[meta-security][PATCH 2/2] apparmor: update to 2.13.4

Jan Luebbe
 

Signed-off-by: Jan Luebbe <jlu@...>
---
recipes-mac/AppArmor/{apparmor_2.13.3.bb => apparmor_2.13.4.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-mac/AppArmor/{apparmor_2.13.3.bb => apparmor_2.13.4.bb} (99%)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.4.bb
similarity index 99%
rename from recipes-mac/AppArmor/apparmor_2.13.3.bb
rename to recipes-mac/AppArmor/apparmor_2.13.4.bb
index 3398a3a75baa..f8fd19eb9e00 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.4.bb
@@ -25,7 +25,7 @@ SRC_URI = " \
file://run-ptest \
"

-SRCREV = "2f9d9ea7e01a115b29858455d3b1b5c6a0bab75c"
+SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
S = "${WORKDIR}/git"

PARALLEL_MAKE = ""
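Review bot: the commit message says nothing beyond the subject, and the recipe pins a bare commit hash rather than a tag, so a reviewer cannot tell from the patch how df0ac742f7a1146181d8734d03334494f2015134 relates to upstream 2.13.4. State in the message which upstream tag or branch the SRCREV was taken from and whether the point release carries fixes relevant to this layer (the recipe ships a run-ptest, so note if the ptest set changes). Also confirm that the only diff is the SRCREV line; the 99% similarity suggests so, but the rename hides anything else.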
--
2.26.0.rc2


[meta-security][PATCH 1/2] apparmor: fix wrong executable permission on service file

Jan Luebbe
 

This avoids "systemd[1]: Configuration file
/lib/systemd/system/apparmor.service is marked executable. Please remove
executable permission bits. Proceeding anyway." on boot.

Signed-off-by: Jan Luebbe <jlu@...>
---
recipes-mac/AppArmor/apparmor_2.13.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 0c62a4daf172..3398a3a75baa 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -119,7 +119,7 @@ do_install () {

if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -d ${D}${systemd_system_unitdir}
- install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
fi
}
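Review bot: the fix is right: `install` without -m defaults to 0755, which is exactly what systemd warned about, and 0644 is the correct mode for a unit file. Two follow-ups: the hunk only shows the systemd branch, so check whether other data files in this do_install are installed with the same bare `install ${WORKDIR}/...` form and would trip the same warning; a cheap guard at the end of do_install is `find ${D}${systemd_system_unitdir} -type f -perm /111`, which should print nothing. And since patch 2/2 renames this recipe to 2.13.4, the series only applies in this order; worth a sentence in the cover letter.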

--
2.26.0.rc2


Re: Mechanism behind pkg_postinst_ontarget_${PN} #yocto

Alexander Kanavin
 

I am not sure about deb-postinsts. What I see the script doing is:

eval dpkg --configure -a $append_log

Alex


On Fri, 27 Mar 2020 at 10:26, <stefan.wenninger@...> wrote:
I am using deb as my package class. What I am gathering from that run-postinsts directory is that there is a systemd service that starts and executes the run-postinsts script.
That script looks for a directory /etc/deb-postinsts and executes all scripts in there. Does that mean, that the mechanism used in the end is the post-install scripts of deb packages?
So basically the pkg_postinst_ontarget_${PN} function adds a postinstall script to the .deb package of the recipe it is in, correct?
That should mean that I can expect to see a script in /etc/deb-postinsts that contains my commands. I will verify that right away.

If these assumptions are correct, you have already greatly improved my understanding of this process. Thank you for that.

Stefan
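
A way to check on the build host whether the first-boot work actually made it into the image, as an added example that is not part of this thread and not OE's run-postinsts script. It takes what Alex describes above as given: run-postinsts looks for /etc/<pm>-postinsts (pm = rpm, ipk or deb) and, for deb, just runs dpkg --configure -a. The further assumption, labelled in the code, is that the deb backend carries the deferred work by leaving the package in dpkg's "unpacked" state, so the package's postinst under var/lib/dpkg/info is what runs on first boot. The rootfs it inspects is constructed inline so the script runs offline; pass the path of a real extracted rootfs to inspect that instead.

```shell
#!/bin/sh
# Added example (not OE's run-postinsts, not code from this thread).
# Inspect an extracted Yocto rootfs for postinst work deferred to first boot.
#
# Assumptions:
#  - run-postinsts checks for /etc/<pm>-postinsts with pm in rpm, ipk, deb,
#    and for deb runs "dpkg --configure -a" (as quoted in the thread).
#  - With the deb backend the deferred work is carried by packages that the
#    rootfs build left in dpkg state "unpacked", whose postinst lives in
#    var/lib/dpkg/info/<pkg>.postinst (assumption, not shown in the thread).

# Print the package-manager names whose postinsts directory exists in ROOTFS.
list_postinst_dirs() {
    rootfs=$1
    for pm in rpm ipk deb; do
        [ -d "$rootfs/etc/$pm-postinsts" ] && echo "$pm"
    done
    return 0
}

# Print packages in a dpkg status file that are not fully configured.
# "Status: install ok unpacked" -> field 4 is the state that
# "dpkg --configure -a" acts on.
unconfigured_debs() {
    awk '/^Package: / { pkg = $2 }
         /^Status: /  { if ($4 != "installed") print pkg }' "$1"
}

# Print the postinst path for PKG in ROOTFS, or nothing if it has none.
deb_postinst_path() {
    rootfs=$1; pkg=$2
    f="$rootfs/var/lib/dpkg/info/$pkg.postinst"
    [ -f "$f" ] && echo "$f"
    return 0
}

# Constructed sample rootfs: one package left unconfigured, with a postinst
# in the spirit of what pkg_postinst_ontarget produces (simplified, not the
# exact text package.bbclass emits).
make_sample_rootfs() {
    root=$1
    mkdir -p "$root/etc/deb-postinsts" "$root/var/lib/dpkg/info"
    cat > "$root/var/lib/dpkg/status" <<'EOF'
Package: base-files
Status: install ok installed
Version: 3.0.14-r89

Package: firstboot-test
Status: install ok unpacked
Version: 1.0-r0

Package: busybox
Status: install ok installed
Version: 1.27.2-r0
EOF
    cat > "$root/var/lib/dpkg/info/firstboot-test.postinst" <<'EOF'
#!/bin/sh
# $D is set only at rootfs-build time; on the target it is empty.
if [ -n "$D" ]; then exit 1; fi
printf "hello world\n" > /home/root/test.txt
EOF
    chmod 0755 "$root/var/lib/dpkg/info/firstboot-test.postinst"
}

# Report on ROOTFS: which postinst dirs exist and which debs are deferred.
report() {
    rootfs=$1
    echo "postinst dirs: $(list_postinst_dirs "$rootfs" | tr '\n' ' ')"
    for pkg in $(unconfigured_debs "$rootfs/var/lib/dpkg/status"); do
        echo "deferred: $pkg -> $(deb_postinst_path "$rootfs" "$pkg")"
    done
}

if [ -n "$1" ]; then
    report "$1"            # real rootfs given on the command line
else
    tmp=$(mktemp -d)       # otherwise run against the constructed sample
    make_sample_rootfs "$tmp"
    report "$tmp"
    rm -rf "$tmp"
fi
```

If the script reports no postinst directory and no unconfigured package in the rootfs that SWUpdate writes to the device, the problem is upstream of run-postinsts (the function never produced a deferred postinst); if it reports the package but nothing happened on the board, look at whether run-postinsts.service ran and at what dpkg --configure -a logged.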


Re: Mechanism behind pkg_postinst_ontarget_${PN} #yocto

stefan.wenninger@...
 

I am using deb as my package class. What I am gathering from that run-postinsts directory is that there is a systemd service that starts and executes the run-postinsts script.
That script looks for a directory /etc/deb-postinsts and executes all scripts in there. Does that mean, that the mechanism used in the end is the post-install scripts of deb packages?
So basically the pkg_postinst_ontarget_${PN} function adds a postinstall script to the .deb package of the recipe it is in, correct?
That should mean that I can expect to see a script in /etc/deb-postinsts that contains my commands. I will verify that right away.

If these assumptions are correct, you have already greatly improved my understanding of this process. Thank you for that.

Stefan


Re: Mechanism behind pkg_postinst_ontarget_${PN} #yocto

Alexander Kanavin
 

Actually, that depends on which package format you use. The script that executes the postinsts on target can be found in meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.

Alex


On Fri, 27 Mar 2020 at 10:06, <stefan.wenninger@...> wrote:
Hi Alex,
I'm not sure if my previous reply got sent/reached you. I apologise in case you receive this message twice.

Should there be a script in /etc created from my pkg_postinst_ontarget_${PN} function? If yes, what would its name be?

Stefan


Re: Mechanism behind pkg_postinst_ontarget_${PN} #yocto

stefan.wenninger@...
 

Hi Alex,
I'm not sure if my previous reply got sent/reached you. I apologise in case you receive this message twice.

Should there be a script in /etc created from my pkg_postinst_ontarget_${PN} function? If yes, what would its name be?

Stefan


Re: Mechanism behind pkg_postinst_ontarget_${PN} #yocto

Alexander Kanavin
 

You can start by inspecting your image's rootfs, the scripts to run on first boot should be in /etc/ somewhere. Are they?

Alex


On Fri, 27 Mar 2020 at 09:14, <stefan.wenninger@...> wrote:
Hi,
I am trying to execute a few shell commands the first time a new image boots. The Yocto built-in mechanism for that should be pkg_postinst_ontarget_${PN}.
However I can not get the commands I put within that function to execute. I am having a hard time trying to figure out what the problem is.
I am installing the new image to my board via SWUpdate. My suspicion is that the mechanism behind the pkg_postinst_ontarget_${PN} is somehow hindered by the SWUpdate utility.
I could imagine that whatever mechanism is used might be suppressed/ignored by the SWUpdate process.

That is why I'm asking about the exact mechanism within Linux that is used to execute the contents of the pkg_postinst_ontarget_${PN} function on first boot.

As a reference:
Yocto version: sumo
pkg_postinst_ontarget_${PN} () {
#!/bin/sh
file=$D/home/root/test.txt
printf "hello world\n" > $file
}

Thanks in advance
Stefan Wenninger


Mechanism behind pkg_postinst_ontarget_${PN} #yocto

stefan.wenninger@...
 

Hi,
I am trying to execute a few shell commands the first time a new image boots. The Yocto built-in mechanism for that should be pkg_postinst_ontarget_${PN}.
However I can not get the commands I put within that function to execute. I am having a hard time trying to figure out what the problem is.
I am installing the new image to my board via SWUpdate. My suspicion is that the mechanism behind the pkg_postinst_ontarget_${PN} is somehow hindered by the SWUpdate utility.
I could imagine that whatever mechanism is used might be suppressed/ignored by the SWUpdate process.

That is why I'm asking about the exact mechanism within Linux that is used to execute the contents of the pkg_postinst_ontarget_${PN} function on first boot.

As a reference:
Yocto version: sumo
pkg_postinst_ontarget_${PN} () {
#!/bin/sh
file=$D/home/root/test.txt
printf "hello world\n" > $file
}

Thanks in advance
Stefan Wenninger


[meta-openssl102-fips][PATCH] nss: drop bbappend and patch

Yi Zhao
 

In nss 3.51, there is a C macro NSS_FIPS_DISABLED that can be used to disable
some FIPS-compliant code and enable alternative implementations. The
current build system never defines NSS_FIPS_DISABLED and always uses the
FIPS-compliant code, so we can drop this local patch.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
.../nss/0001-conditionally-enable-fips.patch | 93 -------------------
recipes-support/nss/nss_3.%.bbappend | 4 -
recipes-support/nss/nss_fips.inc | 4 -
3 files changed, 101 deletions(-)
delete mode 100644 recipes-support/nss/nss/0001-conditionally-enable-fips.patch
delete mode 100644 recipes-support/nss/nss_3.%.bbappend
delete mode 100644 recipes-support/nss/nss_fips.inc

diff --git a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch b/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
deleted file mode 100644
index d11db91..0000000
--- a/recipes-support/nss/nss/0001-conditionally-enable-fips.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From f2cb8bcc556aa1121db7209d433170bd1ab60954 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@...>
-Date: Sat, 12 Oct 2019 10:49:28 +0800
-Subject: [PATCH] conditionally enable fips
-
-Add export NSS_FORCE_FIPS=1 to force enable fips, and add the same
-macro limitaition to fips enable test, currently we are not ready
-to support nss fips
-
-...
-$ certutil -N -d sql:. --empty-password
-|certutil: function failed: SEC_ERROR_PKCS11_DEVICE_ERROR: A PKCS #11
-module returned CKR_DEVICE_ERROR, indicating that a problem has occurred
-with the token or slot.
-
-$rpm -h
-|error: Failed to initialize NSS library
-...
-
-Upstream-Status: Inappropriate [oe specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@...>
----
- nss/coreconf/config.mk | 2 ++
- nss/lib/freebl/nsslowhash.c | 2 +-
- nss/lib/pk11wrap/pk11util.c | 2 +-
- nss/lib/sysinit/nsssysinit.c | 4 ++++
- 4 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
-index 60a0841..dcca87f 100644
---- a/nss/coreconf/config.mk
-+++ b/nss/coreconf/config.mk
-@@ -179,6 +179,8 @@ endif
- # executing the startup tests at library load time.
- ifndef NSS_FORCE_FIPS
- DEFINES += -DNSS_NO_INIT_SUPPORT
-+else
-+DEFINES += -DNSS_FORCE_FIPS
- endif
-
- ifdef NSS_SEED_ONLY_DEV_URANDOM
-diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
-index 22f9781..baf71c3 100644
---- a/nss/lib/freebl/nsslowhash.c
-+++ b/nss/lib/freebl/nsslowhash.c
-@@ -26,7 +26,7 @@ struct NSSLOWHASHContextStr {
- static int
- nsslow_GetFIPSEnabled(void)
- {
--#ifdef LINUX
-+#if defined LINUX && defined NSS_FORCE_FIPS
- FILE *f;
- char d;
- size_t size;
-diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
-index 502c4d0..cd86270 100644
---- a/nss/lib/pk11wrap/pk11util.c
-+++ b/nss/lib/pk11wrap/pk11util.c
-@@ -98,7 +98,7 @@ SECMOD_Shutdown()
- int
- secmod_GetSystemFIPSEnabled(void)
- {
--#ifdef LINUX
-+#if defined LINUX && defined NSS_FORCE_FIPS
- FILE *f;
- char d;
- size_t size;
-diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
-index bd0fac2..5c09e8d 100644
---- a/nss/lib/sysinit/nsssysinit.c
-+++ b/nss/lib/sysinit/nsssysinit.c
-@@ -168,6 +168,7 @@ getFIPSEnv(void)
- static PRBool
- getFIPSMode(void)
- {
-+#ifdef NSS_FORCE_FIPS
- FILE *f;
- char d;
- size_t size;
-@@ -186,6 +187,9 @@ getFIPSMode(void)
- if (d != '1')
- return PR_FALSE;
- return PR_TRUE;
-+#else
-+ return PR_FALSE;
-+#endif
- }
-
- #define NSS_DEFAULT_FLAGS "flags=readonly"
---
-2.7.4
-
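Review bot: the rationale in the commit message does not match what the dropped patch did. The patch made nss ignore /proc/sys/crypto/fips_enabled unless NSS_FORCE_FIPS was defined at build time (the nsslowhash.c, pk11util.c and nsssysinit.c hunks above), because with the kernel flag set certutil failed with CKR_DEVICE_ERROR and rpm could not initialise NSS. Removing it means that on an image booted with fips_enabled=1, nss 3.51 will again switch itself into FIPS mode through those /proc checks. The NSS_FIPS_DISABLED macro cited in the message controls something else (alternative implementations when defined, and the message says it is never defined), so it does not restore the previous behaviour. Please state in the commit message whether nss 3.51 has been tested on a fips_enabled=1 target in this layer (certutil -N and rpm -h as in the original report), or keep the patch until that is confirmed.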
diff --git a/recipes-support/nss/nss_3.%.bbappend b/recipes-support/nss/nss_3.%.bbappend
deleted file mode 100644
index 9608ca3..0000000
--- a/recipes-support/nss/nss_3.%.bbappend
+++ /dev/null
@@ -1,4 +0,0 @@
-FIPSINC = ""
-FIPSINC_class-target = "${@'' if d.getVar('OPENSSL_FIPS_ENABLED', True) != '1' else 'nss_fips.inc'}"
-
-require ${FIPSINC}
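Review bot: with the bbappend and nss_fips.inc gone, OPENSSL_FIPS_ENABLED no longer has any effect on nss in this layer. If the layer's README or docs list nss among the recipes that react to that flag, update them in the same commit, and mention in the message that nss_fips.inc had no other users.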
diff --git a/recipes-support/nss/nss_fips.inc b/recipes-support/nss/nss_fips.inc
deleted file mode 100644
index b183f55..0000000
--- a/recipes-support/nss/nss_fips.inc
+++ /dev/null
@@ -1,4 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/nss:"
-SRC_URI += " \
- file://0001-conditionally-enable-fips.patch \
-"
--
2.17.1


Re: [meta-openssl102-fips][PATCH V2] openssh: refresh patches to 8.2p1

Yi Zhao
 

Ping


On 2/20/20 5:24 PM, Yi Zhao wrote:
Refresh patches to openssh-8.2p1.
Reference:
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.7p1-fips.patch
(commit 51f5c1c99f1d20e48328edde666061d0ce0da83b)

Signed-off-by: Yi Zhao <yi.zhao@...>
---
 .../0001-conditional-enable-fips-mode.patch   |  54 ++--
 ...ps.patch => 0001-openssh-8.2p1-fips.patch} | 300 ++++++++----------
 .../openssh/openssh-6.6p1-ctr-cavstest.patch  |  35 +-
 .../openssh/openssh-6.7p1-kdf-cavs.patch      |  35 +-
 recipes-connectivity/openssh/openssh_fips.inc |   2 +-
 5 files changed, 202 insertions(+), 224 deletions(-)
 rename recipes-connectivity/openssh/openssh/{0001-openssh-8.0p1-fips.patch => 0001-openssh-8.2p1-fips.patch} (57%)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index a0f496a..942fda6 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,4 +1,4 @@
-From 60204df9d1f54f581f9ddc5443228550cadd4b4b Mon Sep 17 00:00:00 2001
+From ef6490841a73b4f71ca35e09328c6a8b0ad9dba9 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:03:23 +0800
 Subject: [PATCH] conditional enable fips mode
@@ -56,10 +56,10 @@ index 359204f..346255a 100644
  	log_init(__progname, log_level, log_facility, log_stderr);
  
 diff --git a/sftp.c b/sftp.c
-index b66037f..ca263ac 100644
+index ff14d3c..a633200 100644
 --- a/sftp.c
 +++ b/sftp.c
-@@ -2387,6 +2387,7 @@ main(int argc, char **argv)
+@@ -2390,6 +2390,7 @@ main(int argc, char **argv)
  	size_t num_requests = DEFAULT_NUM_REQUESTS;
  	long long limit_kbps = 0;
  
@@ -68,10 +68,10 @@ index b66037f..ca263ac 100644
  	sanitise_stdfd();
  	msetlocale();
 diff --git a/ssh-add.c b/ssh-add.c
-index ebfb8a3..b7d59bc 100644
+index 8057eb1..19f3da2 100644
 --- a/ssh-add.c
 +++ b/ssh-add.c
-@@ -577,6 +577,7 @@ main(int argc, char **argv)
+@@ -628,6 +628,7 @@ main(int argc, char **argv)
  	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
  	LogLevel log_level = SYSLOG_LEVEL_INFO;
  
@@ -80,10 +80,10 @@ index ebfb8a3..b7d59bc 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-agent.c b/ssh-agent.c
-index 9c6680a..d701479 100644
+index 7eb6f0d..1409044 100644
 --- a/ssh-agent.c
 +++ b/ssh-agent.c
-@@ -1104,6 +1104,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
  	size_t npfd = 0;
  	u_int maxfds;
  
@@ -92,10 +92,10 @@ index 9c6680a..d701479 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cb4982d..84dd269 100644
+index feafe73..9b832f6 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -2800,6 +2800,7 @@ main(int argc, char **argv)
+@@ -3140,6 +3140,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -104,10 +104,10 @@ index cb4982d..84dd269 100644
  	sanitise_stdfd();
  
 diff --git a/ssh-keyscan.c b/ssh-keyscan.c
-index 5de0508..0644261 100644
+index a5e6440..e56a9d1 100644
 --- a/ssh-keyscan.c
 +++ b/ssh-keyscan.c
-@@ -663,6 +663,7 @@ main(int argc, char **argv)
+@@ -675,6 +675,7 @@ main(int argc, char **argv)
  	extern int optind;
  	extern char *optarg;
  
@@ -116,7 +116,7 @@ index 5de0508..0644261 100644
  	seed_rng();
  	TAILQ_INIT(&tq);
 diff --git a/ssh-keysign.c b/ssh-keysign.c
-index 6cfd5b4..23cf403 100644
+index 3e3ea3e..4804c42 100644
 --- a/ssh-keysign.c
 +++ b/ssh-keysign.c
 @@ -173,6 +173,7 @@ main(int argc, char **argv)
@@ -128,10 +128,10 @@ index 6cfd5b4..23cf403 100644
  		fatal("%s: pledge: %s", __progname, strerror(errno));
  
 diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
-index 3bcc244..6a78a1a 100644
+index 17220d6..1af0c2e 100644
 --- a/ssh-pkcs11-helper.c
 +++ b/ssh-pkcs11-helper.c
-@@ -325,6 +325,7 @@ main(int argc, char **argv)
+@@ -332,6 +332,7 @@ main(int argc, char **argv)
  	extern char *__progname;
  	struct pollfd pfd[2];
  
@@ -140,22 +140,22 @@ index 3bcc244..6a78a1a 100644
  	seed_rng();
  	TAILQ_INIT(&pkcs11_keylist);
 diff --git a/ssh.c b/ssh.c
-index 0724df4..9178673 100644
+index 49331fc..06836dd 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -598,6 +598,7 @@ main(int ac, char **av)
- 	struct ssh_digest_ctx *md;
+@@ -606,6 +606,7 @@ main(int ac, char **av)
  	u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+ 	size_t n, len;
  
 +	ssh_enable_fips_mode();
  	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  	sanitise_stdfd();
  
 diff --git a/sshd.c b/sshd.c
-index 2bf8939..c75e34a 100644
+index b86d682..304bf01 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1443,6 +1443,7 @@ main(int ac, char **av)
+@@ -1514,6 +1514,7 @@ main(int ac, char **av)
  	Authctxt *authctxt;
  	struct connection_info *connection_info = NULL;
  
@@ -164,7 +164,7 @@ index 2bf8939..c75e34a 100644
  	(void)set_auth_parameters(ac, av);
  #endif
 diff --git a/xmalloc.c b/xmalloc.c
-index 9cd0127..e2f8145 100644
+index b48d33b..456a063 100644
 --- a/xmalloc.c
 +++ b/xmalloc.c
 @@ -23,6 +23,10 @@
@@ -178,9 +178,9 @@ index 9cd0127..e2f8145 100644
  #include "xmalloc.h"
  #include "log.h"
  
-@@ -110,3 +114,19 @@ xasprintf(char **ret, const char *fmt, ...)
- 
- 	return (i);
+@@ -117,3 +121,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ 	va_end(ap);
+ 	return i;
  }
 +
 +void
@@ -199,13 +199,13 @@ index 9cd0127..e2f8145 100644
 +    }
 +}
 diff --git a/xmalloc.h b/xmalloc.h
-index 1d5f62d..d71b8a8 100644
+index abaf7ad..b3b1c8c 100644
 --- a/xmalloc.h
 +++ b/xmalloc.h
-@@ -24,3 +24,4 @@ char	*xstrdup(const char *);
- int	 xasprintf(char **, const char *, ...)
-                 __attribute__((__format__ (printf, 2, 3)))
+@@ -26,3 +26,4 @@ int	 xasprintf(char **, const char *, ...)
                  __attribute__((__nonnull__ (2)));
+ int	 xvasprintf(char **, const char *, va_list)
+ 		__attribute__((__nonnull__ (2)));
 +void	ssh_enable_fips_mode(void);
 -- 
 2.7.4
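Review bot: ssh_enable_fips_mode() is still declared in xmalloc.h and defined in xmalloc.c, which has nothing to do with memory allocation. While the patch is being rebased anyway, a separate fips.c/fips.h (or at least a comment on the prototype saying why it lives here) would make the next refresh easier and keep the -lfipscheck dependency visible next to the function that needs it.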
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
similarity index 57%
rename from recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
rename to recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
index 0e35e31..c1de130 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.2p1-fips.patch
@@ -1,7 +1,7 @@
-From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
+From c51dd44e1c594ddeb3a27ae5d9be2899e4bf2ac6 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 11:45:38 +0800
-Subject: [PATCH] openssh 8.0p1 fips
+Subject: [PATCH] openssh 8.2p1 fips
 
 Port openssh-7.7p1-fips.patch from Fedora
 https://src.fedoraproject.org/rpms/openssh.git
@@ -10,30 +10,33 @@ https://src.fedoraproject.org/rpms/openssh.git
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+
+Rebase to 8.2p1
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in              | 14 +++++++-------
  cipher-ctr.c             |  3 ++-
- clientloop.c             |  3 ++-
+ clientloop.c             |  2 +-
  dh.c                     | 40 ++++++++++++++++++++++++++++++++++++++++
  dh.h                     |  1 +
  kex.c                    |  5 ++++-
  kexgexc.c                |  5 +++++
- myproposal.h             | 40 ++++++++++++++++++++++++++++++++++++++++
- readconf.c               | 17 +++++++++--------
+ myproposal.h             | 35 +++++++++++++++++++++++++++++++++++
+ readconf.c               | 15 ++++++++++-----
  sandbox-seccomp-filter.c |  3 +++
- servconf.c               | 19 ++++++++++---------
- ssh-keygen.c             | 17 ++++++++++++++++-
+ servconf.c               | 15 ++++++++++-----
+ ssh-keygen.c             | 16 +++++++++++++++-
  ssh.c                    | 16 ++++++++++++++++
- sshconnect2.c            | 11 ++++++++---
+ sshconnect2.c            |  8 ++++++--
  sshd.c                   | 19 +++++++++++++++++++
  sshkey.c                 |  4 ++++
- 16 files changed, 186 insertions(+), 31 deletions(-)
+ 16 files changed, 178 insertions(+), 23 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index adb1977..37aec69 100644
+index e754947..57f94f4 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -206,25 +206,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -44,34 +47,36 @@ index adb1977..37aec69 100644
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
  
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- 	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
+ 	$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
--	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
+-	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
--	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
+-	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
--	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
+-	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
--	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+	$(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
+-	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++	$(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ 	$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -233,7 +233,7 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
--	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+-	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
- 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+ 	$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
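Review bot: ssh-sk-helper, new in 8.2p1 and visible in the context, is neither linked with -lfipscheck nor among the binaries that call ssh_enable_fips_mode() in the companion patch. If that is deliberate because it only brokers FIDO keys and does no OpenSSL crypto of its own, say so in the commit message; otherwise it is the one program that escapes the FIPS self-check. Separately, ssh-keyscan now gets -lfipscheck after the trailing -lssh where the previous version put it before; libssh.a is already on the line ahead of it either way, so both resolve, but keeping the placement consistent with the other targets avoids the question.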
 diff --git a/cipher-ctr.c b/cipher-ctr.c
 index 32771f2..74fac3b 100644
 --- a/cipher-ctr.c
@@ -87,16 +92,15 @@ index 32771f2..74fac3b 100644
  	return (&aes_ctr);
  }
 diff --git a/clientloop.c b/clientloop.c
-index b5a1f70..0b675fe 100644
+index ebd0dbc..b3e0c19 100644
 --- a/clientloop.c
 +++ b/clientloop.c
-@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2083,7 +2083,7 @@ static int
+ key_accepted_by_hostkeyalgs(const struct sshkey *key)
  {
  	const char *ktype = sshkey_ssh_name(key);
- 	const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
--	    options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
-+	    options.hostkeyalgorithms : (FIPS_mode() ?
-+	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
+-	const char *hostkeyalgs = options.hostkeyalgorithms;
++	const char *hostkeyalgs = (FIPS_mode() ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms);
  
  	if (key == NULL || key->type == KEY_UNSPEC)
  		return 0;
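Review bot: in FIPS mode this now discards options.hostkeyalgorithms entirely, including a value the user set with HostKeyAlgorithms, whereas the previous version only substituted the FIPS list for the built-in default when the option was unset. The removed NULL check shows that in 8.2p1 the option is already populated when key_accepted_by_hostkeyalgs() runs, and the readconf.c hunk in this patch already feeds KEX_FIPS_PK_ALG into the defaults, so this line can most likely go back to `const char *hostkeyalgs = options.hostkeyalgorithms;`. If hostkeyalgorithms is assembled without the FIPS default somewhere not shown here, add it there rather than overriding at this point. Also, KEX_FIPS_PK_ALG is used here without match_filter_whitelist, so it will name ecdsa-sha2-nistp521 even on an OpenSSL build that lacks the curve, now that the OPENSSL_HAS_NISTP521 guard is gone from myproposal.h.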
@@ -169,10 +173,10 @@ index 5d6df62..54c7aa2 100644
  u_int	 dh_estimate(int);
  
 diff --git a/kex.c b/kex.c
-index 49d7015..f1f982d 100644
+index ce85f04..9cc14de 100644
 --- a/kex.c
 +++ b/kex.c
-@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
+@@ -163,7 +163,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';
  	    (p = strsep(&cp, ","))) {
  		if (kex_alg_by_name(p) == NULL) {
@@ -185,7 +189,7 @@ index 49d7015..f1f982d 100644
  			return 0;
  		}
 diff --git a/kexgexc.c b/kexgexc.c
-index 1c65b8a..b6b25bf 100644
+index 323a659..812112d 100644
 --- a/kexgexc.c
 +++ b/kexgexc.c
 @@ -28,6 +28,7 @@
@@ -208,97 +212,86 @@ index 1c65b8a..b6b25bf 100644
  
  	/* generate and send 'e', client DH public key */
 diff --git a/myproposal.h b/myproposal.h
-index 34bd10c..a3ae74b 100644
+index 5312e60..d0accae 100644
 --- a/myproposal.h
 +++ b/myproposal.h
-@@ -111,6 +111,14 @@
+@@ -57,6 +57,20 @@
  	"rsa-sha2-256," \
  	"ssh-rsa"
  
 +#define	KEX_FIPS_PK_ALG	\
-+	HOSTKEY_ECDSA_CERT_METHODS \
++	"ecdsa-sha2-nistp256-cert-v01@...," \
++	"ecdsa-sha2-nistp384-cert-v01@...," \
++	"ecdsa-sha2-nistp521-cert-v01@...," \
++	"rsa-sha2-512-cert-v01@...," \
++	"rsa-sha2-256-cert-v01@...," \
 +	"ssh-rsa-cert-v01@...," \
-+	HOSTKEY_ECDSA_METHODS \
++	"ecdsa-sha2-nistp256," \
++	"ecdsa-sha2-nistp384," \
++	"ecdsa-sha2-nistp521," \
 +	"rsa-sha2-512," \
 +	"rsa-sha2-256," \
 +	"ssh-rsa"
 +
- /* the actual algorithms */
- 
- #define KEX_SERVER_ENCRYPT \
-@@ -134,6 +142,38 @@
+ #define	KEX_SERVER_ENCRYPT \
+ 	"chacha20-poly1305@...," \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr," \
+@@ -78,6 +92,27 @@
  
  #define KEX_CLIENT_MAC KEX_SERVER_MAC
  
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
-+	"aes192-cbc,aes256-cbc,rijndael-cbc@..." \
-+	AESGCM_CIPHER_MODES
-+#ifdef HAVE_EVP_SHA256
-+# define KEX_DEFAULT_KEX_FIPS		\
-+	KEX_ECDH_METHODS \
-+	KEX_SHA2_METHODS \
++	"aes192-cbc,aes256-cbc,rijndael-cbc@...," \
++	"aes128-gcm@...,aes256-gcm@..."
++#define KEX_DEFAULT_KEX_FIPS		\
++	"ecdh-sha2-nistp256," \
++	"ecdh-sha2-nistp384," \
++	"ecdh-sha2-nistp521," \
++	"diffie-hellman-group-exchange-sha256," \
++	"diffie-hellman-group16-sha512," \
++	"diffie-hellman-group18-sha512," \
 +	"diffie-hellman-group14-sha256"
-+# define KEX_FIPS_MAC \
++#define KEX_FIPS_MAC \
 +	"hmac-sha1," \
 +	"hmac-sha2-256," \
 +	"hmac-sha2-512," \
 +	"hmac-sha1-etm@...," \
 +	"hmac-sha2-256-etm@...," \
 +	"hmac-sha2-512-etm@..."
-+#else
-+# ifdef OPENSSL_HAS_NISTP521
-+#  define KEX_DEFAULT_KEX_FIPS		\
-+	"ecdh-sha2-nistp256," \
-+	"ecdh-sha2-nistp384," \
-+	"ecdh-sha2-nistp521"
-+# else
-+#  define KEX_DEFAULT_KEX_FIPS		\
-+	"ecdh-sha2-nistp256," \
-+	"ecdh-sha2-nistp384"
-+# endif
-+#define        KEX_FIPS_MAC \
-+       "hmac-sha1"
-+#endif
 +
  /* Not a KEX value, but here so all the algorithm defaults are together */
  #define	SSH_ALLOWED_CA_SIGALGS	\
- 	HOSTKEY_ECDSA_METHODS \
+ 	"ecdsa-sha2-nistp256," \
 diff --git a/readconf.c b/readconf.c
-index f78b4d6..2f56ed2 100644
+index f3cac6b..26b9a59 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
- 	all_kex = kex_alg_list(',');
+@@ -2187,11 +2187,16 @@ fill_default_options(Options * options)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ 	/* remove unsupported algos from default lists */
+-	def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
+-	def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
+-	def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
+-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
++	def_mac = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
++	def_kex = match_filter_whitelist((FIPS_mode() ?
++	    KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
++	def_key = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++	def_sig = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
  	do { \
  		if ((r = kex_assemble_names(&options->what, \
--		    defaults, all)) != 0) \
-+		    (FIPS_mode() ? fips_defaults : defaults), \
-+		    all)) != 0) \
- 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- 	} while (0)
--	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, all_cipher);
--	ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
--	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
--	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	ASSEMBLE(ciphers, KEX_CLIENT_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+	ASSEMBLE(macs, KEX_CLIENT_MAC, KEX_FIPS_MAC, all_mac);
-+	ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- 	free(all_cipher);
- 	free(all_mac);
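Review bot: `def_sig = match_filter_whitelist((FIPS_mode() ? KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);` feeds host-key and certificate type names into the CA signature algorithm list. The *-cert-v01@... entries are not signature algorithms; all_sig comes from sshkey_alg_list(0, 1, 1, ','), which excludes certificate types, so they are silently filtered out rather than rejected. It works, but a dedicated KEX_FIPS_CA_SIGALGS holding only the plain key algorithms would make the intent explicit and stop the two FIPS lists from diverging unnoticed. Moving from the extra fips_defaults argument on ASSEMBLE to 8.2p1's def_* variables is a good simplification, and the same comment applies to the servconf.c hunk.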
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index b5cda70..f0607a3 100644
+index f80981f..00702a7 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
 @@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
@@ -312,43 +305,36 @@ index b5cda70..f0607a3 100644
  	SC_DENY(__NR_openat, EACCES),
  #endif
 diff --git a/servconf.c b/servconf.c
-index e76f9c3..591d437 100644
+index 70f5f73..815beaf 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
- 	all_kex = kex_alg_list(',');
+@@ -212,11 +212,16 @@ assemble_algorithms(ServerOptions *o)
  	all_key = sshkey_alg_list(0, 0, 1, ',');
  	all_sig = sshkey_alg_list(0, 1, 1, ',');
--#define ASSEMBLE(what, defaults, all) \
-+#define ASSEMBLE(what, defaults, fips_defaults, all) \
+ 	/* remove unsupported algos from default lists */
+-	def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
+-	def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
+-	def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
+-	def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
+-	def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
++	def_cipher = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
++	def_mac = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
++	def_kex = match_filter_whitelist((FIPS_mode() ?
++	    KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
++	def_key = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
++	def_sig = match_filter_whitelist((FIPS_mode() ?
++	    KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
+ #define ASSEMBLE(what, defaults, all) \
  	do { \
--		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-+		if ((r = kex_assemble_names(&o->what, (FIPS_mode() \
-+		    ? fips_defaults : defaults), all)) != 0) \
- 			fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \
- 	} while (0)
--	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher);
--	ASSEMBLE(macs, KEX_SERVER_MAC, all_mac);
--	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
--	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
--	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
-+	ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
-+	ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
-+	ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
-+	ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
-+	ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
- #undef ASSEMBLE
- 	free(all_cipher);
- 	free(all_mac);
+ 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 8c829ca..cb4982d 100644
+index 0d6ed1f..feafe73 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
-@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+@@ -204,6 +204,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
  #endif
  	}
  #ifdef WITH_OPENSSL
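Review bot: the FIPS substitution in assemble_algorithms only swaps the default lists (def_cipher, def_mac, def_kex, def_key, def_sig); ASSEMBLE still calls kex_assemble_names(&o->what, defaults, all) with the unfiltered all_* lists, so an explicit Ciphers, MACs or KexAlgorithms line in sshd_config that names a non-approved algorithm still passes this function in FIPS mode. If that case is meant to be rejected elsewhere, say so in a comment next to the ternaries; otherwise run the all_* lists through the same FIPS_mode() selection. Separately, def_sig substitutes KEX_FIPS_PK_ALG for SSH_ALLOWED_CA_SIGALGS but is then matched against all_sig = sshkey_alg_list(0, 1, 1, ','), the plain (non-certificate) signature algorithms; confirm KEX_FIPS_PK_ALG holds only plain algorithm names, or match_filter_whitelist will drop the certificate entries and the CA signature default in FIPS mode will be shorter than intended.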
@@ -361,17 +347,16 @@ index 8c829ca..cb4982d 100644
  	switch (type) {
  	case KEY_DSA:
  		if (*bitsp != 1024)
-@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1088,9 +1094,17 @@ do_gen_all_hostkeys(struct passwd *pw)
  			first = 1;
  			printf("%s: generating new host keys: ", __progname);
  		}
-+
 +		type = sshkey_type_from_name(key_types[i].key_type);
 +
 +		/* Skip the keys that are not supported in FIPS mode */
 +		if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
 +			logit("Skipping %s key in FIPS mode",
-+				key_types[i].key_type_display);
++			    key_types[i].key_type_display);
 +			goto next;
 +		}
 +
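Review bot: the FIPS skip in do_gen_all_hostkeys names only KEY_DSA and KEY_ED25519 and the rebase adds no comment on why ED25519 is excluded while ECDSA is kept; add one, and check whether key_types[] in 8.2p1 has further entries (for example an XMSS type, which sshkey.c guards with #ifdef WITH_XMSS) that should be skipped the same way rather than generated in FIPS mode. The whitespace-only part of this hunk (dropping the blank '+' line and re-indenting key_types[i].key_type_display) is fine.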
@@ -382,10 +367,10 @@ index 8c829ca..cb4982d 100644
  			error("Could not save your public key in %s: %s",
  			    prv_tmp, strerror(errno));
 diff --git a/ssh.c b/ssh.c
-index ee51823..0724df4 100644
+index 15aee56..49331fc 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -76,6 +76,8 @@
+@@ -77,6 +77,8 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
  #endif
@@ -394,7 +379,7 @@ index ee51823..0724df4 100644
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -600,6 +602,16 @@ main(int ac, char **av)
+@@ -608,6 +610,16 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -411,7 +396,7 @@ index ee51823..0724df4 100644
  
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
-@@ -614,6 +626,10 @@ main(int ac, char **av)
+@@ -622,6 +634,10 @@ main(int ac, char **av)
  
  	seed_rng();
  
@@ -423,7 +408,7 @@ index ee51823..0724df4 100644
  	 * Discard other fds that are hanging around. These can cause problem
  	 * with backgrounded ssh processes started by ControlPersist.
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 87fa70a..a42aacb 100644
+index af00fb3..639fc51 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -44,6 +44,8 @@
@@ -435,37 +420,28 @@ index 87fa70a..a42aacb 100644
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -119,7 +121,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
  	for (i = 0; i < options.num_system_hostfiles; i++)
  		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
  
--	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
+-	oavail = avail = xstrdup(options.hostkeyalgorithms);
 +	oavail = avail = xstrdup((FIPS_mode()
-+	    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
++	    ? KEX_FIPS_PK_ALG : options.hostkeyalgorithms));
  	maxlen = strlen(avail) + 1;
  	first = xmalloc(maxlen);
  	last = xmalloc(maxlen);
-@@ -179,14 +182,16 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- 	if (options.hostkeyalgorithms != NULL) {
- 		all_key = sshkey_alg_list(0, 0, 1, ',');
- 		if (kex_assemble_names(&options.hostkeyalgorithms,
--		    KEX_DEFAULT_PK_ALG, all_key) != 0)
-+		    (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),
-+		    all_key) != 0)
- 			fatal("%s: kex_assemble_namelist", __func__);
- 		free(all_key);
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    compat_pkalg_proposal(options.hostkeyalgorithms);
- 	} else {
- 		/* Enforce default */
--		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
-+		options.hostkeyalgorithms = xstrdup((FIPS_mode()
-+		    ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
- 		/* Prefer algorithms that we already have keys for */
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    compat_pkalg_proposal(
+@@ -179,7 +182,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
+ 	/* Expand or fill in HostkeyAlgorithms */
+ 	all_key = sshkey_alg_list(0, 0, 1, ',');
+ 	if (kex_assemble_names(&options.hostkeyalgorithms,
+-	    kex_default_pk_alg(), all_key) != 0)
++	    (FIPS_mode() ? KEX_FIPS_PK_ALG : kex_default_pk_alg()),
++	    all_key) != 0)
+ 		fatal("%s: kex_assemble_namelist", __func__);
+ 	free(all_key);
+ 
 diff --git a/sshd.c b/sshd.c
-index f8dee0f..2bf8939 100644
+index 5b9a0b5..b86d682 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -66,6 +66,7 @@
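Review bot: in order_hostkeyalgs the rebased line starts from KEX_FIPS_PK_ALG whenever FIPS_mode() is set, where upstream now starts from options.hostkeyalgorithms; a user-configured HostkeyAlgorithms, which the ssh_kex2 hunk just below expands with kex_assemble_names against the FIPS default, is therefore ignored in this function in FIPS mode. The two hunks should agree: either filter options.hostkeyalgorithms against KEX_FIPS_PK_ALG here, or leave the upstream line in place and rely on the FIPS default already applied in ssh_kex2.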
@@ -485,7 +461,7 @@ index f8dee0f..2bf8939 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
-@@ -1445,6 +1448,18 @@ main(int ac, char **av)
+@@ -1516,6 +1519,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -504,7 +480,7 @@ index f8dee0f..2bf8939 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1910,6 +1925,10 @@ main(int ac, char **av)
+@@ -1990,6 +2005,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -516,7 +492,7 @@ index f8dee0f..2bf8939 100644
  	   unmounted if desired. */
  	if (chdir("/") == -1)
 diff --git a/sshkey.c b/sshkey.c
-index ef90563..1b1ba01 100644
+index 57995ee..3fa4274 100644
 --- a/sshkey.c
 +++ b/sshkey.c
 @@ -34,6 +34,7 @@
@@ -532,10 +508,10 @@ index ef90563..1b1ba01 100644
  #include "sshkey.h"
  #include "match.h"
 +#include "log.h"
+ #include "ssh-sk.h"
  
  #ifdef WITH_XMSS
- #include "sshkey-xmss.h"
-@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1597,6 +1599,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
  	}
  	if (!BN_set_word(f4, RSA_F4) ||
  	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 8b74451..c7635b2 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,4 +1,4 @@
-From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
+From bf3211bbff5cb9e1ef588f74844b04e09a9ad2b6 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:05:19 +0800
 Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers
@@ -18,6 +18,7 @@ Signed-off-by: Mark Hatle <mark.hatle@...>
 
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in    |   7 +-
  ctr-cavstest.c | 215 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -25,7 +26,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
  create mode 100644 ctr-cavstest.c
 
 diff --git a/Makefile.in b/Makefile.in
-index 37aec69..1d6e298 100644
+index 57f94f4..0accd89 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -34,35 +35,35 @@ index 37aec69..1d6e298 100644
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,7 +61,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -68,7 +69,7 @@ MKDIR_P=@MKDIR_P@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+@@ -232,6 +233,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
+ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
+ 	$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
  
 +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
 +	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 +
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
-@@ -348,6 +352,7 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+@@ -389,6 +393,7 @@ install-files:
  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
++	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 diff --git a/ctr-cavstest.c b/ctr-cavstest.c
 new file mode 100644
 index 0000000..0d4776b
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 0cbccd7..4a0ae2c 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,4 +1,4 @@
-From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
+From a2c2c21275ea701c2f0ae54bf5945c92860e9208 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@...>
 Date: Sat, 21 Dec 2019 13:08:52 +0800
 Subject: [PATCH] add KDF CAVS test driver
@@ -19,6 +19,7 @@ Signed-off-by: Mark Hatle <mark.hatle@...>
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@...>
+Signed-off-by: Yi Zhao <yi.zhao@...>
 ---
  Makefile.in        |   8 +-
  ssh-cavs.c         | 387 +++++++++++++++++++++++++++++++++++++++++++++++++++++
@@ -28,7 +29,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
  create mode 100644 ssh-cavs_driver.pl
 
 diff --git a/Makefile.in b/Makefile.in
-index 1d6e298..be28411 100644
+index 0accd89..5789323 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -37,36 +38,36 @@ index 1d6e298..be28411 100644
  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
 +SSH_CAVS=$(libexecdir)/ssh-cavs
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
  PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -61,7 +62,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
+ .SUFFIXES: .lo
+ 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
  
  XMSS_OBJS=\
  	ssh-xmss.o \
-@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -236,6 +237,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
-+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
-+	$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
++	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- 	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
-@@ -353,6 +357,8 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- 	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+@@ -394,6 +398,8 @@ install-files:
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
 +	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 diff --git a/ssh-cavs.c b/ssh-cavs.c
 new file mode 100644
 index 0000000..b74ae7f
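Review bot: ssh-cavs now links $(SKOBJS), presumably because libssh.a's sshkey.o references the security-key client code in 8.2p1, but the ctr-cavstest rule left in place from the previous patch still reads `libssh.a ctr-cavstest.o` with no $(SKOBJS); if ctr-cavstest pulls sshkey.o out of libssh.a it will hit the same undefined references, so either give both drivers the same object list or note why ctr-cavstest does not need it. Also confirm that $(SKOBJS) does not in turn need $(LIBFIDO2), which ssh-sk-helper links and ssh-cavs does not.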
diff --git a/recipes-connectivity/openssh/openssh_fips.inc b/recipes-connectivity/openssh/openssh_fips.inc
index 0eafb98..c74532f 100644
--- a/recipes-connectivity/openssh/openssh_fips.inc
+++ b/recipes-connectivity/openssh/openssh_fips.inc
@@ -6,7 +6,7 @@ DEPENDS += " \
 RRECOMMENDS_${PN}-sshd_remove = "rng-tools"
 
 SRC_URI += " \
-    file://0001-openssh-8.0p1-fips.patch \
+    file://0001-openssh-8.2p1-fips.patch \
     file://0001-conditional-enable-fips-mode.patch \
     file://openssh-6.6p1-ctr-cavstest.patch \
     file://openssh-6.7p1-kdf-cavs.patch \
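Review bot: the renamed patch carries the OpenSSH version in its filename (0001-openssh-8.2p1-fips.patch) while the two CAVS patches rebased in the same change keep their 6.6p1 and 6.7p1 names; pick one convention, version-free names or renaming all three, so the next rebase does not need another SRC_URI edit and the filenames stop suggesting that only one of the three patches was refreshed.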


    


Re: [yocto-announce] [ANNOUNCEMENT]Milestone 3 for Yocto Project 3.1 (yocto-3.1_M3) now available

Armin Kuster
 



On 3/26/20 3:08 PM, Vineela wrote:
Hello,

We are pleased to announce the third milestone release for Yocto Project 3.1 (yocto-3.1_M3) is now available for download.

Thanks to all who got this out considering the new challenges we all face.

Armin

Download:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-3.1_M3

bitbake: e67dfa4a4d0d63e4752655f25367582e5a95f1da
meta-gplv2: 60b251c25ba87e946a0ca4cdc8d17b1cb09292ac
meta-intel: 60773e8496370d821309e00f2c312128a130c22b
meta-mingw: 524de686205b5d6736661d4532f5f98fee8589b7
oecore: 61d80b07bcfa4adf5f1feb2904fec0a8d09c89f6
poky: 6f02caa39985fb89d9ad49e1f788a9a8dd6e12d7

Full Test Report:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-3.1_M3/testreport.txt

From 3.1_M3, the checksum used is moved from md5sum to sha256.

Thank you.

Vineela Tummalapalli
vineela.tummalapalli@...
Yocto Project Build and Release


    


[ANNOUNCEMENT]Milestone 3 for Yocto Project 3.1 (yocto-3.1_M3) now available

Vineela
 

Hello,

We are pleased to announce the third milestone release for Yocto Project 3.1 (yocto-3.1_M3) is now available for download.

Download:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-3.1_M3

bitbake: e67dfa4a4d0d63e4752655f25367582e5a95f1da
meta-gplv2: 60b251c25ba87e946a0ca4cdc8d17b1cb09292ac
meta-intel: 60773e8496370d821309e00f2c312128a130c22b
meta-mingw: 524de686205b5d6736661d4532f5f98fee8589b7
oecore: 61d80b07bcfa4adf5f1feb2904fec0a8d09c89f6
poky: 6f02caa39985fb89d9ad49e1f788a9a8dd6e12d7

Full Test Report:

http://downloads.yoctoproject.org/releases/yocto/milestones/yocto-3.1_M3/testreport.txt

From 3.1_M3, the checksum used is moved from md5sum to sha256.

Thank you.

Vineela Tummalapalli
vineela.tummalapalli@...
Yocto Project Build and Release


[meta-cgl][PATCH] layer.conf: add dunfell

Jeremy Puhlman
 

Signed-off-by: Jeremy A. Puhlman <jpuhlman@...>
---
meta-cgl-common/conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-cgl-common/conf/layer.conf b/meta-cgl-common/conf/layer.conf
index a48f96e..6035b4b 100644
--- a/meta-cgl-common/conf/layer.conf
+++ b/meta-cgl-common/conf/layer.conf
@@ -11,6 +11,6 @@ BBFILE_PRIORITY_cgl-common = "7"

LAYERDEPENDS_cgl-common = "core openembedded-layer networking-layer perl-layer filesystems-layer security selinux"

-LAYERSERIES_COMPAT_cgl-common = "warrior zeus"
+LAYERSERIES_COMPAT_cgl-common = "warrior zeus dunfell"

require conf/distro/include/cgl_common_security_flags.inc
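Review bot: adding dunfell to LAYERSERIES_COMPAT_cgl-common only holds up if every layer in LAYERDEPENDS_cgl-common (core, openembedded-layer, networking-layer, perl-layer, filesystems-layer, security, selinux) declares dunfell as well, and the commit message does not say which of them were checked or whether the layer was build-tested on dunfell; please state that. Keeping warrior and zeus alongside dunfell is fine as long as the recipes are actually exercised on all three.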
--
2.13.3


[meta-cgl][PATCH] pacemaker: add missing patch for python3 usage

Jeremy Puhlman
 

From: Jeremy Puhlman <jpuhlman@...>

---
.../pacemaker/0001-Fix-python3-usage.patch | 176 +++++++++++++++++++++
1 file changed, 176 insertions(+)
create mode 100644 meta-cgl-common/recipes-cgl/pacemaker/pacemaker/0001-Fix-python3-usage.patch

diff --git a/meta-cgl-common/recipes-cgl/pacemaker/pacemaker/0001-Fix-python3-usage.patch b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker/0001-Fix-python3-usage.patch
new file mode 100644
index 0000000..05d7a76
--- /dev/null
+++ b/meta-cgl-common/recipes-cgl/pacemaker/pacemaker/0001-Fix-python3-usage.patch
@@ -0,0 +1,176 @@
+From fdefa9efc726fe704238d462a3dc207e0282fb9e Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@...>
+Date: Sun, 15 Mar 2020 21:09:33 +0000
+Subject: [PATCH] Fix python3 usage
+
+Signed-off-by: Jeremy Puhlman <jpuhlman@...>
+Upstream-Status: Pending
+---
+ cts/CTSlab.py.in | 2 +-
+ cts/OCFIPraTest.py.in | 2 +-
+ cts/cluster_test.in | 2 +-
+ cts/cts-exec.in | 2 +-
+ cts/cts-fencing.in | 2 +-
+ cts/cts-log-watcher.in | 2 +-
+ cts/cts-scheduler.in | 2 +-
+ cts/environment.py | 2 +-
+ cts/fence_dummy.in | 2 +-
+ cts/pacemaker-cts-dummyd.in | 2 +-
+ daemons/fenced/fence_legacy.in | 2 +-
+ doc/Pacemaker_Development/en-US/Ch-Python.txt | 2 +-
+ doc/Pacemaker_Development/pot/Ch-Python.pot | 2 +-
+ tools/pcmk_simtimes.in | 2 +-
+ 14 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/cts/CTSlab.py.in b/cts/CTSlab.py.in
+index f4ae60dc1..55a0d4ecf 100644
+--- a/cts/CTSlab.py.in
++++ b/cts/CTSlab.py.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Command-line interface to Pacemaker's Cluster Test Suite (CTS)
+ """
+
+diff --git a/cts/OCFIPraTest.py.in b/cts/OCFIPraTest.py.in
+index 81a5da8c0..bbadf938a 100644
+--- a/cts/OCFIPraTest.py.in
++++ b/cts/OCFIPraTest.py.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+
+ '''OCF IPaddr/IPaddr2 Resource Agent Test'''
+
+diff --git a/cts/cluster_test.in b/cts/cluster_test.in
+index e0d28509d..f982be05a 100755
+--- a/cts/cluster_test.in
++++ b/cts/cluster_test.in
+@@ -171,4 +171,4 @@ printf "\nAll set to go for %d iterations!\n" "$CTS_numtests"
+ || echo "+ To use a different configuration, remove ~/.cts and re-run cts (or edit it manually)."
+
+ echo Now paste the following command into this shell:
+-echo "@PYTHON@ `dirname "$0"`/CTSlab.py -L \"$CTS_logfile\" --syslog-facility \"$CTS_logfacility\" --no-unsafe-tests --stack \"$CTS_stack\" $CTS_adv --at-boot \"$CTS_boot\" $cts_extra \"$CTS_numtests\" --nodes \"$CTS_node_list\""
++echo "/usr/bin/env python3 `dirname "$0"`/CTSlab.py -L \"$CTS_logfile\" --syslog-facility \"$CTS_logfacility\" --no-unsafe-tests --stack \"$CTS_stack\" $CTS_adv --at-boot \"$CTS_boot\" $cts_extra \"$CTS_numtests\" --nodes \"$CTS_node_list\""
+diff --git a/cts/cts-exec.in b/cts/cts-exec.in
+index 592d850b4..9a653a442 100644
+--- a/cts/cts-exec.in
++++ b/cts/cts-exec.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Regression tests for Pacemaker's pacemaker-execd
+ """
+
+diff --git a/cts/cts-fencing.in b/cts/cts-fencing.in
+index 2d9999ca0..8e3fb7203 100644
+--- a/cts/cts-fencing.in
++++ b/cts/cts-fencing.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Regression tests for Pacemaker's fencer
+ """
+
+diff --git a/cts/cts-log-watcher.in b/cts/cts-log-watcher.in
+index 28f4efe7f..b4ed5024f 100644
+--- a/cts/cts-log-watcher.in
++++ b/cts/cts-log-watcher.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Remote log reader for Pacemaker's Cluster Test Suite (CTS)
+
+ Reads a specified number of lines from the supplied offset
+diff --git a/cts/cts-scheduler.in b/cts/cts-scheduler.in
+index 8fa16fb69..d4306b02b 100644
+--- a/cts/cts-scheduler.in
++++ b/cts/cts-scheduler.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Regression tests for Pacemaker's scheduler
+ """
+
+diff --git a/cts/environment.py b/cts/environment.py
+index db9d3db16..9d103fda9 100644
+--- a/cts/environment.py
++++ b/cts/environment.py
+@@ -639,7 +639,7 @@ class Environment(object):
+ print("\t [--yes | -y] continue to run cts when there is an interaction whether to continue running pacemaker-cts")
+ print("\t ")
+ print("\t Example: ")
+- # @PYTHON@ would be better here but not worth making file this a .in
++ # /usr/bin/env python3 would be better here but not worth making file this a .in
+ print("\t python sys.argv[0] -g virt1 -r --stonith ssh --schema pacemaker-2.0 500")
+
+ sys.exit(status)
+diff --git a/cts/fence_dummy.in b/cts/fence_dummy.in
+index a2692b1e0..f1d111205 100644
+--- a/cts/fence_dummy.in
++++ b/cts/fence_dummy.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """Dummy fence agent for testing
+ """
+
+diff --git a/cts/pacemaker-cts-dummyd.in b/cts/pacemaker-cts-dummyd.in
+index bde98c5c9..c2e6d89f4 100644
+--- a/cts/pacemaker-cts-dummyd.in
++++ b/cts/pacemaker-cts-dummyd.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Slow-starting idle daemon that notifies systemd when it starts
+ """
+
+diff --git a/daemons/fenced/fence_legacy.in b/daemons/fenced/fence_legacy.in
+index 7324757e3..136125322 100755
+--- a/daemons/fenced/fence_legacy.in
++++ b/daemons/fenced/fence_legacy.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+
+ # Pacemaker targets compatibility with Python 2.7 and 3.2+
+ from __future__ import print_function, unicode_literals, absolute_import, division
+diff --git a/doc/Pacemaker_Development/en-US/Ch-Python.txt b/doc/Pacemaker_Development/en-US/Ch-Python.txt
+index 42d35b649..467e1c524 100644
+--- a/doc/Pacemaker_Development/en-US/Ch-Python.txt
++++ b/doc/Pacemaker_Development/en-US/Ch-Python.txt
+@@ -17,7 +17,7 @@ If a Python file is meant to be executed (as opposed to imported), it should
+ have a +.in+ extension, and its first line should be:
+ ====
+ ----
+-#!@PYTHON@
++#!/usr/bin/env python3
+ ----
+ ====
+ which will be replaced with the appropriate python executable when Pacemaker is
+diff --git a/doc/Pacemaker_Development/pot/Ch-Python.pot b/doc/Pacemaker_Development/pot/Ch-Python.pot
+index ed71331ce..27c7e22e5 100644
+--- a/doc/Pacemaker_Development/pot/Ch-Python.pot
++++ b/doc/Pacemaker_Development/pot/Ch-Python.pot
+@@ -39,7 +39,7 @@ msgstr ""
+
+ #. Tag: screen
+ #, no-c-format
+-msgid "#!@PYTHON@"
++msgid "#!/usr/bin/env python3"
+ msgstr ""
+
+ #. Tag: para
+diff --git a/tools/pcmk_simtimes.in b/tools/pcmk_simtimes.in
+index 6e362243b..28009f499 100644
+--- a/tools/pcmk_simtimes.in
++++ b/tools/pcmk_simtimes.in
+@@ -1,4 +1,4 @@
+-#!@PYTHON@
++#!/usr/bin/env python3
+ """ Timing comparisons for crm_simulate profiling output
+ """
+
+--
+2.23.0
+
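Review bot: the added patch replaces the configure-substituted #!@PYTHON@ with a hard-coded #!/usr/bin/env python3, which bypasses the interpreter the recipe can pass to configure, and it applies the same substitution to doc/Pacemaker_Development/en-US/Ch-Python.txt, whose surrounding text still says the line "will be replaced with the appropriate python executable" about a line that is no longer substituted; the cts/environment.py comment edit is likewise a no-op. Restrict the change to the executables that need it (or set PYTHON at configure time in the recipe instead), drop the .txt, .pot and comment hunks, and reconsider Upstream-Status: Pending, which is hard to justify for a patch that hard-codes the interpreter. Also, this commit adds only the patch file (1 file changed, 176 insertions), so make sure the pacemaker recipe already lists 0001-Fix-python3-usage.patch in SRC_URI; otherwise the file is dead.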
--
2.13.3


Re: Best way to mask bbappends based on Poky version to have a layer support multiple versions of Poky?

Konrad Weihmann <kweihmann@...>
 

Hi,

I get your point.
Maybe this could be a solution to your problem https://www.yoctoproject.org/docs/current/bitbake-user-manual/bitbake-user-manual.html#var-BBVERSIONS.
Instead of having different bbappends have one and pick the right steps inside of the append.

If that is not working for you, you could also fake the behavior of BBFILES_DYNAMIC by putting the bbappends into separate subfolders, which are then
referenced by something like this

BBFILES += "${LAYERDIR}/dynamic-recipes/${BB_VERSION}/*.bbappend"

Regards
Konrad

On 26.03.20 20:56, Matt Campbell wrote:
I didn't know about  BB_DANGLINGAPPENDS_WARNONLY. That would mask the problem, but doesn't feel like a great solution. Either way I do appreciate you sharing that.

Further implementation and discussion with our team brought up another possible solution. We could wildcard all bbappends (_%.bbappend) and use some anonymous python inside our bbappend files that will error out if the package version isn't in a supported list. We could also easily roll this up into a bbclass to prevent the need to duplicate this everywhere.

python () {
    # Anonymous python runs at parse time; fail if this recipe's version is
    # not one this bbappend has been verified against.
    package_version = d.getVar("PV")
    if package_version not in ["3.14", "3.15"]:
        bb.error("This bbappend file isn't compatible with the version {}. You will need to add support to this bbappend for that version.".format(package_version))
}

This still seems more like we are fighting bitbake rather than working with it. Does anyone have any thoughts or suggestions on this?

Other upstreams seem to maintain different branches for different Poky releases. That is a road we would rather avoid if possible. Our goal is to be able to have an extra CI build against the version of Poky under development so we can continuously fix the upgrade issues as they come up rather than as a landslide when we upgrade. Making a separate branch for this would mean we would need to merge all active development into each branch to get the benefits of a poky next canary build plan. That said, I'd love to hear about a solution that lets us have our cake and eat it too.

~Matt

On Thu, Mar 26, 2020 at 9:55 AM Robert P. J. Day <rpjday@...> wrote:
On Thu, 26 Mar 2020, Matt Campbell wrote:

> Hi All,

> We have a layer where we want to concurrently support two releases
> of Poky. There is an issue when we have bbappends against recipes
> that have different versions in the two poky releases. for instance,
> imagine recipe foo that is version 1.0 in Zeus and 1.2 in Dunfell.
> If we had a bbappend in our layer `foo_1.0.bbappend` and tried to
> use our layer with Dunfell, bitbake will error out saying that
> `foo_1.0.bbappend` has no base recipe.

  not sure if this really solves the underlying issue, but you can
always turn those errors into warnings with:

  BB_DANGLINGAPPENDS_WARNONLY = "1"

in your local.conf, although i'm still skeptical as to whether that's
really the problem you're trying to solve.

rday


--
Matthew Campbell
Senior Embedded Systems Engineer

iZotope, Inc.


    


Re: Best way to mask bbappends based on Poky version to have a layer support multiple versions of Poky?

Matt Campbell
 

I didn't know about  BB_DANGLINGAPPENDS_WARNONLY. That would mask the problem, but doesn't feel like a great solution. Either way I do appreciate you sharing that.

Further implementation and discussion with our team brought up another possible solution. We could wildcard all bbappends (_%.bbappend) and use some anonymous python inside our bbappend files that will error out if the package version isn't in a supported list. We could also easily roll this up into a bbclass to prevent the need to duplicate this everywhere.

python () {
    # Anonymous python runs at parse time; fail if this recipe's version is
    # not one this bbappend has been verified against.
    package_version = d.getVar("PV")
    if package_version not in ["3.14", "3.15"]:
        bb.error("This bbappend file isn't compatible with the version {}. You will need to add support to this bbappend for that version.".format(package_version))
}

This still seems more like we are fighting bitbake rather than working with it. Does anyone have any thoughts or suggestions on this?

Other upstreams seem to maintain different branches for different Poky releases. That is a road we would rather avoid if possible. Our goal is to be able to have an extra CI build against the version of Poky under development so we can continuously fix the upgrade issues as they come up rather than as a landslide when we upgrade. Making a separate branch for this would mean we would need to merge all active development into each branch to get the benefits of a poky next canary build plan. That said, I'd love to hear about a solution that lets us have our cake and eat it too.

~Matt

On Thu, Mar 26, 2020 at 9:55 AM Robert P. J. Day <rpjday@...> wrote:
On Thu, 26 Mar 2020, Matt Campbell wrote:

> Hi All,

> We have a layer where we want to concurrently support two releases
> of Poky. There is an issue when we have bbappends against recipes
> that have different versions in the two poky releases. for instance,
> imagine recipe foo that is version 1.0 in Zeus and 1.2 in Dunfell.
> If we had a bbappend in our layer `foo_1.0.bbappend` and tried to
> use our layer with Dunfell, bitbake will error out saying that
> `foo_1.0.bbappend` has no base recipe.

  not sure if this really solves the underlying issue, but you can
always turn those errors into warnings with:

  BB_DANGLINGAPPENDS_WARNONLY = "1"

in your local.conf, although i'm still skeptical as to whether that's
really the problem you're trying to solve.

rday


--
Matthew Campbell
Senior Embedded Systems Engineer

iZotope, Inc.
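The version gate Matt sketches above (Konrad's per-release directory trick solves the same problem at file-selection time instead) can be packaged once as a small library plus a bbclass so that every wildcard bbappend gets the same check. The following is an added example written for this digest, not code from either post or from bitbake; the class name version-gate, the variable VERSION_GATE_SUPPORTED and the lib/version_gate.py module path are assumptions, while d.getVar and bb.error are bitbake's real API. It goes beyond the posted snippet by accepting '%' prefix patterns in the supported list, with the same meaning '%' has in a bbappend filename, and by exercising the gate against constructed recipe metadata so it can be checked outside bitbake.

```python
# Version gate for wildcard bbappends (added example; not from the thread).
#
# Assumed wiring in the layer (class name, variable name and module path are
# assumptions, d.getVar/bb.error are real bitbake API):
#
#   classes/version-gate.bbclass
#     VERSION_GATE_SUPPORTED ?= ""
#     python __anonymous () {
#         import version_gate          # lib/version_gate.py in this layer
#         version_gate.gate(d)
#     }
#
#   recipes-foo/foo/foo_%.bbappend
#     VERSION_GATE_SUPPORTED = "3.14 3.15.% 3.16"
#     inherit version-gate


def pv_matches(pv, spec):
    """True when recipe version pv satisfies spec.

    spec is either an exact version ("3.14") or a prefix ending in '%',
    which, like the '%' in a foo_1.%.bbappend filename, matches any
    remainder: "3.1%" covers "3.1", "3.15" and "3.1.2" but not "3.2".
    """
    if spec.endswith("%"):
        return pv.startswith(spec[:-1])
    return pv == spec


def supported_by(pv, supported):
    """Return the first spec in the whitespace-separated list that covers pv,
    or None when the bbappend has not been verified for this version."""
    for spec in supported.split():
        if pv_matches(pv, spec):
            return spec
    return None


def gate(d, error=None):
    """Parse-time check intended to be called from anonymous python.

    d is the bitbake datastore; error defaults to bb.error under bitbake and
    is injectable so the logic can run outside it.  Returns True when PV is
    covered and False (after reporting) when it is not, so a recipe parsed
    under an unexpected Poky release fails loudly instead of silently
    applying appends written for another version.
    """
    if error is None:
        import bb
        error = bb.error
    pn = d.getVar("PN") or "?"
    pv = d.getVar("PV") or ""
    supported = d.getVar("VERSION_GATE_SUPPORTED") or ""
    if not supported:
        error("%s: VERSION_GATE_SUPPORTED is empty; list the versions this "
              "bbappend was written for" % pn)
        return False
    if supported_by(pv, supported) is None:
        error("%s: bbappend supports PV in [%s] but this recipe is %s; "
              "review and extend the bbappend for that version"
              % (pn, supported, pv))
        return False
    return True


class _FakeDataStore:
    """Minimal stand-in for the bitbake datastore (constructed for testing)."""

    def __init__(self, **values):
        self._values = values

    def getVar(self, name, expand=True):
        return self._values.get(name)


def demo():
    """Run the gate over constructed recipe metadata.  Returns the list of
    (pv, passed) results and the error messages the gate reported."""
    errors = []
    results = []
    for pv in ("3.14", "3.15.2", "3.16", "4.0"):
        d = _FakeDataStore(PN="foo", PV=pv,
                           VERSION_GATE_SUPPORTED="3.14 3.15.% 3.16")
        results.append((pv, gate(d, error=errors.append)))
    return results, errors


if __name__ == "__main__":
    results, errors = demo()
    for pv, ok in results:
        print("PV %-7s -> %s" % (pv, "ok" if ok else "rejected"))
    for msg in errors:
        print("  error: %s" % msg)
```

Because the check runs from anonymous python, a rejected version is reported while the recipe is parsed, before any task is scheduled, which is the point at which a CI canary build against the next Poky release should fail.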


How to ignore .so dependencies?

Antonio Teixeira
 

I have a problem where I need to support two different versions of a set of proprietary libraries (read: I don't have the source code so I can't recompile / relink them).

I intend to do so by installing both versions in my yocto image with versioned filenames (samplelibrary.so.2.0.0 and such) and detecting at runtime which version I should use (only one version will ever be used at the same time) and then symlink them to a non-versioned filename (samplelibrary.so). I need to do this because the libraries are linked amongst themselves to non-versioned filenames.

However, since they're linked against non-versioned filenames and I'm shipping versioned filenames that means I get errors such as:

"nothing provides somelib1.so()(64bit) needed by package-with-a-lot-of-libs"

Is there any way I can possibly ignore this error?

I'd also like to add that I'm aware using patchelf to make libs be linked against versioned filenames would be much cleaner, and I did try that, but for some reason when I do that with the libs and with a few binaries these packages ship, they all get corrupted/bugged somehow and I get some symbol lookup errors when trying to run the binaries.

Thanks in advance.


Downgrading LVM2 in Zeus

MikeB
 

Hi.

For several interoperability reasons, I find myself needing to downgrade Zeus' LVM2 back to the version used by Sumo.

I think I know the correct process for doing this, but I'm getting an error I don't understand.  I'm hoping someone can spot the problem.

I have a custom layer - meta-exos - for my OS-specific changes.

I copied Sumo's recipes-support/lvm2 support to my custom layer.

mberger@snickers:/data/mberger/exos-yocto-311$ ls layers/meta-exos/recipes-support/lvm2/
files  libdevmapper_2.02.171.bb  lvm2  lvm2_2.02.171.bb  lvm2.inc

I updated my conf file with the following preferences:
PREFERRED_VERSION_libdevmapper = "2.02.171"
PREFERRED_VERSION_lvm2 = "2.02.171"
 
When I try to build, I get the following errors.
Note that the parser doesn't seem to see my lvm2 2.02.171, but later complains that I'm trying to build two versions of lvm2.  Can someone explain what may be causing this, because I haven't been able to figure it out.

mberger@snickers:/data/mberger/exos-yocto-311/build/exos-x32$ bitbake lvm2
Parsing recipes: 100% |##############################################################################################| Time: 0:00:14
Parsing of 2434 .bb files complete (0 cached, 2434 parsed). 3582 targets, 336 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
NOTE: preferred version 2.02.171 of lvm2 not available (for item libdevmapper)
NOTE: versions of lvm2 available: 2.03.02
 
Build Configuration:
BB_VERSION           = "1.44.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal-4.8"
TARGET_SYS           = "x86_64-poky-linux-gnux32"
MACHINE              = "exos-x32"
DISTRO               = "poky"
DISTRO_VERSION       = "3.0.2"
TUNE_FEATURES        = "mx32"
TARGET_FPU           = ""
meta                 
meta-poky            
meta-yocto-bsp       = "HEAD:04d71b42e7323087b945e9c507337c1cfb54f48b"
meta-oe              
meta-python          
meta-networking      
meta-filesystems     = "HEAD:bb65c27a772723dfe2c15b5e1b27bcc1a1ed884c"
meta-intel           = "HEAD:faced19dda5332cce9164903b250db5aa9b86259"
meta-virtualization  = "HEAD:561b597d4ba91dd36147e1af81bd1edc2d6636db"
meta-exos            = "xos_31.1:93612889cf9bcc78d5e683541ea0b315e9e0d9c7"
 
ERROR: Multiple versions of lvm2 are due to be built (/data/mberger/exos-yocto-311/layers/meta-exos/recipes-support/lvm2/lvm2_2.02.171.bb /data/mberger/exos-yocto-311/layers/meta-openembedded/meta-oe/recipes-support/lvm2/lvm2_2.03.02.bb). Only one version of a given PN should be built in any given build. You likely need to set PREFERRED_VERSION_lvm2 to select the correct version or don't depend on multiple versions.
 
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
Thanks, Mike


Re: Best way to mask bbappends based on Poky version to have a layer support multiple versions of Poky?

Robert P. J. Day
 

On Thu, 26 Mar 2020, Matt Campbell wrote:

> Hi All,
> We have a layer where we want to concurrently support two releases
> of Poky. There is an issue when we have bbappends against recipes
> that have different versions in the two poky releases. For instance,
> imagine recipe foo that is version 1.0 in Zeus and 1.2 in Dunfell.
> If we had a bbappend in our layer `foo_1.0.bbappend` and tried to
> use our layer with Dunfell, bitbake will error out saying that
> `foo_1.0.bbappend` has no base recipe.

not sure if this really solves the underlying issue, but you can
always turn those errors into warnings with:

BB_DANGLINGAPPENDS_WARNONLY = "1"

in your local.conf, although i'm still skeptical as to whether that's
really the problem you're trying to solve.

rday


Best way to mask bbappends based on Poky version to have a layer support multiple versions of Poky?

Matt Campbell
 

Hi All,

We have a layer where we want to concurrently support two releases of Poky. There is an issue when we have bbappends against recipes that have different versions in the two poky releases. For instance, imagine recipe foo that is version 1.0 in Zeus and 1.2 in Dunfell. If we had a bbappend in our layer `foo_1.0.bbappend` and tried to use our layer with Dunfell, bitbake will error out saying that `foo_1.0.bbappend` has no base recipe.

The question is: how do we dynamically hide that bbappend only from Dunfell? Or, why is what we are trying to do not really the right 

I found BBFILES_DYNAMIC which is _almost_ what we want, but only allows filtering based on the presence of another layer, not the version of Poky.

Right now we've got a solution using Python inline variable substitution to set BBMASK conditionally based on the poky version. (Side note: it looks like you can't do anonymous Python in the layer.conf file which I couldn't find any documentation about).

# Things to mask from zeus
BBMASK += "${@ ' '.join([ \
        'meta-izo-modus/recipes-devtools/libedit/libedit_20180525-3.1.bbappend', \
        'meta-izo-modus/recipes-devtools/lua/lua_5.3.4.bbappend', \
        'meta-izo-modus/recipes-extended/logrotate/logrotate_3.14.0.bbappend', \
        'meta-izo-modus/recipes-kernel/linux/linux-yocto_4.18.bbappend', \
    ]) if d.getVar('LAYERSERIES_CORENAMES') == 'zeus' else ''}"

This isn't the cleanest, but it does work.

I'm really curious if there is a more canonical and clean way of achieving what we are going for here.

Thanks in advance,
~Matt
--
Matthew Campbell
Senior Embedded Systems Engineer

iZotope, Inc.
