meta-security: subtree update:a85fbe980e..c20b35b527
Anton Antonov (1):
Parsec service. Update PACKAGECONFIG definitions and README.md
Armin Kuster (20):
python3-fail2ban: fix build failure and cleanup
meta-parsec/README: remove rust layer req.
opendnssec: blacklist due to ldns being blacklisted
apparmor: Add a python 3.10 compatibility patch
tpm2-tools: update to 5.2
openssl-tpm-engine: fix build issue with openssl 3
tpm2-openssl: add new pkg
tpm2-pkcs11: update to 1.7.0
recipes: Update SRC_URI branch and protocols
sssd: Create /var/log/sssd in runtime
bastille: Create /var/log/Bastille in runtime
python3-fail2ban: remove /run
tpm2-pkcs11: update to 1.7.0
libest: does not build with openssl 3.x
clamav: fix useradd warning
python3-fail2ban: update to tip
tpm2-pkcs11: backport openssl 3.x build fixes
packagegroup-security-tpm2: drop ibmswtpm2
meta-integrity: drop strongswan bbappends
meta-tpm: drop strongswan bbappends
Kai Kang (2):
sssd: re-package to fix QA issues
apparmor: fix warning of remove operator combined with +=
Kristian Klausen (2):
swtpm: update to 0.6.1
dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS
Liwei Song (1):
recipes-security/chipsec: platform security assessment framework
Stefan Mueller-Klieser (1):
tpm2-tss: fix fapi package config
Yi Zhao (2):
openssl-tpm-engine: fix warning for append operator combined with +=
meta-parsec/README.md: fix for append operator combined with +=
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md
index 24958ac..bb4c2b9 100644
--- a/meta-security/meta-parsec/README.md
+++ b/meta-security/meta-parsec/README.md
@@ -1,8 +1,7 @@
meta-parsec layer
==============
-This layer contains recipes for the Parsec service with Mbed-Crypto,
-Pkcs11 and TPM providers and parsec tools.
+This layer contains recipes for the Parsec service and parsec tools.
Dependencies
============
@@ -11,23 +10,12 @@
URI: git://git.openembedded.org/meta-openembedded
branch: master
- revision: HEAD
- prio: default
URI git://git.yoctoproject.org/meta-security
branch: master
- revision: HEAD
- prio: default
-
- URI https://github.com/meta-rust/meta-rust.git
- branch: master
- revision: HEAD
- prio: default
URI https://github.com/kraj/meta-clang.git
branch: master
- revision: HEAD
- prio: default
Adding the meta-parsec layer to your build
==========================================
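Review bot: With meta-rust dropped from the dependency list (and from the bblayers example below), the README should say where the Rust/cargo toolchain now comes from, i.e. the minimum oe-core release expected, because parsec-service still builds through `CARGO_BUILD_FLAGS` and a reader on an older release will hit a missing cargo class with no hint why. Minor style point in the same hunk: the surviving `URI` lines are inconsistent, `URI: git://git.openembedded.org/meta-openembedded` has a colon while the meta-security and meta-clang entries do not; pick one form.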
@@ -44,7 +32,6 @@
/path/to/yocto/meta-yocto-bsp \
/path/to/meta-openembedded/meta-oe \
/path/to/meta-openembedded/meta-python \
- /path/to/meta-rust \
/path/to/meta-clang \
/path/to/meta-security/meta-tpm \
/path/to/meta-security/meta-parsec \
@@ -55,9 +42,16 @@
IMAGE_INSTALL:append = " parsec-service"
- The Parsec service will be deployed into the image built with all the supported
-providers and with the default config file from the Parsec repository:
+ By default the Parsec service will be deployed into the image with
+TPM, PKCS11, MBED-CRYPTO and CRYPTOAUTHLIB providers build in
+and with the default config file from the Parsec repository:
https://github.com/parallaxsecond/parsec/blob/main/config.toml
+
+ You can use PACKAGECONFIG for Parsec servic recipe to define
+what providers should be built in. For example,
+
+ PACKAGECONFIG:pn-parsec-service = "TPM"
+
The default Parsec service config file contains the MbedCrypto provider
enabled. The config file needs to be updated to use the Parsec service
with other providers like TPM or PKCS11. The required procedures are
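Review bot: Typos on the new lines: `for Parsec servic recipe` should be `for the Parsec service recipe`, and `providers build in` should be `providers built in`. The `PACKAGECONFIG:pn-parsec-service = "TPM"` example would be more useful if it listed the accepted values, which from the recipe hunk further down are `TPM`, `PKCS11`, `MBED-CRYPTO`, `CRYPTOAUTHLIB`, `TS` and `ALL`, and noted that narrowing the set so that `MBED-CRYPTO` is no longer selected leaves the default config.toml pointing at a provider that is not compiled in, so the config must then be edited as the following paragraph describes.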
@@ -86,24 +80,31 @@
This layer also contains a recipe for pasec-tool which can be used for
manual testing of the Parsec service:
- IMAGE_INSTALL:append += " parsec-tools"
+ IMAGE_INSTALL:append = " parsec-tools"
There are a series of Parsec Demo videos showing how to use parsec-tool
to test the Parsec service base functionality:
https://www.youtube.com/watch?v=ido0CyUdMHM&list=PLKjl7IFAwc4S7WQqqphCsyy6DPDxJ2Skg&index=4
+ The parsec-tool recipe also includes `parsec-cli-tests.sh` script
+which runs e2e tests against all providers enabled and configured
+in Parsec service.
+
You can use runqemu to start a VM with a built image file and run
manual tests with parsec-tool.
+Enabling Parsec providers for manual testing
+============================================
+
1. MbedCrypto provider
The default Parsec service config file contains the MbedCrypto provider
-enabled. No changes required for manual testing.
+enabled. No changes required.
2. PKCS11 provider
The Software HSM can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " softhsm"
+ IMAGE_INSTALL:append = " softhsm"
Inside the running VM:
- Stop Parsec
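Review bot: The unchanged context at the top of this hunk still reads `pasec-tool`; it should be `parsec-tool` and is worth fixing while this section is being touched. The `IMAGE_INSTALL:append = " parsec-tools"` and `" softhsm"` changes are correct, since `:append` combined with `+=` is flagged by bitbake. The new sentence about `parsec-cli-tests.sh` should say how it is invoked (it is described as running against "all providers enabled and configured", so presumably the service must already be running with the chosen config), otherwise the reader has a script name and no usage.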
@@ -134,7 +135,7 @@
The IBM Software TPM service can be used for manual testing of the provider by
including it into your test image:
- IMAGE_INSTALL:append += " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
+ IMAGE_INSTALL:append = " ibmswtpm2 tpm2-tools libtss2 libtss2-tcti-mssim"
Inside the running VM:
- Stop Parsec
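Review bot: This example still installs `ibmswtpm2`, while the shortlog for this same update includes `packagegroup-security-tpm2: drop ibmswtpm2`. Please confirm the `ibmswtpm2` recipe itself still exists in the layer; if it was removed rather than just dropped from the packagegroup, this `IMAGE_INSTALL:append` line will fail and the TPM provider instructions should point at `swtpm` (updated to 0.6.1 in this same series) instead.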
@@ -165,11 +166,11 @@
Send pull requests, patches, comments or questions to yocto@yoctoproject.org
When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-parsec][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-parsec][PATCH'
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@yoctoproject.org
+$ git config sendemail.to yocto@lists.yoctoproject.org
$ git config format.subjectPrefix meta-parsec][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
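Review bot: The move to `yocto@lists.yoctoproject.org` is fine; the unchanged context line `please using something like` should read `please use something like` and can be fixed in the same hunk.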
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
index b8bfa98..9161872 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_0.8.1.bb
@@ -13,15 +13,15 @@
DEPENDS = "clang-native"
PACKAGECONFIG ??= "TPM PKCS11 MBED-CRYPTO CRYPTOAUTHLIB"
-PACKAGECONFIG[ALL] = "all-providers,,tpm2-tss libts,libts"
-PACKAGECONFIG[TPM] = "tpm-provider,,tpm2-tss"
-PACKAGECONFIG[PKCS11] = "pkcs11-provider,"
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss"
+PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
PACKAGECONFIG[TS] = "trusted-service-provider,,libts,libts"
-PARSEC_PROVIDERS = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).replace(' ', ',')}"
-CARGO_BUILD_FLAGS += " --features ${PARSEC_PROVIDERS},cryptoki/generate-bindings,tss-esapi/generate-bindings"
+PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
+CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
inherit systemd
SYSTEMD_SERVICE:${PN} = "parsec.service"
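Review bot: `d.getVar('PACKAGECONFIG_CONFARGS',True)` keeps the deprecated positional expand argument; `d.getVar('PACKAGECONFIG_CONFARGS')` expands by default and is what current layers use. Moving `cryptoki/generate-bindings` and `tss-esapi/generate-bindings` into the `PKCS11` and `TPM` entries is the right fix, since the old unconditional `--features ${PARSEC_PROVIDERS},cryptoki/generate-bindings,tss-esapi/generate-bindings` forced both binding generators even for a `PACKAGECONFIG = "MBED-CRYPTO"` build. One gap remains: if `PACKAGECONFIG` is set empty, `PARSEC_FEATURES` expands to `""` and `CARGO_BUILD_FLAGS` ends with a bare `--features` and no value; either guard the append on a non-empty string or document that at least one provider must be selected. Also, `PACKAGECONFIG[ALL]` now duplicates the binding features already carried by `TPM` and `PKCS11`, so a user setting `"ALL TPM"` gets repeated features; harmless for cargo, but worth a comment that `ALL` is meant to be used on its own.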