subtree updates: raspberrypi security arm

meta-arm: eb9c47a4e1..9b6c8c95e4:
  Abdellatif El Khlifi (1):
        CI: append classes to INHERIT in the common fvp.yml

  Adam Johnston (1):
        arm-bsp/linux-yocto: Update N1SDP PCI quirk patch

  Jon Mason (10):
        CI: add yml files for defaults
        CI: add support for dev kernel, rt kernel, and poky-tiny
        arm-bsp/fvp-base: update to u-boot 2023.01
        arm-bsp/fvp-base-arm32: remove support
        ci: add external-toolchain to qemuarm-secureboot
        arm-bsp/optee: remove unused recipes
        arm/optee: optee-os include cleanup
        arm/optee-os: update to 3.20.0
        arm/edk2: update version and relocate edk2-basetools to be with edk2
        arm-bsp/fvp-base: Add edk2 build testing

  Ross Burton (7):
        arm-bsp/linux-arm64-ack: update Upstream-Status tags
        CI: add CI_CLEAN_REPOS variable to allow cleaning the repo reference cache
        arm/scp-firmware: fix up whitespace
        arm/scp-firmware: enable verbose builds
        arm/scp-firmware: remove textrel from INSANE_SKIP
        arm/scp-firmware: improve debug packaging
        CI: mask poky's llvm if we're using clang

  Rui Miguel Silva (1):
        arm-bsp/optee: bump corstone1000 to v3.20

  Satish Kumar (1):
        arm-bsp/corstone1000: new gpt based disk layout and fwu metadata

  Xueliang Zhong (1):
        arm-bsp/n1sdp: update to linux yocto kernel 6.1

meta-security: c06b9a18a6..a397a38ed9:
  Armin Kuster (16):
        openscap: update to 1.3.6
        openscap: update to 1.3.7
        openscap git: add DEFAULT_PREFERENCE
        python3-fail2ban: update to 1.0.2
        python3-privacyidea: update to 3.8.1
        libhtp: update to 0.5.42
        lkrg-modules: update to 0.9.6
        chkrootkit: update to 0.57
        fscrypt: update to 1.1.0
        libmspack: update to 1.11
        firejail: update 0.9.72
        suricata: update to 6.0.10
        apparmor: update to 3.1.3
        krill: update 0.12.3
        cryptmout: update to 6.2.0
        packagegroup-core-security: refactor the inclusion of krill

  Eero Aaltonen (1):
        dm-verity-img.bbclass: fix syntax warning

  Jose Quaresma (3):
        meta-hardening/layer: lower the priority from 10 to 6
        meta-security-compliance/layer: lower the priority from 10 to 6
        meta-tpm/layer: lower the priority from 10 to 6

  Kevin Hao (1):
        dm-verity-img.bbclass: Fix the hash offset alignment issue

  Mikko Rapeli (1):
        ima-evm-utils: disable documentation from build

  Paul Gortmaker (3):
        dm-verity: update beaglebone wic to match meta-yocto
        dm-verity: add basic non-arch/non-BSP yocto specific settings
        dm-verity: document board specifics for Beaglebone Black

  Peter Marko (1):
        tpm2-tss: correct CVE product

meta-raspberrypi: e15b876155..3afdbbf782:
  Carlos Alberto Lopez Perez (1):
        mesa-demos: enable build with userland graphics drivers.

  Khem Raj (6):
        linux-raspberrypi: Add recipes for 6.1 kernel
        psplash: Make psplash wait for the framebuffer to be ready
        rpi-default-versions: Use 6.1 kernel as default
        gstreamer1.0-plugins-bad: Drop gpl packageconfig
        rpidistro-ffmpeg: Pin to use gcc always
        rpidistro-vlc: Fix build with clang16

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ie6e60085306d31972098b87738eb550e5140b92a
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index e5946bc..d809985 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -25,6 +25,9 @@
 # Define the data block size to use in veritysetup.
 DM_VERITY_IMAGE_DATA_BLOCK_SIZE ?= "1024"
 
+# Define the hash block size to use in veritysetup.
+DM_VERITY_IMAGE_HASH_BLOCK_SIZE ?= "4096"
+
 # Process the output from veritysetup and generate the corresponding .env
 # file. The output from veritysetup is not very machine-friendly so we need to
 # convert it to some better format. Let's drop the first line (doesn't contain
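Review bot: The comment on the new `DM_VERITY_IMAGE_HASH_BLOCK_SIZE` does not say which values are valid. The alignment added further down in this file rounds the hash offset up to the larger of the two block sizes, which is a multiple of both only when each is a power of two. I would extend the comment to something like `# Define the hash block size to use in veritysetup. Must be a power of two, like the data block size; the hash offset is aligned to the larger of the two.`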
@@ -56,11 +59,18 @@
     local SIZE=$(stat --printf="%s" $INPUT)
     local OUTPUT=$INPUT.verity
 
+    if [ ${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} -ge ${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} ]; then
+        align=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE}
+    else
+        align=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE}
+    fi
+    SIZE=$(expr \( $SIZE + $align - 1 \) / $align \* $align)
+
     cp -a $INPUT $OUTPUT
 
     # Let's drop the first line of output (doesn't contain any useful info)
     # and feed the rest to another function.
-    veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
+    veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
 }
 
 VERITY_TYPES = " \
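Review bot: On the changed `veritysetup … | tail -n +2 | process_verity` line the pipeline discards the exit status of veritysetup. Unless the task shell enables pipefail (not visible here), a failed format can leave a `.verity` image without a usable hash tree while the build carries on. Capturing the output first keeps the failure visible, assuming the task runs under `set -e`: `veritysetup … format $OUTPUT $OUTPUT > $OUTPUT.out` followed by `tail -n +2 $OUTPUT.out | process_verity` (the `.out` name is only an example). In the added block, `align` is assigned without `local` although `SIZE` and `OUTPUT` are declared local; `local align` would stop it leaking into the rest of the task. The function begins above the hunk.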
@@ -87,7 +97,7 @@
     if verity_image != pn:
         return # This doesn't concern this image
 
-    if len(verity_type.split()) is not 1:
+    if len(verity_type.split()) != 1:
         bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
 
     d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
diff --git a/meta-security/docs/dm-verity-beaglebone.txt b/meta-security/docs/dm-verity-beaglebone.txt
new file mode 100644
index 0000000..5f0caa4
--- /dev/null
+++ b/meta-security/docs/dm-verity-beaglebone.txt
@@ -0,0 +1,37 @@
+dm-verity and beaglebone-black
+------------------------------
+Set/uncomment the MACHINE line for "beaglebone-yocto" if you haven't yet.
+
+In addition to the basic dm-verity settings, you'll also want in local.conf:
+
+IMAGE_BOOT_FILES:remove = "zImage"
+IMAGE_BOOT_FILES:append = " zImage-initramfs-${MACHINE}.bin;zImage"
+WKS_FILES = "${MACHINE}-verity.wks.in"
+
+Read-only issues: The beaglebone BSP by default declares the following:
+
+   SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0 115200;ttyAMA0"
+   SERIAL_CONSOLES_CHECK = "${SERIAL_CONSOLES}"
+
+...which are variables used by sysV init, in order to determine the
+appropriate /etc/inittab entries.  The problem that arises is that by
+default, an on-target runtime check of /proc/consoles is used to finalize
+the /etc/inittab -- and of course that fails a build with read-only-rootfs
+[see the pkg_postinst_ontarget rule in the sysvinit rule for details.]
+
+If you don't need a serial console, the quick fix is to add in local.conf
+
+SERIAL_CONSOLES = ""
+
+If you do need/want a serial console, then probably a local bbappend to
+manually set the /etc/inittab as desired is easiest.
+
+After running "wic create -e core-image-minimal beaglebone-yocto-verity"
+you should have a "direct" image ready to write to a u-SD card.  Remember
+that the "direct" image contains the bootloader and partition table
+already, so you'll be writing it to a device such as /dev/sdb and not
+just a partition  -- like /dev/sdb1
+
+Also recall that booting from u-SD requires pressing and holding the S2
+(SYSBOOT) button during power-on in order to divert the boot from the normal
+soldered on storage and to the removable u-SD card.
diff --git a/meta-security/docs/dm-verity.txt b/meta-security/docs/dm-verity.txt
new file mode 100644
index 0000000..602a826
--- /dev/null
+++ b/meta-security/docs/dm-verity.txt
@@ -0,0 +1,114 @@
+dm-verity and Yocto/OE
+----------------------
+The dm-verity feature provides a level of data integrity and resistance to
+data tampering.  It does this by creating a hash for each data block of
+the underlying device as the base of a hash tree.  There are many
+documents out there to further explain the implementaion, such as the
+in-kernel one itself:
+
+https://docs.kernel.org/admin-guide/device-mapper/verity.html
+
+The goal of this document is not to reproduce that content, but instead to
+capture the Yocto/OE specifics of the dm-verity infrastructure used here.
+
+Ideally this should enable a person to build and deploy an image on one of
+the supported reference platforms, and then further adapt to their own
+platform and specific storage requirements.
+
+Basic Settings
+--------------
+Largely everything is driven off of a dm-verity image class; a typical
+block of non MACHINE specific settings are shown below:
+
+INITRAMFS_IMAGE = "dm-verity-image-initramfs"
+DM_VERITY_IMAGE = "core-image-minimal"
+DM_VERITY_IMAGE_TYPE = "ext4"
+IMAGE_CLASSES += "dm-verity-img"
+INITRAMFS_IMAGE_BUNDLE = "1"
+
+Kernel Configuration
+--------------------
+Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
+which will source features/device-mapper/dm-verity.scc when dm-verity-img
+is used. [See commit d9feafe991c]
+
+Supported Platforms
+-------------------
+In theory, you can use dm-verity anywhere - there is nothing arch/BSP
+specific in the core kernel support.  However, at the BSP level, one
+eventually has to decide what device(s) are to be hashed, and where the
+hash tables are stored.
+
+To that end, the BSP storage specifics live in meta-security/wic dir and
+represent the current set of example configurations that have been tested
+and submitted at some point.
+
+Getting Started
+---------------
+This document assumes you are starting from the basic auto-created
+conf/local.conf and conf/bblayers.conf from the oe-init-build-env
+
+Firstly, you need the meta-security layer to conf/bblayers.conf along with
+the dependencies it has -- see the top level meta-security README for that.
+
+Next, assuming you'll be using dm-verity for validation of your rootfs,
+you'll need to enable read-only rootfs support in your local.conf with:
+
+EXTRA_IMAGE_FEATURES = "read-only-rootfs"
+
+For more details, see the associated documentation:
+
+https://docs.yoctoproject.org/dev/dev-manual/read-only-rootfs.html
+
+Also add the basic block of dm-verity settings shown above, and select
+your MACHINE from one of the supported platforms.
+
+If there is a dm-verity-<MACHINE>.txt file for your BSP, check that for
+any additional platform specific recommended settings, such as the
+WKS_FILES which can specify board specific storage layout discussed below.
+
+Then you should be able to do a "bitbake core-image-minimal" just like any
+other normal build.  What you will notice, is the content in
+tmp/deploy/images/<MACHINE>/ now have suffixes like "rootfs.ext4.verity"
+
+While you can manually work with these images just like any other build,
+this is where the BSP specific recipes in meta-security/wic can simplify
+things and remove a bunch of manual steps that might be error prone.
+
+Consider for example, the beaglebone black WIC file, which contains:
+
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat
+--label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+bootloader --append="console=ttyS0,115200"
+
+As can be seen, it maps out the partitions, including the bootloader, and
+saves doing a whole bunch of manual partitioning and dd steps.
+
+This file is copied into tmp/deploy/images/<MACHINE>/ with bitbake
+variables expanded with their corresponding values for wic to make use of.
+
+Continuing with the beaglebone example, we'll see output similar to:
+
+             ----------------------
+$ wic create -e core-image-minimal beaglebone-yocto-verity
+
+[...]
+
+INFO: Creating image(s)...
+
+INFO: The new image(s) can be found here:
+  ./beaglebone-yocto-verity.wks-202303070223-mmcblk0.direct
+
+The following build artifacts were used to create the image(s):
+  BOOTIMG_DIR:       /home/paul/poky/build-bbb-verity/tmp/work/beaglebone_yocto-poky-linux-gnueabi/core-image-minimal/1.0-r0/recipe-sysroot/usr/share
+  KERNEL_DIR:        /home/paul/poky/build-bbb-verity/tmp/deploy/images/beaglebone-yocto
+  NATIVE_SYSROOT:    /home/paul/poky/build-bbb-verity/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/wic-tools/1.0-r0/recipe-sysroot-native
+
+INFO: The image(s) were created using OE kickstart file:
+  /home/paul/poky/meta-security/wic/beaglebone-yocto-verity.wks.in
+             ----------------------
+
+The "direct" image contains the partition table, bootloader, and dm-verity
+enabled ext4 image all in one -- ready to write to a raw device, such as a
+u-SD card in the case of the beaglebone.
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
similarity index 90%
rename from meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
rename to meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
index 1f55267..9379494 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
@@ -11,11 +11,11 @@
 
 DEPENDS = "python3-native"
 
-SRCREV ="4fe4ac8dde6ba14841da598ec37f8c6911fe0f64"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11;protocol=https \
-        file://initd \
-        file://run-ptest \
-"
+SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120"
+SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
+           file://initd \
+           file://run-ptest \
+           "
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
 
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.7.4.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb
similarity index 95%
rename from meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.7.4.bb
rename to meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb
index b6a0e06..8bb88f1 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.7.4.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb
@@ -6,7 +6,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
 
 PYPI_PACKAGE = "privacyIDEA"
-SRC_URI[sha256sum] = "187b6aa61f8b27e1972512123c8295ea6d2501b3d90d975d4603e753f146b50c"
+SRC_URI[sha256sum] = "e0dae763575c6300ccaebe6dcc8d3f119cb3e25c11302b1e78a96a12e8ab2b38"
 
 inherit pypi setuptools3
 
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index add3cbc..1dbc537 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -6,7 +6,7 @@
 
 BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_harden-layer = "10"
+BBFILE_PRIORITY_harden-layer = "6"
 
 LAYERSERIES_COMPAT_harden-layer = "mickledore"
 
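Review bot: Lowering `BBFILE_PRIORITY_harden-layer` from 10 to 6 lets any layer with priority 7 to 10 take precedence over this one when both provide the same recipe, and the file gives no reason for the new value. For a hardening layer the ordering matters, because an override elsewhere may now win over the hardened variant; whether that happens depends on the layers in a given build, which is not visible here. A one-line comment above the assignment, such as `# Priority 6: <reason for the value>`, would record the intent. The same change is made to `scanners-layer` and `tpm-layer` later in this commit.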
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
index 4f1d1a3..873aeeb 100644
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -14,6 +14,7 @@
 REQUIRED_DISTRO_FEATURES = "ima"
 REQUIRED_DISTRO_FEATURES:class-native = ""
 
+EXTRA_OECONF += "MANPAGE_DOCBOOK_XSL=0"
 EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
 
 # blkid is called by evmctl when creating evm checksums.
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index f07532c..82409a6 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -6,7 +6,7 @@
 
 BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_scanners-layer = "10"
+BBFILE_PRIORITY_scanners-layer = "6"
 
 LAYERSERIES_COMPAT_scanners-layer = "mickledore"
 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
deleted file mode 100644
index 192b008..0000000
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.3.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-SUMARRY = "NIST Certified SCAP 1.2 toolkit"
-
-require openscap.inc
-
-SRCREV = "0cb55c55af6be9934d6fd0caf4563b206f289732"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \
-"
-
-DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb
new file mode 100644
index 0000000..cfe93f0
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.7.bb
@@ -0,0 +1,19 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+DEPENDS:append = " xmlsec1"
+
+require openscap.inc
+
+inherit systemd
+
+SRCREV = "55efbfda0f617e05862ab6ed4862e10dbee52b03"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "oscap-remediate.service"
+
+do_install:append () {
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service
+    fi
+}
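Review bot: The first line of the new recipe assigns `SUMARRY`, a misspelling carried over from the removed 1.3.3 recipe, so this file never sets the summary (openscap.inc may set `SUMMARY` itself; it is not shown). It should read `SUMMARY = "NIST Certified SCAP 1.2 toolkit"`. Separately, `SYSTEMD_SERVICE:${PN} = "oscap-remediate.service"` is added without `SYSTEMD_AUTO_ENABLE`, so the unit is enabled by default on systemd images. If a remediation unit should run only when the integrator opts in, add `SYSTEMD_AUTO_ENABLE = "disable"` next to it.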
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
index a18cbd1..3543e11 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -10,3 +10,5 @@
 "
 
 PV = "1.3.3+git${SRCPV}"
+
+DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 81690ca..12bd6b7 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -6,7 +6,7 @@
 
 BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_tpm-layer = "10"
+BBFILE_PRIORITY_tpm-layer = "6"
 
 LAYERSERIES_COMPAT_tpm-layer = "mickledore"
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
index 657a2cd..cc7e6ae 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.0.1.bb
@@ -14,6 +14,8 @@
 
 UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
 
+CVE_PRODUCT = "tpm2_software_stack"
+
 inherit autotools pkgconfig systemd useradd
 
 PACKAGECONFIG ??= "vendor"
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 22c1245..b009a4d 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -40,16 +40,16 @@
     sshguard \
     firejail \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam krill", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
     "
 
-RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec"
-RDEPENDS:packagegroup-security-utils:append:x86-64 = " chipsec"
-RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail krill"
+have_krill =  "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
+RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86-64 = " chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:aarch64 = " ${have_krill}"
+RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail"
 RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill"
-RDEPENDS:packagegroup-security-utils:remove:riscv64 = "krill"
-RDEPENDS:packagegroup-security-utils:remove:armv7ve = " krill"
 
 SUMMARY:packagegroup-security-scanners = "Security scanners"
 RDEPENDS:packagegroup-security-scanners = "\
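Review bot: `have_krill` is appended only for x86, x86-64 and aarch64, so every other architecture that previously received krill through the `pam` branch now loses it, and nothing in the hunk says this is intended. A comment above the assignment, e.g. `# krill is only added on the architectures listed below`, would make the allow-list explicit. The helper would also read better in the usual upper-case form (`HAVE_KRILL`) with a single space after `=`.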
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb
similarity index 90%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.40.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.42.bb
index 08e285e..e2866c8 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.42.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
 
 SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "1733478f7fd09e936fea2e024f1d228d40741df2"
+SRCREV = "b14f81bfddbc7206ea713177fcf1e1090257dcd2"
 
 DEPENDS = "zlib"
 
diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.6.bb b/meta-security/recipes-ids/suricata/suricata_6.0.10.bb
similarity index 97%
rename from meta-security/recipes-ids/suricata/suricata_6.0.6.bb
rename to meta-security/recipes-ids/suricata/suricata_6.0.10.bb
index ce9aca8..0422ead 100644
--- a/meta-security/recipes-ids/suricata/suricata_6.0.6.bb
+++ b/meta-security/recipes-ids/suricata/suricata_6.0.10.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
 
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
-SRC_URI[sha256sum] = "00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839"
+SRC_URI[sha256sum] = "59bfd1bf5d9c1596226fa4815bf76643ce59698866c107a26269c481f125c4d7"
 
 DEPENDS = "lz4 libhtp"
 
@@ -190,6 +190,7 @@
 
     sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
     sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
+    sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py
 }
 
 pkg_postinst_ontarget:${PN} () {
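Review bot: The added `sed` expression `s:#!.*$:…:g` has no line address, so it rewrites every line of suricatasc.py that contains `#!`, not only the interpreter line. The two existing calls above it share the pattern. Restricting it to the first line is safer: `sed -i -e "1s:^#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py`. The enclosing install function starts above the hunk.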
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.5.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.6.bb
similarity index 95%
rename from meta-security/recipes-kernel/lkrg/lkrg-module_0.9.5.bb
rename to meta-security/recipes-kernel/lkrg/lkrg-module_0.9.6.bb
index fa46cb6..421d924 100644
--- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.5.bb
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.6.bb
@@ -11,7 +11,7 @@
 
 SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main"
 
-SRCREV = "c58cb52145b8e8ccc6bd19079f5c835933281cdc"
+SRCREV = "2481b3e2dd04eac945c31f99058b0aeee73c3a71"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.7.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
similarity index 95%
rename from meta-security/recipes-mac/AppArmor/apparmor_3.0.7.bb
rename to meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
index e7d677e..fd649e4 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.7.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
@@ -14,15 +14,14 @@
 DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
 
 SRC_URI = " \
-    git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+    git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.1 \
     file://run-ptest \
     file://crosscompile_perl_bindings.patch \
     file://0001-Makefile.am-suppress-perllocal.pod.patch \
     file://0001-Makefile-fix-hardcoded-installation-directories.patch \
-    file://0001-rc.apparmor.debian-add-missing-functions.patch \
     "
 
-SRCREV = "0ead606d9e608801f45e13a34358036135470729"
+SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe"
 S = "${WORKDIR}/git"
 
 PARALLEL_MAKE = ""
@@ -95,7 +94,7 @@
 
     if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
         install -d ${D}${sysconfdir}/init.d
-        install -m 755 ${B}/parser/rc.apparmor.debian ${D}${sysconfdir}/init.d/apparmor
+        install -m 755 ${B}/parser/rc.apparmor.functions ${D}${sysconfdir}/init.d/apparmor
     fi
 
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
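Review bot: The sysvinit branch now installs `parser/rc.apparmor.functions` as `/etc/init.d/apparmor`, and that file looks like a function library, not an init script. The trace quoted in the patch this commit removes shows it being sourced from `/lib/apparmor/rc.apparmor.functions`, which suggests it does not handle `start`/`stop` itself. If so, `/etc/init.d/apparmor start` would define functions and exit without loading any profiles on sysvinit images. Please confirm which init script the 3.1 tree provides and install that, or add a comment stating that this file is meant to be run directly. The do_install body starts and ends outside the hunk.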
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch b/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
deleted file mode 100644
index 53bdde8..0000000
--- a/meta-security/recipes-mac/AppArmor/files/0001-rc.apparmor.debian-add-missing-functions.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From a737c95ac0f887c365fe8f16583ea95da79de1e9 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 21 Jun 2021 16:53:39 +0800
-Subject: [PATCH] rc.apparmor.debian: add missing functions
-
-Add missing functions:
-  aa_log_action_start
-  aa_log_action_end
-  aa_log_daemon_msg
-  aa_log_end_msg
-
-Fixes:
-$ /etc/init.d/apparmor start
-/lib/apparmor/rc.apparmor.functions: line 294: aa_log_daemon_msg: command not found
-/lib/apparmor/rc.apparmor.functions: line 214: aa_log_action_start: command not found
-
-Upstream-Status: Pending
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- parser/rc.apparmor.debian | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/parser/rc.apparmor.debian b/parser/rc.apparmor.debian
-index 8efd4400..f35124e8 100644
---- a/parser/rc.apparmor.debian
-+++ b/parser/rc.apparmor.debian
-@@ -70,6 +70,26 @@ aa_log_skipped_msg() {
-         echo ": Skipped."
- }
- 
-+aa_log_action_start()
-+{
-+    echo "$@"
-+}
-+
-+aa_log_action_end()
-+{
-+    printf ""
-+}
-+
-+aa_log_daemon_msg()
-+{
-+    echo "$@"
-+}
-+
-+aa_log_end_msg()
-+{
-+    printf ""
-+}
-+
- usage() {
-     echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
- }
--- 
-2.17.1
-
diff --git a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb b/meta-security/recipes-scanners/rootkits/chkrootkit_0.57.bb
similarity index 94%
rename from meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb
rename to meta-security/recipes-scanners/rootkits/chkrootkit_0.57.bb
index fe0e989..d35f5f6 100644
--- a/meta-security/recipes-scanners/rootkits/chkrootkit_0.55.bb
+++ b/meta-security/recipes-scanners/rootkits/chkrootkit_0.57.bb
@@ -7,7 +7,7 @@
 
 SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
            file://musl_fix.patch"
-SRC_URI[sha256sum] = "a81c0286ec449313f953701202a00e81b204fc2cf43e278585a11c12a5e0258b"
+SRC_URI[sha256sum] = "06d1faee151aa3e3c0f91ac807ca92e60b75ed1c18268ccef2c45117156d253c"
 
 inherit autotools-brokensep
 
diff --git a/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
index a32720a..7e70692 100644
--- a/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
+++ b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -5,28 +5,28 @@
 we are currently doing this on the target. 
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
 
-Index: git/Makefile.in
+Index: git/Makefile
 ===================================================================
---- git.orig/Makefile.in
-+++ git/Makefile.in
-@@ -34,7 +34,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+--- git.orig/Makefile
++++ git/Makefile
+@@ -18,7 +18,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
  MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
  COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
  MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
 -SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
  ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
  
- .PHONY: all_items $(ALL_ITEMS)
-@@ -52,7 +51,7 @@ $(MANPAGES): src/man
+ .PHONY: all
+@@ -43,7 +42,7 @@ $(MANPAGES): src/man config.mk
  
  man: $(MANPAGES)
  
 -filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
-+filters: $(SBOX_APPS_NON_DUMPABLE)
++filters:  $(SBOX_APPS_NON_DUMPABLE)
  seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
  	src/fseccomp/fseccomp default seccomp
  	src/fsec-optimize/fsec-optimize seccomp
-@@ -81,7 +80,6 @@ clean:
+@@ -72,7 +71,6 @@ clean:
  	done
  	$(MAKE) -C test clean
  	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
@@ -34,12 +34,12 @@
  	rm -f test/utils/index.html*
  	rm -f test/utils/wget-log
  	rm -f test/utils/firejail-test-file*
-@@ -119,7 +117,7 @@ endif
+@@ -110,7 +108,7 @@ endif
  	# libraries and plugins
  	install -m 0755 -d $(DESTDIR)$(libdir)/firejail
  	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
 -	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
-+	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) 
++	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS)
  	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
  	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
  	# plugins w/o read permission (non-dumpable)
diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.70.bb b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb
similarity index 95%
rename from meta-security/recipes-security/Firejail/firejail_0.9.70.bb
rename to meta-security/recipes-security/Firejail/firejail_0.9.72.bb
index 35f7b07..12a3105 100644
--- a/meta-security/recipes-security/Firejail/firejail_0.9.70.bb
+++ b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb
@@ -9,7 +9,7 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 LICENSE = "GPL-2.0-only"
 
-SRCREV = "b4b08d21cd95725c9d55dfdb6987fcc6d7893247"
+SRCREV = "2551bc71f14052344666f3ca2ad67f5b798020b9"
 SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
            file://exclude_seccomp_util_compiles.patch \
            "
@@ -46,6 +46,7 @@
 
 FILES:${PN}-vim = "${datadir}/vim/"
 FILES:${PN}-zsh = "${datadir}/zsh/"
+FILES:${PN}-dev = "${datadir}/gtksourceview-5/"
 
 pkg_postinst_ontarget:${PN} () {
     ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
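Review bot: `FILES:${PN}-dev = "${datadir}/gtksourceview-5/"` replaces the default contents of the `-dev` package instead of extending them. The `-vim` and `-zsh` lines above use `=` too, but those appear to be packages defined by this recipe. Anything the defaults would have placed in `${PN}-dev` then lands in another package or trips the installed-vs-shipped check. `FILES:${PN}-dev += "${datadir}/gtksourceview-5/"` keeps the defaults.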
diff --git a/meta-security/recipes-security/cryptmount/cryptmount_6.0.bb b/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
similarity index 83%
rename from meta-security/recipes-security/cryptmount/cryptmount_6.0.bb
rename to meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
index d712a61..d815e1d 100644
--- a/meta-security/recipes-security/cryptmount/cryptmount_6.0.bb
+++ b/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -1,12 +1,10 @@
 SUMMARY = "Linux encrypted filesystem management tool"
 HOMEPAGE = "http://cryptmount.sourceforge.net/"
-LIC_FILES_CHKSUM = "file://README;beginline=3;endline=4;md5=dae0772f0ff46fd927e7fdb08af51b71"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=1;endline=4;md5=6e69c425bf32ecf9b1e11d29d146d03d"
 LICENSE = "GPL-2.0-only"
+SRC_URI = "https://sourceforge.net/projects/cryptmount/files/${BPN}/${BPN}-6.2/${BPN}-${PV}.tar.gz"
 
-SRC_URI = "https://sourceforge.net/projects/cryptmount/files/${BPN}/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
-           "
-
-SRC_URI[sha256sum] = "86528a9175e1eb53f60613e3c3ea6ae6d69dbfe5ac2b53b2f58ba0f768371e7e"
+SRC_URI[sha256sum] = "90cc49fd598d636929c70479b1305f12b011edadf4a54578ace6c0fca8cb5ed2"
 
 inherit autotools-brokensep gettext pkgconfig systemd
 
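Review bot: The new `SRC_URI` hard-codes the directory component `${BPN}-6.2` while the file name still uses `${PV}`, so the next rename of the recipe will point at a stale directory until someone edits the URL by hand. Deriving it from PV, for example `${BPN}-${@'.'.join(d.getVar('PV').split('.')[:2])}`, or at least adding a comment such as `# upstream directory is major.minor only`, would keep the two in step. The tarball is still pinned by `SRC_URI[sha256sum]`, so this is a maintenance point and not an integrity one.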
diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
similarity index 96%
rename from meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
rename to meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
index 8147fe6..ea9593b 100644
--- a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
+++ b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -11,7 +11,7 @@
 # fscrypt depends on go and libpam
 DEPENDS += "go-native libpam"
 
-SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4"
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
 SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
 
 GO_IMPORT = "import"
diff --git a/meta-security/recipes-security/krill/files/panic_workaround.patch b/meta-security/recipes-security/krill/files/panic_workaround.patch
index 9b08cb5..dc26416 100644
--- a/meta-security/recipes-security/krill/files/panic_workaround.patch
+++ b/meta-security/recipes-security/krill/files/panic_workaround.patch
@@ -5,7 +5,7 @@
 ===================================================================
 --- git.orig/Cargo.toml
 +++ git/Cargo.toml
-@@ -71,7 +71,7 @@ static-openssl = [ "openssl/vendored" ]
+@@ -91,7 +91,7 @@ hsm-tests-pkcs11 = [ "hsm" ]
  # Make sure that Krill crashes on panics, rather than losing threads and
  # limping on in a bad state.
  [profile.release]
@@ -13,4 +13,4 @@
 +#panic = "abort"
  
  [dev-dependencies]
- # for user management
+ regex     = "1.5.5"
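Review bot: The refreshed workaround still carries `#panic = "abort"` commented out under `[profile.release]`, directly below upstream's own comment that Krill should crash on panics and not limp on in a bad state, and nothing visible here says why the recipe needs that. For an RPKI CA, continuing after a lost thread is the less safe failure mode. The patch header (outside this hunk) should state the reason and carry an `Upstream-Status:` tag, so that each version bump can check whether the patch can be dropped. A one-line comment in the patch such as `# panic=abort disabled because <reason>; drop when fixed` would be enough.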
diff --git a/meta-security/recipes-security/krill/krill.inc b/meta-security/recipes-security/krill/krill.inc
index bb40f57..22fe269 100644
--- a/meta-security/recipes-security/krill/krill.inc
+++ b/meta-security/recipes-security/krill/krill.inc
@@ -1,3 +1,6 @@
+# Auto-Generated by cargo-bitbake 0.3.16
+#
+
 # please note if you have entries that do not begin with crate://
 # you must change them to how that package can be fetched
 SRC_URI += " \
@@ -5,46 +8,61 @@
     crate://crates.io/adler/1.0.2 \
     crate://crates.io/adler32/1.2.0 \
     crate://crates.io/aho-corasick/0.7.18 \
+    crate://crates.io/android_system_properties/0.1.5 \
     crate://crates.io/ansi_term/0.12.1 \
     crate://crates.io/ascii-canvas/3.0.0 \
     crate://crates.io/ascii/1.0.0 \
     crate://crates.io/atty/0.2.14 \
     crate://crates.io/autocfg/1.1.0 \
-    crate://crates.io/backtrace/0.3.64 \
+    crate://crates.io/backoff/0.3.0 \
+    crate://crates.io/backtrace/0.3.66 \
     crate://crates.io/base64/0.13.0 \
     crate://crates.io/basic-cookies/0.1.4 \
-    crate://crates.io/bcder/0.6.1 \
+    crate://crates.io/bcder/0.7.0 \
     crate://crates.io/bit-set/0.5.2 \
     crate://crates.io/bit-vec/0.6.3 \
     crate://crates.io/bitflags/1.3.2 \
+    crate://crates.io/block-buffer/0.10.2 \
     crate://crates.io/block-buffer/0.9.0 \
-    crate://crates.io/bumpalo/3.9.1 \
+    crate://crates.io/bumpalo/3.10.0 \
     crate://crates.io/bytes/1.1.0 \
     crate://crates.io/cc/1.0.73 \
     crate://crates.io/cfg-if/1.0.0 \
-    crate://crates.io/chrono/0.4.19 \
+    crate://crates.io/chrono/0.4.22 \
     crate://crates.io/chunked_transfer/1.4.0 \
     crate://crates.io/cipher/0.2.5 \
     crate://crates.io/clap/2.34.0 \
+    crate://crates.io/codespan-reporting/0.11.1 \
     crate://crates.io/core-foundation-sys/0.8.3 \
     crate://crates.io/core-foundation/0.9.3 \
-    crate://crates.io/cpufeatures/0.2.1 \
+    crate://crates.io/cpufeatures/0.2.2 \
     crate://crates.io/crc32fast/1.3.2 \
     crate://crates.io/crunchy/0.2.2 \
+    crate://crates.io/crypto-common/0.1.6 \
     crate://crates.io/crypto-mac/0.10.1 \
-    crate://crates.io/ctrlc/3.2.1 \
+    crate://crates.io/cryptoki-sys/0.1.4 \
+    crate://crates.io/cryptoki/0.3.0 \
+    crate://crates.io/ctrlc/3.2.2 \
+    crate://crates.io/cxx-build/1.0.79 \
+    crate://crates.io/cxx/1.0.79 \
+    crate://crates.io/cxxbridge-flags/1.0.79 \
+    crate://crates.io/cxxbridge-macro/1.0.79 \
+    crate://crates.io/derivative/2.2.0 \
     crate://crates.io/deunicode/0.4.3 \
-    crate://crates.io/diff/0.1.12 \
+    crate://crates.io/diff/0.1.13 \
+    crate://crates.io/digest/0.10.3 \
     crate://crates.io/digest/0.9.0 \
     crate://crates.io/dirs-next/2.0.0 \
     crate://crates.io/dirs-sys-next/0.1.2 \
-    crate://crates.io/either/1.6.1 \
+    crate://crates.io/either/1.7.0 \
     crate://crates.io/ena/0.14.0 \
-    crate://crates.io/encoding_rs/0.8.30 \
+    crate://crates.io/encoding_rs/0.8.31 \
+    crate://crates.io/enum-display-derive/0.1.1 \
+    crate://crates.io/enum-flags/0.1.8 \
     crate://crates.io/error-chain/0.11.0 \
     crate://crates.io/fastrand/1.7.0 \
     crate://crates.io/fern/0.5.9 \
-    crate://crates.io/fixedbitset/0.2.0 \
+    crate://crates.io/fixedbitset/0.4.2 \
     crate://crates.io/fnv/1.0.7 \
     crate://crates.io/foreign-types-shared/0.1.1 \
     crate://crates.io/foreign-types/0.3.2 \
@@ -60,181 +78,202 @@
     crate://crates.io/futures-util/0.3.21 \
     crate://crates.io/futures/0.3.21 \
     crate://crates.io/generic-array/0.14.5 \
-    crate://crates.io/getrandom/0.2.4 \
-    crate://crates.io/gimli/0.26.1 \
-    crate://crates.io/h2/0.3.11 \
-    crate://crates.io/hashbrown/0.11.2 \
+    crate://crates.io/getrandom/0.2.7 \
+    crate://crates.io/gimli/0.26.2 \
+    crate://crates.io/h2/0.3.13 \
+    crate://crates.io/hashbrown/0.12.3 \
     crate://crates.io/hermit-abi/0.1.19 \
     crate://crates.io/hex/0.4.3 \
     crate://crates.io/hmac/0.10.1 \
-    crate://crates.io/http-body/0.4.4 \
-    crate://crates.io/http/0.2.6 \
-    crate://crates.io/httparse/1.6.0 \
+    crate://crates.io/http-body/0.4.5 \
+    crate://crates.io/http/0.2.8 \
+    crate://crates.io/httparse/1.7.1 \
     crate://crates.io/httpdate/1.0.2 \
     crate://crates.io/hyper-tls/0.5.0 \
-    crate://crates.io/hyper/0.14.17 \
+    crate://crates.io/hyper/0.14.20 \
+    crate://crates.io/iana-time-zone-haiku/0.1.1 \
+    crate://crates.io/iana-time-zone/0.1.51 \
     crate://crates.io/idna/0.2.3 \
     crate://crates.io/impl-trait-for-tuples/0.2.2 \
-    crate://crates.io/indexmap/1.8.0 \
+    crate://crates.io/indexmap/1.9.1 \
     crate://crates.io/instant/0.1.12 \
     crate://crates.io/intervaltree/0.2.7 \
-    crate://crates.io/ipnet/2.3.1 \
+    crate://crates.io/ipnet/2.5.0 \
     crate://crates.io/itertools/0.10.3 \
-    crate://crates.io/itertools/0.9.0 \
-    crate://crates.io/itoa/1.0.1 \
+    crate://crates.io/itoa/1.0.2 \
     crate://crates.io/jmespatch/0.3.0 \
-    crate://crates.io/js-sys/0.3.56 \
-    crate://crates.io/lalrpop-util/0.19.7 \
-    crate://crates.io/lalrpop/0.19.7 \
+    crate://crates.io/js-sys/0.3.58 \
+    crate://crates.io/kmip-protocol/0.4.2 \
+    crate://crates.io/kmip-ttlv/0.3.3 \
+    crate://crates.io/lalrpop-util/0.19.8 \
+    crate://crates.io/lalrpop/0.19.8 \
     crate://crates.io/lazy_static/1.4.0 \
-    crate://crates.io/libc/0.2.119 \
-    crate://crates.io/libflate/1.1.2 \
+    crate://crates.io/libc/0.2.126 \
+    crate://crates.io/libflate/1.2.0 \
     crate://crates.io/libflate_lz77/1.1.0 \
-    crate://crates.io/lock_api/0.4.6 \
-    crate://crates.io/log/0.4.14 \
+    crate://crates.io/libloading/0.7.3 \
+    crate://crates.io/link-cplusplus/1.0.7 \
+    crate://crates.io/lock_api/0.4.7 \
+    crate://crates.io/log/0.4.17 \
     crate://crates.io/maplit/1.0.2 \
     crate://crates.io/matchers/0.0.1 \
     crate://crates.io/matches/0.1.9 \
-    crate://crates.io/memchr/2.4.1 \
-    crate://crates.io/memoffset/0.6.5 \
+    crate://crates.io/maybe-async/0.2.6 \
+    crate://crates.io/memchr/2.5.0 \
     crate://crates.io/mime/0.3.16 \
-    crate://crates.io/miniz_oxide/0.4.4 \
-    crate://crates.io/mio/0.8.0 \
-    crate://crates.io/miow/0.3.7 \
-    crate://crates.io/native-tls/0.2.8 \
+    crate://crates.io/miniz_oxide/0.5.3 \
+    crate://crates.io/mio/0.8.4 \
+    crate://crates.io/native-tls/0.2.10 \
     crate://crates.io/new_debug_unreachable/1.0.4 \
-    crate://crates.io/nix/0.23.1 \
-    crate://crates.io/ntapi/0.3.7 \
+    crate://crates.io/nix/0.24.2 \
     crate://crates.io/num-bigint/0.4.3 \
-    crate://crates.io/num-integer/0.1.44 \
-    crate://crates.io/num-traits/0.2.14 \
+    crate://crates.io/num-integer/0.1.45 \
+    crate://crates.io/num-traits/0.2.15 \
     crate://crates.io/num_cpus/1.13.1 \
-    crate://crates.io/oauth2/4.1.0 \
-    crate://crates.io/object/0.27.1 \
-    crate://crates.io/once_cell/1.9.0 \
+    crate://crates.io/oauth2/4.2.3 \
+    crate://crates.io/object/0.29.0 \
+    crate://crates.io/once_cell/1.13.0 \
     crate://crates.io/opaque-debug/0.3.0 \
-    crate://crates.io/openidconnect/2.2.0 \
+    crate://crates.io/openidconnect/2.3.2 \
+    crate://crates.io/openssl-macros/0.1.0 \
     crate://crates.io/openssl-probe/0.1.5 \
-    crate://crates.io/openssl-src/111.17.0+1.1.1m \
-    crate://crates.io/openssl-sys/0.9.72 \
-    crate://crates.io/openssl/0.10.38 \
-    crate://crates.io/ordered-float/1.1.1 \
+    crate://crates.io/openssl-src/111.25.0+1.1.1t \
+    crate://crates.io/openssl-sys/0.9.75 \
+    crate://crates.io/openssl/0.10.41 \
+    crate://crates.io/ordered-float/2.10.0 \
     crate://crates.io/oso/0.12.4 \
-    crate://crates.io/parking_lot/0.11.2 \
-    crate://crates.io/parking_lot_core/0.8.5 \
+    crate://crates.io/parking_lot/0.12.1 \
+    crate://crates.io/parking_lot_core/0.9.3 \
     crate://crates.io/pbkdf2/0.7.5 \
     crate://crates.io/percent-encoding/2.1.0 \
-    crate://crates.io/petgraph/0.5.1 \
+    crate://crates.io/petgraph/0.6.2 \
     crate://crates.io/phf_shared/0.10.0 \
     crate://crates.io/pico-args/0.4.2 \
-    crate://crates.io/pin-project-lite/0.2.8 \
+    crate://crates.io/pin-project-lite/0.2.9 \
     crate://crates.io/pin-utils/0.1.0 \
-    crate://crates.io/pkg-config/0.3.24 \
+    crate://crates.io/pkg-config/0.3.25 \
     crate://crates.io/polar-core/0.12.4 \
     crate://crates.io/ppv-lite86/0.2.16 \
     crate://crates.io/precomputed-hash/0.1.1 \
-    crate://crates.io/priority-queue/1.2.1 \
-    crate://crates.io/proc-macro2/1.0.36 \
-    crate://crates.io/quick-xml/0.22.0 \
-    crate://crates.io/quote/1.0.15 \
+    crate://crates.io/priority-queue/1.2.2 \
+    crate://crates.io/proc-macro2/1.0.40 \
+    crate://crates.io/quick-xml/0.23.0 \
+    crate://crates.io/quote/1.0.20 \
+    crate://crates.io/r2d2/0.8.10 \
     crate://crates.io/rand/0.8.5 \
     crate://crates.io/rand_chacha/0.3.1 \
     crate://crates.io/rand_core/0.6.3 \
-    crate://crates.io/redox_syscall/0.2.10 \
-    crate://crates.io/redox_users/0.4.0 \
+    crate://crates.io/redox_syscall/0.2.13 \
+    crate://crates.io/redox_users/0.4.3 \
     crate://crates.io/regex-automata/0.1.10 \
-    crate://crates.io/regex-syntax/0.6.25 \
-    crate://crates.io/regex/1.5.5 \
+    crate://crates.io/regex-syntax/0.6.27 \
+    crate://crates.io/regex/1.6.0 \
     crate://crates.io/remove_dir_all/0.5.3 \
-    crate://crates.io/reqwest/0.11.9 \
+    crate://crates.io/reqwest/0.11.11 \
     crate://crates.io/ring/0.16.20 \
     crate://crates.io/rle-decode-fast/1.0.3 \
+    crate://crates.io/routecore/0.2.0 \
     crate://crates.io/rpassword/5.0.1 \
-    crate://crates.io/rpki/0.13.2 \
+    crate://crates.io/rpki/0.15.8 \
     crate://crates.io/rustc-demangle/0.1.21 \
-    crate://crates.io/rustc_version/0.2.3 \
+    crate://crates.io/rustc_version/0.4.0 \
     crate://crates.io/rustls/0.19.1 \
-    crate://crates.io/rustversion/1.0.6 \
-    crate://crates.io/ryu/1.0.9 \
+    crate://crates.io/rustversion/1.0.8 \
+    crate://crates.io/ryu/1.0.10 \
     crate://crates.io/salsa20/0.7.2 \
-    crate://crates.io/schannel/0.1.19 \
+    crate://crates.io/schannel/0.1.20 \
+    crate://crates.io/scheduled-thread-pool/0.2.6 \
     crate://crates.io/scopeguard/1.1.0 \
+    crate://crates.io/scratch/1.0.2 \
     crate://crates.io/scrypt/0.6.5 \
     crate://crates.io/sct/0.6.1 \
     crate://crates.io/security-framework-sys/2.6.1 \
     crate://crates.io/security-framework/2.6.1 \
-    crate://crates.io/semver-parser/0.7.0 \
-    crate://crates.io/semver/0.9.0 \
-    crate://crates.io/serde-value/0.6.0 \
-    crate://crates.io/serde/1.0.136 \
-    crate://crates.io/serde_derive/1.0.136 \
-    crate://crates.io/serde_json/1.0.79 \
+    crate://crates.io/semver/1.0.12 \
+    crate://crates.io/serde-value/0.7.0 \
+    crate://crates.io/serde/1.0.139 \
+    crate://crates.io/serde_bytes/0.11.6 \
+    crate://crates.io/serde_derive/1.0.139 \
+    crate://crates.io/serde_json/1.0.82 \
     crate://crates.io/serde_path_to_error/0.1.7 \
     crate://crates.io/serde_urlencoded/0.7.1 \
+    crate://crates.io/sha2/0.10.2 \
     crate://crates.io/sha2/0.9.9 \
     crate://crates.io/sharded-slab/0.1.4 \
-    crate://crates.io/siphasher/0.3.9 \
-    crate://crates.io/slab/0.4.5 \
+    crate://crates.io/signal-hook-registry/1.4.0 \
+    crate://crates.io/siphasher/0.3.10 \
+    crate://crates.io/slab/0.4.6 \
     crate://crates.io/slug/0.1.4 \
-    crate://crates.io/smallvec/1.8.0 \
+    crate://crates.io/smallvec/1.9.0 \
     crate://crates.io/socket2/0.4.4 \
     crate://crates.io/spin/0.5.2 \
-    crate://crates.io/string_cache/0.8.3 \
+    crate://crates.io/string_cache/0.8.4 \
     crate://crates.io/strsim/0.8.0 \
     crate://crates.io/subtle/2.4.1 \
-    crate://crates.io/syn/1.0.86 \
+    crate://crates.io/syn/1.0.98 \
     crate://crates.io/syslog/4.0.1 \
+    crate://crates.io/target-lexicon/0.12.4 \
     crate://crates.io/tempfile/3.3.0 \
     crate://crates.io/term/0.7.0 \
+    crate://crates.io/termcolor/1.1.3 \
     crate://crates.io/textwrap/0.11.0 \
-    crate://crates.io/thiserror-impl/1.0.30 \
-    crate://crates.io/thiserror/1.0.30 \
+    crate://crates.io/thiserror-impl/1.0.31 \
+    crate://crates.io/thiserror/1.0.31 \
     crate://crates.io/thread_local/1.1.4 \
-    crate://crates.io/time/0.1.43 \
+    crate://crates.io/time/0.1.44 \
     crate://crates.io/tiny-keccak/2.0.2 \
     crate://crates.io/tiny_http/0.8.2 \
-    crate://crates.io/tinyvec/1.5.1 \
+    crate://crates.io/tinyvec/1.6.0 \
     crate://crates.io/tinyvec_macros/0.1.0 \
-    crate://crates.io/tokio-macros/1.7.0 \
+    crate://crates.io/tokio-macros/1.8.0 \
     crate://crates.io/tokio-native-tls/0.3.0 \
     crate://crates.io/tokio-rustls/0.22.0 \
-    crate://crates.io/tokio-util/0.6.9 \
-    crate://crates.io/tokio/1.17.0 \
-    crate://crates.io/toml/0.5.8 \
-    crate://crates.io/tower-service/0.3.1 \
-    crate://crates.io/tracing-attributes/0.1.19 \
-    crate://crates.io/tracing-core/0.1.22 \
-    crate://crates.io/tracing-log/0.1.2 \
+    crate://crates.io/tokio-util/0.7.3 \
+    crate://crates.io/tokio/1.20.4 \
+    crate://crates.io/toml/0.5.9 \
+    crate://crates.io/tower-service/0.3.2 \
+    crate://crates.io/tracing-attributes/0.1.22 \
+    crate://crates.io/tracing-core/0.1.28 \
+    crate://crates.io/tracing-log/0.1.3 \
     crate://crates.io/tracing-serde/0.1.3 \
     crate://crates.io/tracing-subscriber/0.2.25 \
-    crate://crates.io/tracing/0.1.31 \
+    crate://crates.io/tracing/0.1.35 \
+    crate://crates.io/trait-set/0.2.0 \
     crate://crates.io/try-lock/0.2.3 \
     crate://crates.io/typenum/1.15.0 \
-    crate://crates.io/unicode-bidi/0.3.7 \
-    crate://crates.io/unicode-normalization/0.1.19 \
+    crate://crates.io/unicode-bidi/0.3.8 \
+    crate://crates.io/unicode-ident/1.0.2 \
+    crate://crates.io/unicode-normalization/0.1.21 \
     crate://crates.io/unicode-width/0.1.9 \
-    crate://crates.io/unicode-xid/0.2.2 \
+    crate://crates.io/unicode-xid/0.2.3 \
     crate://crates.io/untrusted/0.7.1 \
     crate://crates.io/url/2.2.2 \
     crate://crates.io/urlparse/0.7.3 \
-    crate://crates.io/uuid/0.8.2 \
+    crate://crates.io/uuid/1.1.2 \
     crate://crates.io/valuable/0.1.0 \
     crate://crates.io/vcpkg/0.2.15 \
     crate://crates.io/vec_map/0.8.2 \
     crate://crates.io/version_check/0.9.4 \
     crate://crates.io/want/0.3.0 \
-    crate://crates.io/wasi/0.10.2+wasi-snapshot-preview1 \
-    crate://crates.io/wasm-bindgen-backend/0.2.79 \
-    crate://crates.io/wasm-bindgen-futures/0.4.29 \
-    crate://crates.io/wasm-bindgen-macro-support/0.2.79 \
-    crate://crates.io/wasm-bindgen-macro/0.2.79 \
-    crate://crates.io/wasm-bindgen-shared/0.2.79 \
-    crate://crates.io/wasm-bindgen/0.2.79 \
-    crate://crates.io/web-sys/0.3.56 \
+    crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
+    crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1 \
+    crate://crates.io/wasm-bindgen-backend/0.2.81 \
+    crate://crates.io/wasm-bindgen-futures/0.4.31 \
+    crate://crates.io/wasm-bindgen-macro-support/0.2.81 \
+    crate://crates.io/wasm-bindgen-macro/0.2.81 \
+    crate://crates.io/wasm-bindgen-shared/0.2.81 \
+    crate://crates.io/wasm-bindgen/0.2.81 \
+    crate://crates.io/web-sys/0.3.58 \
     crate://crates.io/webpki/0.21.4 \
     crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
+    crate://crates.io/winapi-util/0.1.5 \
     crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
     crate://crates.io/winapi/0.3.9 \
-    crate://crates.io/winreg/0.7.0 \
-    crate://crates.io/xml-rs/0.8.4 \
+    crate://crates.io/windows-sys/0.36.1 \
+    crate://crates.io/windows_aarch64_msvc/0.36.1 \
+    crate://crates.io/windows_i686_gnu/0.36.1 \
+    crate://crates.io/windows_i686_msvc/0.36.1 \
+    crate://crates.io/windows_x86_64_gnu/0.36.1 \
+    crate://crates.io/windows_x86_64_msvc/0.36.1 \
+    crate://crates.io/winreg/0.10.1 \
 "
diff --git a/meta-security/recipes-security/krill/krill_0.9.6.bb b/meta-security/recipes-security/krill/krill_0.12.3.bb
similarity index 95%
rename from meta-security/recipes-security/krill/krill_0.9.6.bb
rename to meta-security/recipes-security/krill/krill_0.12.3.bb
index fd86c4b..a943c52 100644
--- a/meta-security/recipes-security/krill/krill_0.9.6.bb
+++ b/meta-security/recipes-security/krill/krill_0.12.3.bb
@@ -7,7 +7,7 @@
 
 # SRC_URI += "crate://crates.io/krill/0.9.1"
 SRC_URI = "git://github.com/NLnetLabs/krill.git;protocol=https;branch=main"
-SRCREV = "95e6681d5b4024cac7a1892d47fb76abc68f34fb"
+SRCREV = "e92098419c7ad82939e0483bc76df21eff705b80"
 SRC_URI += "file://panic_workaround.patch"
 
 include krill.inc
diff --git a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.11.bb
similarity index 88%
rename from meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
rename to meta-security/recipes-security/libmspack/libmspack_1.11.bb
index 1b91f46..59df84b 100644
--- a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_1.11.bb
@@ -6,7 +6,7 @@
 
 LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
 
-SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
+SRCREV = "305907723a4e7ab2018e58040059ffb5e77db837"
 SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
 
 inherit autotools
diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index 658018b..a1d7738 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -10,6 +10,6 @@
 #
 # This .wks only works with the dm-verity-img class.
 
-part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --size 16 --sourceparams="loader=u-boot" --use-uuid
+part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
 part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
 bootloader --append="console=ttyS0,115200"
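Review bot: The `/boot` entry switches from `--size 16` to `--fixed-size 32` with no comment explaining why. With a fixed size, wic stops with an error when the boot files do not fit, where it would otherwise grow the partition. A line above `part /boot` such as `# fixed-size: image build fails if boot files exceed 32M` would tell the next maintainer that the limit is deliberate.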