wks.in | 2 +-
 9 files changed, 104 insertions(+), 79 deletions(-)
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity.bb
 delete mode 100644 recipes-core/initrdscripts/initramfs-dm-verity/init-dm-verity.sh
 create mode 100644 recipes-core/initrdscripts/initramfs-framework/dmverity
 create mode 100644 recipes-core/initrdscripts/initramfs-framework_1.0.bbappend

--
2.20.1
|
|
[meta-security][PATCH] ibmswtpm2: update to 1637
Jens Rehsack <rehsack@...>
Update ibmswtpm2 from 1628 to 1637. Build 1637 Includes:
* Increase NV memory size to match PC Client RSA 3072 requirements * Add and fix ACT support * Update Visual Studio files to 2019. Signed-off-by: Jens Rehsack <sno@...> --- .../ibmswtpm2/files/fix-wrong-cast.patch | 27 ++++++++++ .../ibmswtpm2/files/remove_optimization.patch | 26 ---------- .../ibmswtpm2/files/tune-makefile.patch | 50 +++++++++++++++++++ .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb | 26 ---------- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb | 30 +++++++++++ 5 files changed, 107 insertions(+), 52 deletions(-) create mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch delete mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch create mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch delete mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb create mode 100644 meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch new file mode 100644 index 0000000..9f10fbe --- /dev/null +++ b/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch 
@@ -0,0 +1,27 @@ +Fix strict aliasing issue of gcc10 + +fixes: + +TpmFail.c: In function 'TpmLogFailure': +TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ + | ^~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors + +Upstream-Status: OE specific + +Signed-off-by: Jens Rehsack <sno@...> + +Index: src/TpmFail.c +=================================================================== +--- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 ++++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 +@@ -214,7 +214,7 @@ + // On a 64-bit machine, this may truncate the address of the string + // of the function name where the error occurred. + #if FAIL_TRACE +- s_failFunction = *(UINT32 *)&function; /* kgold */ ++ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ + s_failLine = line; + #else + s_failFunction = 0; diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch b/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch deleted file mode 100644 index 2919e2e..0000000 --- a/meta-tpm/recipes-tpm2/ibmswtpm2/files/remove_optimization.patch +++ /dev/null @@ -1,26 +0,0 @@ -Allow recipe to overide optimization. - -fixes: - -397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) -| | ^~~~~~~ -| cc1: all warnings being treated as errors - - -Upstream-Status: OE specific - -Signed-off-by: Armin Kuster <akuster808@...> - -Index: src/makefile -=================================================================== ---- src.orig/makefile -+++ src/makefile -@@ -43,7 +43,7 @@ CC = /usr/bin/gcc - CCFLAGS = -Wall \ - -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ - -Werror -Wsign-compare \ -- -c -ggdb -O0 \ -+ -c -ggdb -O \ - -DTPM_POSIX \ - -D_POSIX_ \ - -DTPM_NUVOTON 
diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch b/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch new file mode 100644 index 0000000..eebddb9 --- /dev/null +++ b/meta-tpm/recipes-tpm2/ibmswtpm2/files/tune-makefile.patch @@ -0,0 +1,50 @@ +1) Allow recipe to overide optimization. + +fixes: + +397 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O) +| | ^~~~~~~ +| cc1: all warnings being treated as errors + +2) Allow recipe to override OE related compile-/link-flags + +fixes: + +ERROR: QA Issue: File /usr/bin/tpm_server in package ibmswtpm2 doesn't have GNU_HASH (didn't pass LDFLAGS?) [ldflags] + +Upstream-Status: OE specific + +Signed-off-by: Jens Rehsack <sno@...> + +Index: src/makefile +=================================================================== +--- src.orig/makefile ++++ src/makefile +@@ -38,12 +38,10 @@ + ################################################################################# + + +-CC = /usr/bin/gcc +- + CCFLAGS = -Wall \ + -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \ + -Werror -Wsign-compare \ +- -c -ggdb -O0 \ ++ -c -ggdb -O \ + -DTPM_POSIX \ + -D_POSIX_ \ + -DTPM_NUVOTON +@@ -79,11 +77,11 @@ + .PRECIOUS: %.o + + tpm_server: $(OBJFILES) +- $(CC) $(OBJFILES) $(LNFLAGS) -o tpm_server ++ $(CCLD) $(OBJFILES) $(LDFLAGS) $(LNFLAGS) -o tpm_server + + clean: + rm -f *.o tpm_server *~ + + %.o: %.c +- $(CC) $(CCFLAGS) $< -o $@ ++ $(CC) $(CCFLAGS) $(CFLAGS) $< -o $@ + diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb deleted file mode 100644 index 3373a30..0000000 --- a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1628.bb +++ /dev/null 
@@ -1,26 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://remove_optimization.patch \ - " -SRC_URI[md5sum] = "bfd3eca2411915f24de628b9ec36f259" -SRC_URI[sha256sum] = "a8e874e7a1ae13a1290d7679d846281f72d0eb6a5e4cfbafca5297dbf4e29ea3" -SRC_URI[sha1sum] = "7c8241a4e97a801eace9f0eea8cdda7c58114f7f" -SRC_URI[sha384sum] = "eec25cc8ba0e3cb27d41ba4fa4c71d8158699953ccb61bb6d440236dcbd8f52b6954eaae9d640a713186e0b99311fd91" -SRC_URI[sha512sum] = "ab47caa4406ba57c0afc6fadae304fc9ef5e3e125be0f2fb1955a419cf93cd5e9176e103f0b566825abc16cca00b795f98d2b407f0a2bf7b141ef4b025d907d0" - -S = "${WORKDIR}/src" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} diff --git a/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb new file mode 100644 index 0000000..ff8c604 --- /dev/null +++ b/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb 
@@ -0,0 +1,30 @@ +SUMMARY = "IBM's Software TPM 2.0" +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://tune-makefile.patch \ + file://fix-wrong-cast.patch \ + " +SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" +SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" +SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" +SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" +SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" + +S = "${WORKDIR}/src" + +CFLAGS += "-Wno-error=maybe-uninitialized" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} -- 2.17.1
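Review bot: In the TpmFail.c hunk carried by fix-wrong-cast.patch, the replacement `memcpy(&s_failFunction, function, sizeof(uint32_t))` reads from `function`, that is, the bytes of the name string, whereas the removed line `*(UINT32 *)&function` read the pointer value itself, which is what the comment above it ("may truncate the address of the string of the function name") describes. This changes what ends up in s_failFunction and, for a function name shorter than three characters, reads past the end of the string. To keep the original behaviour and still satisfy -Wstrict-aliasing, copy from the address of the pointer and size by the destination: `memcpy(&s_failFunction, &function, sizeof(s_failFunction));`.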
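Review bot: In the second makefile hunk of tune-makefile.patch, the link rule now uses `$(CCLD)`, but nothing visible defines it: the first hunk removes the only compiler assignment (`CC = /usr/bin/gcc`) and do_compile in ibmswtpm2_1637.bb passes only `make CC='${CC}'`. The link step therefore works only if CCLD happens to be exported in the build environment; outside of that the rule has no linker command at all. Either keep `$(CC)` for linking, add `CCLD ?= $(CC)` to the makefile, or pass CCLD explicitly from do_compile. Minor: "overide" in the patch header should read "override".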
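Review bot: In ibmswtpm2_1637.bb, `CFLAGS += "-Wno-error=maybe-uninitialized"` downgrades a whole class of diagnostics for the TPM simulator build, and neither the commit message nor the recipe says which source file triggers the warning or why it is considered harmless. Please add a comment naming the offending site, or carry a patch that initialises the variable, so the suppression can be dropped on the next update. Also, `SECTION = "securty/tpm"` is carried over with its typo from the 1628 recipe; the new file is a good place to correct it to "security/tpm".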
|
|
[meta-security][master][dunfell][PATCH] clamav: update SO_VER to 9.0.4
Charlie Davies
Signed-off-by: Charlie Davies <charles.davies@...>
--- recipes-scanners/clamav/clamav_0.101.5.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-scanners/clamav/clamav_0.101.5.bb b/recipes-scanners= /clamav/clamav_0.101.5.bb index 2ea2c9b..30c8c08 100644 --- a/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/recipes-scanners/clamav/clamav_0.101.5.bb @@ -23,7 +23,7 @@ SRC_URI =3D "git://github.com/vrtadmin/clamav-devel;bra= nch=3Drel/0.101 \ S =3D "${WORKDIR}/git" =20 LEAD_SONAME =3D "libclamav.so" -SO_VER =3D "9.0.2" +SO_VER =3D "9.0.4" =20 inherit autotools pkgconfig useradd systemd multilib_header multilib_scr= ipt =20 --=20 2.28.0
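Review bot: The SO_VER change from "9.0.2" to "9.0.4" comes with no commit message body, while the recipe is still clamav_0.101.5.bb on branch rel/0.101, so the patch itself does not show why the library version moved. Please state in the commit message what made libclamav install as 9.0.4 and that this holds for both master and dunfell. Because SO_VER is a hard-coded copy of a value the upstream build decides, a short comment next to it saying where to look it up would help the next update avoid the same mismatch.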
|
|
[meta-security][dunfell][PATCH] clamav: add INSTALL_CLAMAV_CVD flag to do_install
Charlie Davies
Recipe provides INSTALL_CLAMAV_CVD flag to bypass clamav
cvd db creation. During do_install this flag should be used to conditionally skip install of cvd db if needed. Signed-off-by: Charlie Davies <charles.davies@...> --- recipes-scanners/clamav/clamav_0.101.5.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-scanners/clamav/clamav_0.101.5.bb b/recipes-scanners= /clamav/clamav_0.101.5.bb index 2ea2c9b..770186a 100644 --- a/recipes-scanners/clamav/clamav_0.101.5.bb +++ b/recipes-scanners/clamav/clamav_0.101.5.bb @@ -89,7 +89,9 @@ do_install_append_class-target () { install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/de= fault/volatiles/volatiles.03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclam= av.pc rm ${D}/${libdir}/libclamav.so - install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. + if [ "${INSTALL_CLAMAV_CVD}" =3D "1" ]; then + install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav= /. + fi if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d= )};then install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitd= ir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d --=20 2.27.0
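Review bot: The `install -m 666 ${S}/clamav_db/*` line that moves inside the new `if` keeps mode 666, which leaves the signature database world-writable on the target, so any local user can alter what the scanner matches against. Since the line is being touched anyway, consider 0644 with ownership set for the account that updates the database. It would also help to say in the commit message what state ${localstatedir}/lib/clamav is left in when INSTALL_CLAMAV_CVD is not "1", since the test matches only that literal value.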
|
|
[PATCH][autobuilder-helper][thud 40/40] scripts/utils: Ensuring new logging is flushed from buffers
Richard Purdie
Signed-off-by: Richard Purdie <richard.purdie@...>
--- scripts/utils.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/utils.py b/scripts/utils.py index 500138d..46346fb 100644 --- a/scripts/utils.py +++ b/scripts/utils.py @@ -233,18 +233,24 @@ def fetchgitrepo(clonedir, repo, params, stashdir): branch = params["branch"] revision = params["revision"] print("Checking for stash at: " + stashdir + "/" + repo) + flush() if os.path.exists(stashdir + "/" + repo): print("Cloning from stash to %s..." % sharedrepo) + flush() subprocess.check_call(["git", "clone", "file://%s/%s" % (stashdir, repo), "%s/%s" % (clonedir, repo)]) subprocess.check_call(["git", "remote", "rm", "origin"], cwd=sharedrepo) subprocess.check_call(["git", "remote", "add", "origin", params["url"]], cwd=sharedrepo) print("Updating from origin...") + flush() subprocess.check_call(["git", "fetch", "origin"], cwd=sharedrepo) subprocess.check_call(["git", "fetch", "origin", "-t"], cwd=sharedrepo) else: print("Cloning from origin to %s..." % sharedrepo) + flush() subprocess.check_call(["git", "clone", params["url"], sharedrepo]) + print("Updating checkout...") + flush() subprocess.check_call(["git", "checkout", branch], cwd=sharedrepo) # git reset revision==HEAD won't help, we need to reset onto the potentially fetched origin branch subprocess.check_call(["git", "reset", "origin/" + branch, "--hard"], cwd=sharedrepo) -- 2.25.1
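Review bot: Each print() in fetchgitrepo() now needs a separate flush() call on the following line, which is easy to forget the next time a message is added; `print(..., flush=True)` or a small helper that prints and flushes would keep the two together. The hunk does not show where flush() is defined, and the commit message has no body, so a sentence on why the flush is needed (presumably to keep these lines ordered against the output of the git subprocesses) would help anyone reviewing the thud backport.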
|
|