
[meta-selinux][PATCH 4/6] selinux-initsh.inc: install selinux-init.sh and selinux-labeldev.sh when using systemd

Yi Zhao
 

Commit 5fd3c5b71edb99659aeb5cb5903088d84517382e introduced an issue:
selinux-init.sh and selinux-labeldev.sh are not installed when using
systemd, which causes selinux-init.service and
selinux-labeldev.service to fail to start. Move the do_install code from
selinux-autorelabel to selinux-initsh.inc to make sure these scripts are
installed when using systemd.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/selinux-autorelabel_0.1.bb | 3 ---
recipes-security/selinux/selinux-initsh.inc | 9 +++++++--
2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb b/recipes-security/selinux/selinux-autorelabel_0.1.bb
index 7e7d08c..b898c3b 100644
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -21,9 +21,6 @@ require selinux-initsh.inc

do_install_append() {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
- sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
echo "# first boot relabelling" > ${D}/.autorelabel
fi
}
diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc
index 6084762..0a6cf4b 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -27,8 +27,13 @@ do_install () {
-e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}

- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir}
+ sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+ fi
}

sysroot_stage_all_append () {
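Review bot: The new `if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ...)}` block in do_install has no comment tying the `.sh` script in `${bindir}` to the `.service` unit, and that coupling is what the referenced commit broke. Going by the commit message, the services fail to start without the script, so I would add `# The systemd units need ${SELINUX_SCRIPT_SRC}.sh in ${bindir}; keep the script and unit installs together.` above the `if`. do_install starts before this hunk, so the sysvinit part it leaves unconditional is only partly visible here.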
--
2.17.1


[meta-selinux][PATCH 3/6] libsemanage: fix race issue in parallel build

Yi Zhao
 

The install-pywrap target doesn't depend on the swigify target, because
semanage.py is generated by the pywrap target, not by the swigify target.
Here is the dependency chain:
install-pywrap -> pywrap -> $(SWIGSO) -> $(SWIGLOBJ) -> $(SWIGCOUT)
-> semanage.py

But in the recipe, the swigify target is added explicitly in do_install:
do_install_append() {
oe_runmake install-pywrap swigify \
[snip]
}

This target regenerates semanage.py during do_install, so there is a
potential race in a parallel build: the install-pywrap target may try to
install semanage.py while the swigify target is still generating the
file, and an empty semanage.py is then installed. Remove the swigify
target to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/libsemanage.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage.inc
index 9dc1095..81a3eda 100644
--- a/recipes-security/selinux/libsemanage.inc
+++ b/recipes-security/selinux/libsemanage.inc
@@ -32,7 +32,7 @@ do_compile_append() {
}

do_install_append() {
- oe_runmake install-pywrap swigify \
+ oe_runmake install-pywrap \
PYCEXT='.so' \
PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
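Review bot: Nothing in do_install_append records why `swigify` must stay off the `oe_runmake install-pywrap` line, so it could easily be re-added during a later upgrade; the same applies to do_install in libselinux-python.inc (PATCH 2/6). I would add a comment above the call, `# Do not pass swigify here: it regenerates semanage.py and races with install-pywrap in a parallel build.` The failure described is a silently empty semanage.py in the image, so a `test -s` on the installed file at the end of the function would turn a recurrence into a build failure. The file presumably lands under the PYTHONLIBDIR path passed here, which should be confirmed against the upstream Makefile. The function body continues past the end of the hunk.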
--
2.17.1


[meta-selinux][PATCH 6/6] refpolicy: switch to python3

Yi Zhao
 

* Switch to python3
* Update policy-version to 31 to match selinux 2.9

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/refpolicy/refpolicy_common.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 2d9ace5..2083a37 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -72,12 +72,12 @@ EXTRANATIVEPATH += "bzip2-native"
DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"

RDEPENDS_${PN}-dev =+ " \
- python \
+ python3-core \
"

PACKAGE_ARCH = "${MACHINE_ARCH}"

-inherit pythonnative
+inherit python3native

PARALLEL_MAKE = ""

@@ -181,7 +181,7 @@ path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]

-policy-version = 30
+policy-version = 31
EOF

# Create policy store and build the policy
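Review bot: `policy-version = 31` is a bare literal inside the heredoc, and only the commit message says it is tied to selinux 2.9, so nothing in the recipe will point the next userspace upgrade at it. A comment just before the heredoc would do, for example `# policy-version must track the SELinux userspace in use (31 for selinux 2.9)`. It is also worth confirming that the kernels this layer targets accept a version 31 policy, since the hunk shows no check for that. The heredoc and its enclosing function start outside the hunk.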
--
2.17.1


[meta-selinux][PATCH 5/6] refpolicy: add UPSTREAM_CHECK_GITTAGREGEX

Yi Zhao
 

Add UPSTREAM_CHECK_GITTAGREGEX so that devtool check-upgrade-status
works.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/refpolicy/refpolicy_2.20190201.inc | 2 ++
recipes-security/refpolicy/refpolicy_git.inc | 2 ++
2 files changed, 4 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc b/recipes-security/refpolicy/refpolicy_2.20190201.inc
index 78c6e74..4030b36 100644
--- a/recipes-security/refpolicy/refpolicy_2.20190201.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -2,6 +2,8 @@ SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE
SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
SRC_URI[sha256sum] = "ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843"

+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"

include refpolicy_common.inc
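Review bot: `UPSTREAM_CHECK_GITTAGREGEX` is added to refpolicy_2.20190201.inc, whose SRC_URI (visible in the hunk header) is an https release tarball rather than a git URL. As far as I know this variable is read only by the git fetcher, so the upstream check for this recipe may still miss new releases. If that is confirmed, the tarball recipe needs `UPSTREAM_CHECK_URI` and `UPSTREAM_CHECK_REGEX` instead; the same line in refpolicy_git.inc is fine as it stands. A one-line comment naming the tag format the regex is meant to match would also help whoever adjusts it later.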
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 8aeaf27..8de07c0 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -4,6 +4,8 @@ SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=git;branch=mas

SRCREV_refpolicy ?= "df696a325404b84c2c931c85356510005e5e6916"

+UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
+
FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"

include refpolicy_common.inc
--
2.17.1


[meta-selinux][PATCH 2/6] libselinux-python: fix race issue in parallel build

Yi Zhao
 

The install-pywrap target doesn't depend on the swigify target, because
selinux.py is generated by the pywrap target, not by the swigify target.
Here is the dependency chain:
install-pywrap -> pywrap -> $(SWIGFILES) -> $(SWIGPYOUT) -> $(SWIGCOUT)
-> selinux.py

But in the recipe, the swigify target is added explicitly in do_install:
do_install_append() {
oe_runmake install-pywrap swigify \
[snip]
}

This target regenerates selinux.py during do_install, so there is a
potential race in a parallel build: the install-pywrap target may try to
install selinux.py while the swigify target is still generating the
file, and an empty selinux.py is then installed. Remove the swigify
target to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-security/selinux/libselinux-python.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/libselinux-python.inc b/recipes-security/selinux/libselinux-python.inc
index 62354b2..24407e8 100644
--- a/recipes-security/selinux/libselinux-python.inc
+++ b/recipes-security/selinux/libselinux-python.inc
@@ -33,7 +33,7 @@ do_compile() {
}

do_install() {
- oe_runmake install-pywrap swigify \
+ oe_runmake install-pywrap \
PYCEXT='.so' \
PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
--
2.17.1


[meta-selinux][PATCH 1/6] python-ipy: remove recipe

Yi Zhao
 

The python-ipy had been moved to meta-python.

Signed-off-by: Yi Zhao <yi.zhao@...>
---
recipes-devtools/python/python-ipy.inc | 18 ------------------
recipes-devtools/python/python-ipy_1.00.bb | 2 --
recipes-devtools/python/python3-ipy_1.00.bb | 2 --
3 files changed, 22 deletions(-)
delete mode 100644 recipes-devtools/python/python-ipy.inc
delete mode 100644 recipes-devtools/python/python-ipy_1.00.bb
delete mode 100644 recipes-devtools/python/python3-ipy_1.00.bb

diff --git a/recipes-devtools/python/python-ipy.inc b/recipes-devtools/python/python-ipy.inc
deleted file mode 100644
index ba4c2bd..0000000
--- a/recipes-devtools/python/python-ipy.inc
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
-DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks \
-in a fashion similar to perl's Net::IP and friends. The IP class allows \
-a comfortable parsing and handling for most notations in use for IPv4 \
-and IPv6 Addresses and Networks."
-SECTION = "devel/python"
-HOMEPAGE = "https://github.com/haypo/python-ipy"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=848d24919845901b4f48bae5f13252e6"
-
-SRC_URI[md5sum] = "1a90c68174234672241a7e60c7ea0fb9"
-SRC_URI[sha256sum] = "2f2bf658a858d43868d8a4352b3889cf78c66e2ce678b300dcf518c9149ba621"
-
-inherit pypi
-
-PYPI_PACKAGE = "IPy"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-devtools/python/python-ipy_1.00.bb b/recipes-devtools/python/python-ipy_1.00.bb
deleted file mode 100644
index 587a517..0000000
--- a/recipes-devtools/python/python-ipy_1.00.bb
+++ /dev/null
@@ -1,2 +0,0 @@
-inherit setuptools
-require python-ipy.inc
diff --git a/recipes-devtools/python/python3-ipy_1.00.bb b/recipes-devtools/python/python3-ipy_1.00.bb
deleted file mode 100644
index ea6a105..0000000
--- a/recipes-devtools/python/python3-ipy_1.00.bb
+++ /dev/null
@@ -1,2 +0,0 @@
-inherit setuptools3
-require python-ipy.inc
--
2.17.1


Re: Raspberry pi 4 recipe and layer issues.

Khem Raj
 

Hi Ed

If you are building on the target, you need to install the glibc-dev
package on the target as well. Or perhaps you can build your image for
the target with

IMAGE_INSTALL_append = " packagegroup-core-buildessential"

added to local.conf

On Sun, Dec 22, 2019 at 9:22 AM Ed Vidal <develone@...> wrote:

Hi,
Testing 1 of the 4 recipes in meta-yosys-tools nextpnr_0.1.bb.
I tried testing on target rpi4-64 to determine, EXTRA_OECMAKE = "-DARCH=ice40 -DBUILD_GUI=OFF ${S} "
variable. In yocto this uses the build directory. On the target, "cmake -DARACH=ice40 -DBUILD_GUI=OFF ."
which is the nextpnr directory. It appears that yocto uses ninja, while the target uses make. I have copies of both
CMakeError.log files for target & yocto at the links below.

https://github.com/develone/meta-yosys-tools/blob/master/doc-recipes/target/CMakeFiles/CMakeError.log

& https://github.com/develone/meta-yosys-tools/blob/master/doc-recipes/yocto/CMakeFiles/CMakeError.log


The target builds and installs while yocto fails do_configure step.

The recipe I am testing with the cmd "bitbake -DDD nextpnr" is

https://github.com/develone/meta-yosys-tools/blob/master/recipes-nextpnr/nextpnr/nextpnr_0.1.bb


This recipe nextpnr_0.1.bb is dependent on a 2nd recipe in meta-yosys-tools layer icestorm_0.1.bb in the same layer. This recipe creates the RPMs, but is failing in QA step. I use the "rpm -i icestorm-0.1+git0+041c075e4a-r0.aarch64.rpm" to test on the target.

Let me know if I can provide any additional information.
Thanks

Regards


Edward Vidal Jr. e-mail develone@... 915-595-1613


[meta-security][PATCH 3/3] smack-test: add feature check for smack

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/smack/smack-test_1.0.bb | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/recipes-mac/smack/smack-test_1.0.bb b/recipes-mac/smack/smack-test_1.0.bb
index 7cf8f2e..d5de607 100644
--- a/recipes-mac/smack/smack-test_1.0.bb
+++ b/recipes-mac/smack/smack-test_1.0.bb
@@ -12,6 +12,10 @@ SRC_URI = " \

S = "${WORKDIR}"

+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "smack"
+
do_install() {
install -d ${D}${sbindir}
install -m 0755 notroot.py ${D}${sbindir}
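Review bot: `REQUIRED_DISTRO_FEATURES = "smack"` makes this recipe get skipped on any distro that does not list `smack` in DISTRO_FEATURES, and neither the commit message nor a comment says so. The same holds for the `ima` checks in the meta-integrity patch and for the `smack` and `apparmor` checks in smack_1.3.1.bb and apparmor_2.13.3.bb. A short comment such as `# Skip this recipe unless the distro enables smack` above the `inherit`, plus a line in the layer README, would tell users what to add. The `features_check` class is, as far as I know, only present in newer oe-core (older releases ship `distro_features_check`), so the layer's declared release compatibility should be checked against it.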
--
2.17.1


[meta-security][PATCH 2/3] meta-integrity: fix issues with yocto-check-layer

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../recipes-core/initrdscripts/initramfs-framework-ima.bb | 3 +++
.../recipes-core/packagegroups/packagegroup-ima-evm-utils.bb | 2 +-
meta-integrity/recipes-kernel/linux/linux-%.bbappend | 4 ++--
.../recipes-security/ima-evm-utils/ima-evm-utils_git.bb | 4 +++-
.../ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb | 3 +++
.../ima_policy_hashed/ima-policy-hashed_1.0.bb | 3 +++
.../ima_policy_simple/ima-policy-simple_1.0.bb | 3 +++
7 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 95c853a..dacdc8b 100644
--- a/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -16,6 +16,9 @@ IMA_POLICY ?= "ima-policy-hashed"

SRC_URI = " file://ima"

+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
diff --git a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
index 18acc9d..bc3ebd5 100644
--- a/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
+++ b/meta-integrity/recipes-core/packagegroups/packagegroup-ima-evm-utils.bb
@@ -4,6 +4,6 @@ LICENSE = "MIT"
inherit packagegroup

# Only one at the moment, but perhaps more will come in the future.
-RDEPENDS_${PN} = " \
+RDEPENDS_${PN}_ima = " \
ima-evm-utils \
"
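Review bot: `RDEPENDS_${PN}_ima` makes the dependency override-conditional, so it applies only when `ima` is in OVERRIDES; nothing in this patch adds it there, and listing it in DISTRO_FEATURES does not do that by itself. If it is not an override, the packagegroup no longer pulls in ima-evm-utils. The same concern applies to `KERNEL_FEATURES_append_ima` and `KERNEL_FEATURES_append_modsign` in linux-%.bbappend, where the result would be a kernel built without the IMA and module-signing fragments and no error. Those lines already gate on `bb.utils.contains("DISTRO_FEATURES", ...)`, so keeping the plain `KERNEL_FEATURES_append` and `RDEPENDS_${PN}` avoids relying on an override that may not be set.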
diff --git a/meta-integrity/recipes-kernel/linux/linux-%.bbappend b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
index f9a48cd..443289b 100644
--- a/meta-integrity/recipes-kernel/linux/linux-%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-%.bbappend
@@ -1,5 +1,5 @@
-KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"
+KERNEL_FEATURES_append_ima = " ${@bb.utils.contains("DISTRO_FEATURES", "ima", " features/ima/ima.scc", "" ,d)}"

-KERNEL_FEATURES_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES_append_modsign = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"

inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
index 92c24c9..7f649c2 100644
--- a/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ b/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
@@ -23,7 +23,9 @@ SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"

S = "${WORKDIR}/git"

-inherit pkgconfig autotools
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"

EXTRA_OECONF_append_class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"

diff --git a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index b58d3fe..da62a4c 100644
--- a/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -9,6 +9,9 @@ IMA_POLICY ?= "ima_policy_appraise_all"

SRC_URI = " file://${IMA_POLICY}"

+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
diff --git a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index 3352daa..ebb0426 100644
--- a/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -11,6 +11,9 @@ SRC_URI = " \
file://${IMA_POLICY} \
"

+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
diff --git a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index 17132aa..cb4b6b8 100644
--- a/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -9,6 +9,9 @@ IMA_POLICY ?= "ima_policy_simple"

SRC_URI = " file://${IMA_POLICY}"

+inherit features_check
+REQUIRED_DISTRO_FEATURES = "ima"
+
do_install () {
install -d ${D}/${sysconfdir}/ima
install ${WORKDIR}/${IMA_POLICY} ${D}/${sysconfdir}/ima/ima-policy
--
2.17.1


[meta-security][PATCH 1/3] google-authenticator-libpam: update to 1.07

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
...cator-libpam_1.05.bb => google-authenticator-libpam_1.07.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename recipes-security/google-authenticator-libpam/{google-authenticator-libpam_1.05.bb => google-authenticator-libpam_1.07.bb} (91%)

diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
similarity index 91%
rename from recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb
rename to recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
index 2181629..98f895c 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"

SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "7365ed10d54393fb4c100cac063ae8edb744eac6"
+SRCREV = "c9280f43610ce896f91eafd0f740a4eb4dcecedd"

DEPENDS = "libpam"

--
2.17.1


Re: Raspberry pi 4 recipe and layer issues.

Ed Vidal
 

Hi,
Testing 1 of the 4 recipes in meta-yosys-tools nextpnr_0.1.bb.
I tried testing on target rpi4-64 to determine, EXTRA_OECMAKE = "-DARCH=ice40 -DBUILD_GUI=OFF  ${S} "
variable.  In yocto this uses the build directory.  On the target, "cmake -DARACH=ice40 -DBUILD_GUI=OFF ."
which is the nextpnr directory.  It appears that yocto uses ninja, while the target uses make.  I have copies of both 
CMakeError.log files for target & yocto at the links below.

https://github.com/develone/meta-yosys-tools/blob/master/doc-recipes/target/CMakeFiles/CMakeError.log

https://github.com/develone/meta-yosys-tools/blob/master/doc-recipes/yocto/CMakeFiles/CMakeError.log


The target builds and installs while yocto fails do_configure step.

The recipe I am testing with the cmd "bitbake -DDD nextpnr" is 



This recipe nextpnr_0.1.bb is dependent on a 2nd recipe in meta-yosys-tools layer icestorm_0.1.bb in the same layer.  This recipe creates the RPMs, but is failing in QA step.  I use the "rpm -i icestorm-0.1+git0+041c075e4a-r0.aarch64.rpm" to test on the target.

Let me know if I can provide any additional information. 
Thanks 

Regards


Edward Vidal Jr. e-mail develone@... 915-595-1613


[meta-security][PATCH 2/2] python3-fail2ban: include python-fail2ban.inc

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
.../fail2ban/python3-fail2ban_0.10.4.0.bb | 51 +++++++++++++++++--
1 file changed, 47 insertions(+), 4 deletions(-)

diff --git a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 23ef027..53f94ff 100644
--- a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ b/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -1,8 +1,51 @@
-inherit setuptools3
-require python-fail2ban.inc
+SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
+DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
+many failed login attempts. It does this by updating system firewall rules to reject new \
+connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
+out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
+and is easy to configure to read any log file you choose, for any error you choose."
+HOMEPAGE = "http://www.fail2ban.org"

-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"

-SRC_URI += " \
+SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
+SRC_URI = " \
+ git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+ file://initd \
+ file://fail2ban_setup.py \
+ file://run-ptest \
file://0001-To-fix-build-error-of-xrang.patch \
"
+
+inherit update-rc.d ptest setuptools3
+
+S = "${WORKDIR}/git"
+
+do_compile_prepend () {
+ cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
+}
+
+do_install_append () {
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ chown -R root:root ${D}/${bindir}
+}
+
+do_install_ptest_append () {
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+}
+
+FILES_${PN} += "/run"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
+INSANE_SKIP_${PN}_append = "already-stripped"
+
+RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
+RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
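Review bot: The SRC_URI now carried in this file fetches `git://github.com/fail2ban/fail2ban.git;branch=0.11` over the unauthenticated git protocol. The pinned SRCREV limits what a tampered fetch can deliver, but adding `;protocol=https` to that entry gives transport authentication as well. Separately, `INSANE_SKIP_${PN}_append = "already-stripped"` has no leading space, so it fuses with any value already set; `INSANE_SKIP_${PN} += "already-stripped"` is the safer form. The subject line still says "include python-fail2ban.inc" although the content is inlined here and PATCH 1/2 deletes that file.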
--
2.17.1


[meta-security][PATCH 1/2] python-fail2ban: Drop python2 package

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-security/fail2ban/python-fail2ban.inc | 49 -------------------
.../fail2ban/python-fail2ban_0.10.4.0.bb | 4 --
2 files changed, 53 deletions(-)
delete mode 100644 recipes-security/fail2ban/python-fail2ban.inc
delete mode 100644 recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb

diff --git a/recipes-security/fail2ban/python-fail2ban.inc b/recipes-security/fail2ban/python-fail2ban.inc
deleted file mode 100644
index 7270ed8..0000000
--- a/recipes-security/fail2ban/python-fail2ban.inc
+++ /dev/null
@@ -1,49 +0,0 @@
-SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
-DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
-many failed login attempts. It does this by updating system firewall rules to reject new \
-connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
-out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
-and is easy to configure to read any log file you choose, for any error you choose."
-HOMEPAGE = "http://www.fail2ban.org"
-
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-
-SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
-SRC_URI = " \
- git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
- file://fail2ban_setup.py \
- file://run-ptest \
-"
-
-inherit update-rc.d ptest
-
-S = "${WORKDIR}/git"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
-do_compile_prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
-}
-
-do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
-}
-
-do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "/run"
-
-INSANE_SKIP_${PN}_append = "already-stripped"
-
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
diff --git a/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb b/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
deleted file mode 100644
index 17a7dd8..0000000
--- a/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools
-require python-fail2ban.inc
-
-RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban"
--
2.17.1


Debugging using a GUI

Fred Baksik
 

I'm having difficulties debugging using a GUI front-end for gdb.  I didn't have this many problems with Yocto Jethro.  But with Zeus I have not been able to figure out how to set up the Eclipse Standalone debugger or VS Code.

I've followed the Development Guide instructions when building the default Poky core-image-minimal.  The debugger itself is just fine at the command line.  But when trying to setup a GUI debugger I keep getting the following types of errors:

warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x43d10
Cannot insert breakpoint -2.
Cannot access memory at address 0x43d20

Any advice or recommendations?


[meta-security][PATCH 2/2] smack: add distro check

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/smack/smack_1.3.1.bb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/recipes-mac/smack/smack_1.3.1.bb b/recipes-mac/smack/smack_1.3.1.bb
index f32d91b..b1ea4e9 100644
--- a/recipes-mac/smack/smack_1.3.1.bb
+++ b/recipes-mac/smack/smack_1.3.1.bb
@@ -13,7 +13,12 @@ SRC_URI = " \

PV = "1.3.1"

-inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit autotools update-rc.d pkgconfig ptest
+inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "smack"
+

S = "${WORKDIR}/git"

--
2.17.1


[meta-security][PATCH 1/2] apparmor: add distro check

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-mac/AppArmor/apparmor_2.13.3.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_2.13.3.bb b/recipes-mac/AppArmor/apparmor_2.13.3.bb
index 60d5e68..32230a5 100644
--- a/recipes-mac/AppArmor/apparmor_2.13.3.bb
+++ b/recipes-mac/AppArmor/apparmor_2.13.3.bb
@@ -30,7 +30,8 @@ S = "${WORKDIR}/git"

PARALLEL_MAKE = ""

-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
+REQUIRED_DISTRO_FEATURES = "apparmor"

PACKAGECONFIG ??= "python perl aa-decode"
PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
--
2.17.1


Re: ubuntu from Yocto

Josef Holzmayr <holzmayr@...>
 

Howdy!

On Sat, Dec 21, 2019 at 08:20:16AM +0100, Peter Balazovic wrote:
Hello guys

Is there a way how to prepare "Ubuntu distribution" from Yocto project. It
means to create a standard Ubuntu (or other standard distribution).
I am looking for a procedure for it.
Please, can you point/link me?
Sorry, but there is no such thing. Yocto, or rather OpenEmbedded,
technology can build a custom distribution that suits a lot of use cases,
but it is not a drop-in replacement for general-purpose distributions. You
might have better luck asking the Ubuntu folks if they offer customization
tooling.

Greetz


--
———————————————
Josef Holzmayr
Software Developer Embedded Systems

Tel: +49 8444 9204-48
Fax: +49 8444 9204-50

R-S-I Elektrotechnik GmbH & Co. KG
Woelkestrasse 11
D-85301 Schweitenkirchen
www.rsi-elektrotechnik.de
———————————————
Amtsgericht Ingolstadt – GmbH: HRB 191328 – KG: HRA 170393
Geschäftsführer: Dr.-Ing. Michael Sorg, Dipl.-Ing. Franz Sorg
Ust-IdNr: DE 128592548

_____________________________________________________________
Amtsgericht Ingolstadt - GmbH: HRB 191328 - KG: HRA 170363
Geschäftsführer: Dr.-Ing. Michael Sorg, Dipl.-Ing. Franz Sorg
USt-IdNr.: DE 128592548


Re: ubuntu from Yocto

Maciej Pijanowski
 


On 21.12.2019 08:20, Peter Balazovic wrote:
Hello guys

Is there a way how to prepare "Ubuntu distribution" from Yocto project. It means to create a standard Ubuntu (or other standard distribution).
There is not. With Yocto you create your own distribution.
I am looking for a procedure for it.
Please, can you point/link me?
You may be interested in isar then: https://github.com/ilbers/isar
It also uses OpenEmbedded but takes advantage of Debian binary
packages instead of building everything from source.

Thank you.
Peter

-- 
Maciej Pijanowski
Embedded Systems Engineer
https://3mdeb.com | @3mdeb_com


ubuntu from Yocto

Peter Balazovic <balazovic.peter@...>
 

Hello guys

Is there a way how to prepare "Ubuntu distribution" from Yocto project. It means to create a standard Ubuntu (or other standard distribution).
I am looking for a procedure for it.
Please, can you point/link me? 

Thank you.
Peter


[meta-openssl102-fips][PATCH] openssh bbappend: refresh local patches to 8.1p1

hongxu
 

Since upstream oe-core upgraded openssh to 8.1p1,
refresh local patches of fips

Signed-off-by: Hongxu Jia <hongxu.jia@...>
---
.../0001-conditional-enable-fips-mode.patch | 26 +++---
.../openssh/openssh/0001-openssh-8.0p1-fips.patch | 100 ++++++++++++---------
.../openssh/openssh-6.6p1-ctr-cavstest.patch | 14 +--
.../openssh/openssh/openssh-6.7p1-kdf-cavs.patch | 15 ++--
4 files changed, 91 insertions(+), 64 deletions(-)

diff --git a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
index b47e184..705d4be 100644
--- a/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
+++ b/recipes-connectivity/openssh/openssh/0001-conditional-enable-fips-mode.patch
@@ -1,6 +1,6 @@
-From ea3e5eceab28ad2c00d438efbcea2be37a1b2969 Mon Sep 17 00:00:00 2001
+From fac114e44c00382af087fec04cd4c2fbd144d759 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
-Date: Sun, 22 Sep 2019 14:31:51 +0800
+Date: Sat, 21 Dec 2019 13:03:23 +0800
Subject: [PATCH] conditional enable fips mode

Insert ssh_enable_fips_mode to ssh_malloc_init where each main app will invoke,
@@ -14,10 +14,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
1 file changed, 24 insertions(+)

diff --git a/xmalloc.c b/xmalloc.c
-index 5cc0310..0218ccd 100644
+index 9cd0127..75d5018 100644
--- a/xmalloc.c
+++ b/xmalloc.c
-@@ -23,12 +23,20 @@
+@@ -23,6 +23,10 @@
#include <stdlib.h>
#include <string.h>

@@ -28,17 +28,23 @@ index 5cc0310..0218ccd 100644
#include "xmalloc.h"
#include "log.h"

+@@ -30,11 +34,15 @@
+ char *malloc_options = "S";
+ #endif /* __OpenBSD__ */
+
+void ssh_enable_fips_mode(void);
+
- void
- ssh_malloc_init(void)
+ void *
+ xmalloc(size_t size)
{
+ void *ptr;
+
+ ssh_enable_fips_mode();
+
- #if defined(__OpenBSD__)
- extern char *malloc_options;
-
-@@ -116,3 +124,19 @@ xasprintf(char **ret, const char *fmt, ...)
+ if (size == 0)
+ fatal("xmalloc: zero size");
+ ptr = malloc(size);
+@@ -110,3 +118,19 @@ xasprintf(char **ret, const char *fmt, ...)

return (i);
}
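Review bot: Nothing visible here guarantees that `ssh_enable_fips_mode()` is a one-shot: called from the top of `xmalloc()`, it now runs on every allocation, and only on that path. Its body is in the last inner hunk, whose added lines are not shown, so confirm that it returns immediately after the first call and that nothing it calls allocates through `xmalloc()` again. Code that allocates first through another wrapper in xmalloc.c, or that touches crypto before any `xmalloc()` call, would presumably run before FIPS mode is switched on. The patch description kept as context at the top of this file still says the call is inserted into `ssh_malloc_init`; it should be updated, for example to `Insert ssh_enable_fips_mode into xmalloc, which each main app invokes`.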
diff --git a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
index a4b5836..0e35e31 100644
--- a/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
+++ b/recipes-connectivity/openssh/openssh/0001-openssh-8.0p1-fips.patch
@@ -1,6 +1,6 @@
-From 255e5dcdec36df7222f69b253dfc05be63927ed2 Mon Sep 17 00:00:00 2001
+From 511f5dfb3e22d30a7d573313fa88a063f1d49753 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
-Date: Fri, 20 Sep 2019 17:59:00 +0800
+Date: Sat, 21 Dec 2019 11:45:38 +0800
Subject: [PATCH] openssh 8.0p1 fips

Port openssh-7.7p1-fips.patch from Fedora
@@ -22,18 +22,18 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
readconf.c | 17 +++++++++--------
sandbox-seccomp-filter.c | 3 +++
servconf.c | 19 ++++++++++---------
- ssh-keygen.c | 6 ++++++
+ ssh-keygen.c | 17 ++++++++++++++++-
ssh.c | 16 ++++++++++++++++
sshconnect2.c | 11 ++++++++---
sshd.c | 19 +++++++++++++++++++
sshkey.c | 4 ++++
- 16 files changed, 176 insertions(+), 30 deletions(-)
+ 16 files changed, 186 insertions(+), 31 deletions(-)

diff --git a/Makefile.in b/Makefile.in
-index 6f001bb..ddd1804 100644
+index adb1977..37aec69 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -170,31 +170,31 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -175,31 +175,31 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -55,9 +55,9 @@ index 6f001bb..ddd1804 100644
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
-- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
+- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)

ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -68,10 +68,10 @@ index 6f001bb..ddd1804 100644

ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)

- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 32771f2..74fac3b 100644
--- a/cipher-ctr.c
@@ -87,10 +87,10 @@ index 32771f2..74fac3b 100644
return (&aes_ctr);
}
diff --git a/clientloop.c b/clientloop.c
-index 086c0df..0b308d4 100644
+index b5a1f70..0b675fe 100644
--- a/clientloop.c
+++ b/clientloop.c
-@@ -2036,7 +2036,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
+@@ -2035,7 +2035,8 @@ key_accepted_by_hostkeyalgs(const struct sshkey *key)
{
const char *ktype = sshkey_ssh_name(key);
const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
@@ -101,7 +101,7 @@ index 086c0df..0b308d4 100644
if (key == NULL || key->type == KEY_UNSPEC)
return 0;
diff --git a/dh.c b/dh.c
-index a98d39e..92e800a 100644
+index 7cb135d..306f1bc 100644
--- a/dh.c
+++ b/dh.c
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max)
@@ -157,10 +157,10 @@ index a98d39e..92e800a 100644
+
#endif /* WITH_OPENSSL */
diff --git a/dh.h b/dh.h
-index adb643a..5d1cad5 100644
+index 5d6df62..54c7aa2 100644
--- a/dh.h
+++ b/dh.h
-@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
+@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);

int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *);
@@ -169,7 +169,7 @@ index adb643a..5d1cad5 100644
u_int dh_estimate(int);

diff --git a/kex.c b/kex.c
-index 34808b5..b356a26 100644
+index 49d7015..f1f982d 100644
--- a/kex.c
+++ b/kex.c
@@ -161,7 +161,10 @@ kex_names_valid(const char *names)
@@ -208,7 +208,7 @@ index 1c65b8a..b6b25bf 100644

/* generate and send 'e', client DH public key */
diff --git a/myproposal.h b/myproposal.h
-index f167298..812d9a2 100644
+index 34bd10c..a3ae74b 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -111,6 +111,14 @@
@@ -264,12 +264,12 @@ index f167298..812d9a2 100644
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
- "ecdsa-sha2-nistp256," \
+ HOSTKEY_ECDSA_METHODS \
diff --git a/readconf.c b/readconf.c
-index ec497e7..1f1a16d 100644
+index f78b4d6..2f56ed2 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -2116,18 +2116,19 @@ fill_default_options(Options * options)
+@@ -2125,18 +2125,19 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
@@ -298,10 +298,10 @@ index ec497e7..1f1a16d 100644
free(all_cipher);
free(all_mac);
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 5edbc69..3c40136 100644
+index b5cda70..f0607a3 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
-@@ -137,6 +137,9 @@ static const struct sock_filter preauth_insns[] = {
+@@ -156,6 +156,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_open
SC_DENY(__NR_open, EACCES),
#endif
@@ -312,7 +312,7 @@ index 5edbc69..3c40136 100644
SC_DENY(__NR_openat, EACCES),
#endif
diff --git a/servconf.c b/servconf.c
-index ffac5d2..7ad0e4e 100644
+index e76f9c3..591d437 100644
--- a/servconf.c
+++ b/servconf.c
@@ -200,18 +200,19 @@ assemble_algorithms(ServerOptions *o)
@@ -345,13 +345,13 @@ index ffac5d2..7ad0e4e 100644
free(all_cipher);
free(all_mac);
diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 3898b28..f3f4975 100644
+index 8c829ca..cb4982d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
-@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
- OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
- if (*bitsp > maxbits)
- fatal("key bits exceeds maximum %d", maxbits);
+@@ -201,6 +201,12 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
+ #endif
+ }
+ #ifdef WITH_OPENSSL
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");
@@ -361,8 +361,28 @@ index 3898b28..f3f4975 100644
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
+@@ -1061,9 +1067,18 @@ do_gen_all_hostkeys(struct passwd *pw)
+ first = 1;
+ printf("%s: generating new host keys: ", __progname);
+ }
++
++ type = sshkey_type_from_name(key_types[i].key_type);
++
++ /* Skip the keys that are not supported in FIPS mode */
++ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
++ logit("Skipping %s key in FIPS mode",
++ key_types[i].key_type_display);
++ goto next;
++ }
++
+ printf("%s ", key_types[i].key_type_display);
+ fflush(stdout);
+- type = sshkey_type_from_name(key_types[i].key_type);
+ if ((fd = mkstemp(prv_tmp)) == -1) {
+ error("Could not save your public key in %s: %s",
+ prv_tmp, strerror(errno));
diff --git a/ssh.c b/ssh.c
-index 91e7c35..1cf14f6 100644
+index ee51823..0724df4 100644
--- a/ssh.c
+++ b/ssh.c
@@ -76,6 +76,8 @@
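Review bot: The `FIPS_mode()` test added to `do_gen_all_hostkeys` is not wrapped in `#ifdef WITH_OPENSSL`, unlike the check in `type_bits_valid` in the preceding hunk, so a build without OpenSSL would presumably fail to compile here. Enclosing the skip block in `#ifdef WITH_OPENSSL` / `#endif` keeps the two checks consistent. The skip list names only `KEY_DSA` and `KEY_ED25519`, and the `key_types` table is outside the hunk, so check whether it can hold other types that are not approved in FIPS mode (XMSS when built `WITH_XMSS`, for instance). The `goto next` relies on a `next:` label that is also outside the hunk.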
@@ -403,7 +423,7 @@ index 91e7c35..1cf14f6 100644
* Discard other fds that are hanging around. These can cause problem
* with backgrounded ssh processes started by ControlPersist.
diff --git a/sshconnect2.c b/sshconnect2.c
-index dffee90..28b2554 100644
+index 87fa70a..a42aacb 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -44,6 +44,8 @@
@@ -445,7 +465,7 @@ index dffee90..28b2554 100644
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(
diff --git a/sshd.c b/sshd.c
-index a3c1975..bf25d76 100644
+index f8dee0f..2bf8939 100644
--- a/sshd.c
+++ b/sshd.c
@@ -66,6 +66,7 @@
@@ -465,7 +485,7 @@ index a3c1975..bf25d76 100644
#include "openbsd-compat/openssl-compat.h"
#endif

-@@ -1447,6 +1450,18 @@ main(int ac, char **av)
+@@ -1445,6 +1448,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);

@@ -484,7 +504,7 @@ index a3c1975..bf25d76 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -1905,6 +1920,10 @@ main(int ac, char **av)
+@@ -1910,6 +1925,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);

@@ -496,7 +516,7 @@ index a3c1975..bf25d76 100644
unmounted if desired. */
if (chdir("/") == -1)
diff --git a/sshkey.c b/sshkey.c
-index ad19577..18906cb 100644
+index ef90563..1b1ba01 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
@@ -508,14 +528,14 @@ index ad19577..18906cb 100644

#include "crypto_api.h"
@@ -57,6 +58,7 @@
+ #define SSHKEY_INTERNAL
#include "sshkey.h"
- #include "sshkey-xmss.h"
#include "match.h"
+#include "log.h"

- #include "xmss_fast.h"
-
-@@ -1481,6 +1483,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+ #ifdef WITH_XMSS
+ #include "sshkey-xmss.h"
+@@ -1491,6 +1493,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
index 29371f8..8b74451 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.6p1-ctr-cavstest.patch
@@ -1,7 +1,7 @@
-From a94a3d95439018dc7d276ec72de91af369ea413e Mon Sep 17 00:00:00 2001
+From 6d65893a85bddfc543ce894ee4940bd0d5ab368e Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
-Date: Sun, 22 Sep 2019 21:32:18 +0800
-Subject: [PATCH 1/2] add CAVS test driver for the aes-ctr ciphers
+Date: Sat, 21 Dec 2019 13:05:19 +0800
+Subject: [PATCH] add CAVS test driver for the aes-ctr ciphers

Original submission to Fedora, see:
https://lists.fedoraproject.org/pipermail/scm-commits/2012-January/715044.html
@@ -25,7 +25,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
create mode 100644 ctr-cavstest.c

diff --git a/Makefile.in b/Makefile.in
-index ddd1804..cb34681 100644
+index 37aec69..1d6e298 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -23,6 +23,7 @@ SSH_PROGRAM=@bindir@/ssh
@@ -45,7 +45,7 @@ index ddd1804..cb34681 100644

XMSS_OBJS=\
ssh-xmss.o \
-@@ -193,6 +194,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
+@@ -198,6 +199,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o c
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

@@ -53,9 +53,9 @@ index ddd1804..cb34681 100644
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)

-@@ -343,6 +347,7 @@ install-files:
+@@ -348,6 +352,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
diff --git a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
index 7ac881f..0cbccd7 100644
--- a/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
+++ b/recipes-connectivity/openssh/openssh/openssh-6.7p1-kdf-cavs.patch
@@ -1,7 +1,7 @@
-From 210d15fd146ff7037f03fff5e0ba6fcf0bfde683 Mon Sep 17 00:00:00 2001
+From 6b6e0f7d4a517378a8d53b84fbef2cfc78c42f46 Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@...>
-Date: Sun, 22 Sep 2019 21:40:51 +0800
-Subject: [PATCH 2/2] add KDF CAVS test driver
+Date: Sat, 21 Dec 2019 13:08:52 +0800
+Subject: [PATCH] add KDF CAVS test driver

Original submission to Fedora, see:
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1514788.html
@@ -17,6 +17,7 @@ This is the makefile.in change for the normal configuration.
Signed-off-by: Mark Hatle <mark.hatle@...>

Upstream-Status: Inappropriate [oe specific]
+
Signed-off-by: Hongxu Jia <hongxu.jia@...>
---
Makefile.in | 8 +-
@@ -27,7 +28,7 @@ Signed-off-by: Hongxu Jia <hongxu.jia@...>
create mode 100644 ssh-cavs_driver.pl

diff --git a/Makefile.in b/Makefile.in
-index cb34681..368097e 100644
+index 1d6e298..be28411 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
@@ -47,7 +48,7 @@ index cb34681..368097e 100644

XMSS_OBJS=\
ssh-xmss.o \
-@@ -197,6 +198,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+@@ -202,6 +203,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

@@ -55,9 +56,9 @@ index cb34681..368097e 100644
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lssh $(LIBS)

-@@ -348,6 +352,8 @@ install-files:
+@@ -353,6 +357,8 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
--
2.7.4
