subtree updates
meta-arm: 3fcafa3a94..d6fac49541:
Abdellatif El Khlifi (1):
arm-bsp/u-boot: corstone1000: upgrade NVMXIP support
Denys Dmytriyenko (1):
optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y
Emekcan Aras (8):
arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
arm-bsp/trusted-services: corstone1000: Fix Capsule Update
arm-bsp/trusted-firmware-a: corstone1000: Fix Trusted-Firmware-A version for corstone1000
Jon Mason (3):
trusted-firmware-a: update to the latest TF-A LTS
arm-bsp/tc1: update to use the latest tf-a
arm/scp-firmware: update to v2.12.0
Khem Raj (2):
gn: update to latest
gn: Fix build with gcc13
Ross Burton (8):
arm/trusted-firmware-m: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-bsp/external-system: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-toolchain/external-arm: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm/scp-firmware: use concerete toolchain
arm-toolchain/gcc-arm-12.2: remove
arm/gn: fix build with GCC <13
CI: always put the build logs in an artifact
CI: print the name of the documentation when building
Sumit Garg (1):
external-arm-toolchain: Enforce absolute path check
meta-openembedded: def4759e95..2638d458a5:
Adrian Zaharia (2):
meta-python: Add stopit
python3-stopit: add missing run-time dependencies
Alex Kiernan (1):
ostree: Upgrade 2023.3 -> 2023.4
Bartosz Golaszewski (55):
python3-pywbemtools: remove build-time dependencies
python3-pywbem: drop unneeded class from RDEPENDS
python3-pywbem: don't use PYTHON_PN
python3-pywbem: order RDEPENDS alphabetically
python3-pywbem: add missing run-time dependencies
python3-padatious: add missing run-time dependencies
python3-pako: add missing run-time dependencies
python3-paramiko: stop using PYTHON_PN
python3-paramiko: add missing run-time dependencies
python3-path: fix coding style
python3-path: add missing run-time dependencies
python3-ecdsa: don't install tests
python3-et-xmlfile: fix coding style
python3-et-xmlfile: add missing run-time dependencies
python3-flask-user: fix coding style
python3-flask-user: add missing run-time dependencies
python3-isort: fix coding style
python3-isort: add missing run-time dependencies
python3-isodate: stop using PYTHON_PN
python3-isodate: add missing run-time dependencies
python-idna-ssl: add missing run-time dependencies
python3-hpack: add missing run-time dependencies
python3-h11: add missing run-time dependencies
python3-gsocketpool: drop unneeded DEPENDS
python3-gsocketpool: stop using PYTHON_PN
python3-gsocketpool: add missing run-time dependencies
python3-flask-mail: stop using PYTHON_PN
python3-flask-mail: add missing run-time dependencies
python3-flask-sijax: stop using PYTHON_PN
python3-flask-sijax: add missing run-time dependencies
python3-flask-script: remove recipe
python3-aioserial: fix coding style
python3-aioserial: add missing run-time dependencies
python3-aspectlib: add missing run-time dependencies
python3-asyncio-throttle: add missing run-time dependencies
python3-attrdict3: add missing run-time dependencies
python3-betamax: add missing run-time dependencies
python3-binwalk: add missing run-time dependencies
python3-can: fix coding style
python3-can: add missing run-time dependencies
python3-click-spinner: add missing run-time dependencies
python3-colorlog: add missing run-time dependencies
python3-colorzero: add missing run-time dependencies
python3-configobj: fix coding style
python3-configobj: add missing run-time dependencies
python3-configshell-fb: add missing run-time dependencies
python3-coverage: fix coding style and RDEPENDS
python3-custom-inherit: add missing run-time dependencies
python3-dateparser: fix coding style
python3-dateparser: add missing run-time dependencies
python3-tzlocal: fix coding style
python3-tzlocal: add missing run-time dependencies
python3-dbus-next: add missing run-time dependencies
python3-defusedxml: add missing run-time dependencies
python3-setuptools-scm-git-archive: add missing run-time dependencies
Beniamin Sandu (5):
lmsensors: do not pull in unneeded perl modules for run-time dependencies
mdns: remove unneeded headers
mbedtls: add support for v3.x
rasdaemon: upgrade to 0.8.0
unbound: add option to build with libevent
Chen Qi (1):
redis: use the files path correctly
Denys Dmytriyenko (1):
grpc: point to the native protobuf compiler binary
Enguerrand de Ribaucourt (4):
cukinia: remove trailing whitespaces
cukinia: upgrade 0.6.1 -> 0.6.2
cukinia: inherit allarch
cukinia: add libgpiod-tools to RRECOMMENDS
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.18 -> 0.0.19
Joe Slater (2):
libgpiod: modify test 'gpioset: toggle (continuous)'
python3-sqlparse: fix CVE-2023-30608
Johannes Kauffmann (3):
open62541: add multithreading PACKAGECONFIG option
open62541: allow disabling subscriptions
ntpd: switch service type from forking to simple
Khem Raj (16):
ply: Demand BFD linker explicitly
crucible: Upgrade to 2023.04.12 release
schroedinger: Fix building tests
fwts: Fix build issues found with lld linker
xfce4-sensors-plugin: Use bfd linker instead of lld
ostree: Fix build errors found with lld linker
spice-gtk: Fix build with lld linker
sblim-sfcb: Fix build with lld linker
libtracefs: Fix build with clang+musl
gosu: Upgrade to 1.16 release
layers: Move READMEs to markdown format
xdg-desktop-portal-wlr: Fix build with older mesa
geary: Fix build with vala >= 0.56.8
libforms: Replace hardcoded dep on mesa with virtual/libgl
syzkaller: Upgrade to latest tip of trunk
ristretto: Upgrade to 0.13.1 release
Markus Volk (1):
gnome-software: upgrade 44.1 -> 44.2
Martin Jansa (5):
asio: fix malformed Upstream-Status
libgpiod: fix malformed Upstream-Status
postfix: fix malformed Upstream-Status
*.patch: add Upstream-Status to all patches
postfix: remove 2nd Upstream-Status
Michael Heimpold (1):
php: drop explicite ARM_INSTRUCTION_SET
Patrick Williams (1):
libplist_2.3.0: compile fix for version
Peter Kjellerstedt (1):
glog: Correct the packaging of /usr/share/glog/cmake/FindUnwind.cmake
Peter Marko (1):
python3-stopit: fix override syntax
Randolph Sapp (1):
opengl-es-cts: 3.2.8.0 -> 3.2.9.3
Remi Peuvergne (2):
zeromq: consider license exception over LGPL-3.0
zeromq: consider license exception over LGPL-3.0
Sandeep Gundlupet Raju (1):
opencv: Revert fix runtime dependencies
Soumya (1):
opencv: Fix for CVE-2023-2617
Wang Mingyu (57):
ctags: upgrade 6.0.20230604.0 -> 6.0.20230611.0
gjs: upgrade 1.76.0 -> 1.76.1
ipcalc: upgrade 1.0.2 -> 1.0.3
libadwaita: upgrade 1.3.2 -> 1.3.3
libjcat: upgrade 0.1.13 -> 0.1.14
libqb: upgrade 2.0.6 -> 2.0.7
mbpoll: upgrade 1.5.0 -> 1.5.2
mpich: upgrade 4.1.1 -> 4.1.2
nautilus: upgrade 44.2 -> 44.2.1
ntp: upgrade 4.2.8p16 -> 4.2.8p17
python3-eth-account: upgrade 0.8.0 -> 0.9.0
python3-eth-hash: upgrade 0.5.1 -> 0.5.2
python3-eth-typing: upgrade 3.3.0 -> 3.4.0
python3-eth-utils: upgrade 2.1.0 -> 2.1.1
python3-platformdirs: upgrade 3.5.1 -> 3.5.3
pcsc-lite: upgrade 1.9.9 -> 2.0.0
php: upgrade 8.2.6 -> 8.2.7
python3-argcomplete: upgrade 3.0.8 -> 3.1.0
python3-autobahn: upgrade 23.1.2 -> 23.6.1
python3-cassandra-driver: upgrade 3.27.0 -> 3.28.0
python3-cmake: upgrade 3.26.3 -> 3.26.4
python3-django: upgrade 4.2.1 -> 4.2.2
python3-hexbytes: upgrade 0.3.0 -> 0.3.1
python3-imageio: upgrade 2.30.0 -> 2.31.0
python3-pykickstart: upgrade 3.47 -> 3.48
python3-pymisp: upgrade 2.4.171 -> 2.4.172
python3-pymodbus: upgrade 3.3.0 -> 3.3.1
python3-sentry-sdk: upgrade 1.25.0 -> 1.25.1
python3-websocket-client: upgrade 1.5.2 -> 1.5.3
python3-zeroconf: upgrade 0.63.0 -> 0.64.1
remmina: upgrade 1.4.30 -> 1.4.31
tio: upgrade 2.5 -> 2.6
libtracefs: upgrade 1.6.4 -> 1.7.0
adw-gtk3: upgrade 4.7 -> 4.8
evince: upgrade 44.1 -> 44.2
gensio: upgrade 2.6.5 -> 2.6.6
redis-plus-plus: upgrade 1.3.8 -> 1.3.9
python3-click-repl: upgrade 0.2.0 -> 0.3.0
python3-platformdirs: upgrade 3.5.3 -> 3.6.0
python3-pytest-mock: upgrade 3.10.0 -> 3.11.1
python3-croniter: upgrade 1.3.15 -> 1.4.1
python3-elementpath: upgrade 4.1.2 -> 4.1.3
python3-google-api-core: upgrade 2.11.0 -> 2.11.1
python3-google-api-python-client: upgrade 2.88.0 -> 2.89.0
python3-googleapis-common-protos: upgrade 1.59.0 -> 1.59.1
python3-google-auth: upgrade 2.19.1 -> 2.20.0
python3-imageio: upgrade 2.31.0 -> 2.31.1
python3-protobuf: upgrade 4.23.2 -> 4.23.3
python3-pyproj: upgrade 3.5.0 -> 3.6.0
python3-rich: upgrade 13.4.1 -> 13.4.2
python3-robotframework: upgrade 6.0.2 -> 6.1
python3-ujson: upgrade 5.7.0 -> 5.8.0
python3-xmlschema: upgrade 2.3.0 -> 2.3.1
python3-xmodem: upgrade 0.4.6 -> 0.4.7
python3-zeroconf: upgrade 0.64.1 -> 0.68.0
strongswan: upgrade 5.9.10 -> 5.9.11
rdfind: upgrade 1.5.0 -> 1.6.0
Xiangyu Chen (1):
meta-oe: add pahole to NON_MULTILIB_RECIPES
Zoltán Böszörményi (3):
mpich: Upgrade to 4.1.1
python3-meson-python: New recipe
python_mesonpy: New class
poky: 00f3d58064..13b646c0e1:
Adrian Freihofer (9):
runqemu-ifup: remove uid parameter
runqemu-ifup: configurable tap names
runqemu-ifup: fix tap index
runqemu-ifup: remove only our taps
runqemu-gen-tapdevs: remove staging dir parameter
runqemu-gen-tapdevs: remove uid parameter
runqemu-gen-tapdevs: configurable tap names
runqemu-gen-tapdevs: remove only our taps
runqemu: configurable tap names
Alberto Planas (2):
bitbake.conf: add unzstd in HOSTTOOLS
rpm2cpio.sh: update to the last 4.x version
Alejandro Hernandez Samaniego (2):
baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
runqemu: Stop passing bindir to the runqemu-ifup call
Alex Kiernan (1):
eudev: Upgrade 3.2.11 -> 3.2.12
Alexander Kanavin (60):
scripts/runqemu: split lock dir creation into a reusable function
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
apmd: remove recipe and apm MACHINE_FEATURE
qemu: a pending patch was submitted and accepted upstream
maintainers.inc: unassign Adrian Bunk from wireless-regdb
maintainers.inc: unassign Alistair Francis from opensbi
maintainers.inc: unassign Chase Qi from libc-test
maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
maintainers.inc: unassign Ricardo Neri from ovmf
grub: submit determinism.patch upstream
apr: upgrade 1.7.3 -> 1.7.4
at-spi2-core: upgrade 2.48.0 -> 2.48.3
btrfs-tools: upgrade 6.3 -> 6.3.1
attr: package /etc/xattr.conf with the library that consumes it
glib-2.0: backport a patch to address ptest fails caused by coreutils 9.2+
diffoscope: upgrade 236 -> 242
dnf: upgrade 4.14.0 -> 4.16.1
ethtool: upgrade 6.2 -> 6.3
gawk: upgrade 5.2.1 -> 5.2.2
strace: upgrade 6.2 -> 6.3
coreutils: upgrade 9.1 -> 9.3
gnupg: upgrade 2.4.0 -> 2.4.2
gobject-introspection: upgrade 1.74.0 -> 1.76.1
kmscube: upgrade to latest revision
libmodulemd: upgrade 2.14.0 -> 2.15.0
libuv: license file was split in two in the 1.45.0 version update
libx11: upgrade 1.8.4 -> 1.8.5
libxslt: upgrade 1.1.37 -> 1.1.38
linux-firmware: upgrade 20230404 -> 20230515
ltp: upgrade 20230127 -> 20230516
mesa: upgrade 23.0.3 -> 23.1.1
meson: upgrade 1.1.0 -> 1.1.1
mmc-utils: upgrade to latest revision
nettle: upgrade 3.8.1 -> 3.9
nghttp2: upgrade 1.52.0 -> 1.53.0
parted: upgrade 3.5 -> 3.6
puzzles: upgrade to latest revision
python3: upgrade 3.11.2 -> 3.11.3
python3-certifi: upgrade 2022.12.7 -> 2023.5.7
python3-docutils: upgrade 0.19 -> 0.20.1
python3-flit-core: upgrade 3.8.0 -> 3.9.0
python3-importlib-metadata: upgrade 6.2.0 -> 6.6.0
python3-pyasn1: upgrade 0.4.8 -> 0.5.0
python3-pyopenssl: upgrade 23.1.1 -> 23.2.0
python3-sphinx: remove BSD-3-Clause from LICENSE
serf: upgrade 1.3.9 -> 1.3.10
shaderc: upgrade 2023.2 -> 2023.4
squashfs-tools: upgrade 4.5.1 -> 4.6.1
vala: upgrade 0.56.6 -> 0.56.8
vulkan: upgrade 1.3.243.0 -> 1.3.250.0
wget: upgrade 1.21.3 -> 1.21.4
wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
xf86-input-libinput: upgrade 1.2.1 -> 1.3.0
xf86-input-mouse: upgrade 1.9.4 -> 1.9.5
zstd: upgrade 1.5.4 -> 1.5.5
gdb: upgrade 13.1 -> 13.2
libxcrypt: upgrade 4.4.33 -> 4.4.34
zstd: fix a reproducibility issue in 1.5.5
sysfsutils: fetch a supported fork from github
sysfsutils: update 2.1.0 -> 2.1.1
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Alexis Lothoré (3):
oeqa/core/runner: add helper to know about expected failures
oeqa/target/ssh: update options for SCP
testimage: implement test artifacts retriever for failing tests
Anuj Mittal (1):
glib-2.0: upgrade 2.76.2 -> 2.76.3
BELOUARGA Mohamed (1):
meta: lib: oe: npm_registry: Add more safe caracters
Bruce Ashfield (4):
linux-yocto/6.1: update to v6.1.33
linux-yocto/6.1: fix intermittent x86 boot hangs
linux-yocto/6.1: update to v6.1.34
linux-yocto/6.1: update to v6.1.35
Charlie Wu (1):
devtool: Fix the wrong variable in srcuri_entry
Chen Qi (7):
sdk.py: error out when moving file fails
sdk.py: fix moving dnf contents
rpm: write macros under libdir
zip: fix configure check by using _Static_assert
zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
unzip: fix configure check for cross compilation
unzip: remove hardcoded LARGE_FILE_SUPPORT
Denys Dmytriyenko (1):
binutils: move packaging of gprofng static lib into common .inc
Ed Beroset (1):
Add clarification for SRCREV
Fabien Mahot (2):
useradd-example: package typo correction
oeqa/selftest/bbtests: add non-existent prefile/postfile tests
Hannu Lounento (1):
profile-manual: fix blktrace remote usage instructions
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jermain Horsman (1):
logrotate: Do not create logrotate.status file
Jose Quaresma (1):
selftest/reproducible: Allow chose the package manager
Jörg Sommer (2):
runqemu-gen-tapdevs: Refactoring
runqemu-ifupdown/get-tapdevs: Add support for ip tuntap
Khem Raj (12):
llvm: Upgrade to 16.0.5
glibc: Pass linker choice via compiler flags
libgcc: Always use BFD linker
efivar: Upgrade to tip of trunk
babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
kernel: Add kernel specific STRIP variable
libxml2: Do not use lld linker when building with tests on rv64
llvm: Bump to 16.0.6
go-helloworld: Upgrade to tip of trunk
rpcsvc-proto: Upgrade to 1.4.4
python3-bcrypt: Use BFD linker when building tests
Louis Rannou (3):
rootfs-postcommands: change sysusers.d command
systemd: replace the sysusers.d basic configuration
base-passwd: add the wheel group
Luca Ceresoli (1):
ref-manual: classes: devicetree: fix sentence saying the same thing twice
Markus Volk (2):
gtk4: upgrade 4.10.3 -> 4.10.4
gstreamer1.0-plugins-bad: use oneVPL instead of intel-mediasdk for msdk
Martin Jansa (1):
libstd-rs, rust: use bfd linker instead of gold
Michael Opdenacker (5):
psplash: replace Yocto .h by .png splashscreen
migration-guides: release-notes-4.3: update documentation notes
bitbake: bitbake-user-manual: explicit variables taking a colon separated list
bitbake: bitbake-user-manual: revert change about PREFERRED_PROVIDERS
ref-manual: variables.rst: explicit variables accepting colon separated lists
Mikko Rapeli (4):
useradd-staticids.bbclass: improve error message
selftest reproducible.py: support different build targets
variables.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
reproducible-builds.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
Ming Liu (2):
weston-init: introduce xwayland PACKAGECONFIG
meta: introduce KCONFIG_CONFIG_ENABLE_MENUCONFIG
Mingli Yu (2):
qemu: Split the qemu package
u-boot-tools: Use PATH_MAX for path length
Petr Gotthard (1):
lighttpd: upgrade 1.4.69 -> 1.4.71
Quentin Schulz (5):
bitbake: docs: bitbake-user-manual: bitbake-user-manual-hello: add links and highlights for variables
docs: bsp-guide: bsp: fix typo
docs: ref-manual: terms: fix typos in SPDX term
docs: fix unnecessary double white space
docs: ref-manual: terms: fix incorrect note directive
Randolph Sapp (6):
weston-init: make sure the render group exists
weston-init: add weston user to the render group
weston-init: add the weston user to the wayland group
weston-init: fix the mixed indentation
weston-init: guard against systemd configs
weston-init: add profile to point users to global socket
Remi Peuvergne (1):
common-licenses: Add LGPL-3.0-with-zeromq-exception
Richard Purdie (18):
runqemu/qemu-helper: Drop tunctl
runqemu-if*: Rename confusing variable name
oeqa/selftest/oescripts: Fix qemu-helper selftest
oeqa/logparser: Fix ptest No-section exception
strace: Disable failing test
strace: Merge two similar patches
testimage: Only note missing target directories, don't warn
ptest-runner: Pull in sync fix to improve log warnings
scripts/runqemu-ifup: Fix extra parameter issue
scripts/runqemu-ifup: Fix 10 or more tap devices
bitbake: runqueue: Fix handling of virtual files in layername calculation
ptest-runner: Ensure data writes don't race
bitbake.conf: Add layer-<layername> override support
insane: Improve patch-status layer filtering
genericx86: Drop gma500-gfx-check
bitbake: doc: Document FILE_LAYERNAME
migration-guides: add notes on FILE_LAYERNAME
migration-guides: add notes on systemd/usrmerge changes
Ross Burton (15):
nettle: rewrite ptest integration
nettle: inherit lib_package
cve-extra-exclusions: add more ignores for 2023 kernel CVEs
cve-extra-exclusions: remove 2019 blanket ignores
poky-altconfig: enable usrmerge DISTRO_FEATURE
gi-docgen: correct comment
gobject-introspection: remove obsolete DEPENDS
coreutils: fix build when the host has fr_FR.
cve-extra-exclusions: call out an Ubuntu-specific issue explicitly
cve-extra-exclusions: CVE-2023-3141 was backported in Linux 6.1.30
erofs-utils: backport fixes for CVE-2023-33551 and CVE-2023-33552
ghostscript: mostly rewrite recipe
python3-dbusmock: only recommend python3-pygobject
sysfsutils: don't install to base_libdir
base: improve LICENSE_FLAGS_DETAILS output
Sakib Sajal (1):
go: Upgrade 1.20.4 -> 1.20.5
Soumya (1):
perl: fix CVE-2023-31484
Stefano Babic (2):
libubootenv: upgrade 0.3.3 -> 0.3.4
mtd-utils: export headers and libraries for MTD and UBI
Sudip Mukherjee (2):
dpkg: upgrade to v1.21.22
cmake: upgrade to v3.26.4
Tan Wen Yan (1):
linux-yocto/6.1: update genericx86* machines to v6.1.30
Tom Hochstein (1):
weston: Cleanup and fix x11 and xwayland dependencies
Trevor Gamblin (2):
runqemu-gen-tapdevs: fix missing variable quote
glib-networking: use correct error code in ptest
Vincent Davis Jr (4):
spirv-tools: fix INTERFACE_LINK_LIBRARIES cmake prop
vulkan-validation-layers: add new recipe v1.3.243.0
spirv-tools: Use baselib instead of base_libdir
vulkan-validation-layers: cleanup recipe
Xiangyu Chen (1):
dbus: upgrade 1.14.6 -> 1.14.8
nikhil (1):
libwebp: Fix CVE-2023-1999
schitrod=cisco.com@lists.openembedded.org (1):
cups: Fix CVE-2023-32324
meta-security: 180dac9aec..405cca4028:
Ahmed Abdelfattah (1):
swtpm: fix parser error when using USERADDEXTENSION="useradd-staticids"
Armin Kuster (25):
scap-security-guide: update to 0.1.67
scap-security-guide: update to tip
scap-security-guide_git: drop oe version
openscap-daemon: This is now obsolete
oe-scap: Not maintained nor upstreamed
openscap: Fix native build missing depends
openscap: Drop OE specific recipe
lynis: move to main meta-security layer
openscap: move to main meta-security layer
meta-security-compliance: remove layer
openscap: add support for OpenEmbedded nodistro and Poky
scap-security-guide: add OE support
packagegroup-core-security: add compliance pkg group
kas: ci changes do to meta-security-compliance being removed
meta-security-isafw: drop layer isafw project archived
openscap: Update to tip to get OE/Poky support
scap-security-guide: bump the number of test that pass
clamav: drop unused patch
isic: fine tune Upstream-Status
scap-security-guide: Add Poky
arpwatch: Fix typo in COMPATIBLE_HOST:libc-musl = "null"
scap-security-guide: add Upstream-Status
scap-security-guide: Does not build for musl
openscap: update to 1.3.8
packagegroup-core-security: add os-release
Chen Qi (1):
complicance/isafw: remove oeqa addpylib
Kevin Hao (1):
dmverity: Suppress the realpath errors
Martin Jansa (5):
*.patch: add Upstream-Status to all patches
meta-tpm: *.patch: fix malformed Upstream-Status lines
dynamic-layers: *.patch: fix malformed and missing Upstream-Status lines
*.patch: fix malformed Upstream-Status and SOB lines
.patch: remove probably unused patches
Paul Gortmaker (7):
dm-verity: add descriptive strings for "wic list images"
dm-verity: restructure the veritysetup arg parsing
dm-verity: save veritysetup args beside runtime environment
dm-verity: add support for hash storage on separate partition
dm-verity: add wks.in fragment with dynamic build hash data
dm-verity: hook separate hash into initramfs framework
dm-verity: add sample systemd separate hash example and doc
Samantha Jalabert (1):
buck-security: fix missing dependencies to perl modules
meta-raspberrypi: 8e07f0d328..dff85b9a9f:
Khem Raj (1):
linux-raspberrypi-6.1: Update to 6.1.34 release
Martin Jansa (1):
*.patch: add Upstream-Status to all patches
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: If34dfa008a81d778c7bc02627388238f5125d85c
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index d809985..045c860 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -10,11 +10,22 @@
# assure data integrity, the root hash must be stored in a trusted location
# or cryptographically signed and verified.
#
+# Optionally, we can store the hash data on a separate device or partition
+# for improved compartmentalization and ease of use/deployment.
+#
# Usage:
# DM_VERITY_IMAGE = "core-image-full-cmdline" # or other image
# DM_VERITY_IMAGE_TYPE = "ext4" # or ext2, ext3 & btrfs
+# DM_VERITY_SEPARATE_HASH = "1" # optional; store hash on separate dev
# IMAGE_CLASSES += "dm-verity-img"
#
+# Using the GPT UUIDs specified in the standard can also be useful in that
+# they are displayed and translated in cfdisk output.
+#
+# DM_VERITY_ROOT_GUID = <UUID for your architecture and root-fs>
+# DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
+# https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
# The resulting image can then be used to implement the device mapper block
# integrity checking on the target device.
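Review bot: The new usage text lists DM_VERITY_ROOT_GUID and DM_VERITY_RHASH_GUID without saying that they only matter when DM_VERITY_SEPARATE_HASH is "1". The only consumer visible in this patch is the wks.in fragment that process_verity writes after its early return for the single-partition case, so the comment should say that these two variables are ignored otherwise.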
@@ -28,13 +39,23 @@
# Define the hash block size to use in veritysetup.
DM_VERITY_IMAGE_HASH_BLOCK_SIZE ?= "4096"
+# Should we store the hash data on a separate device/partition?
+DM_VERITY_SEPARATE_HASH ?= "0"
+
+# These are arch specific. We could probably intelligently auto-assign these?
+# Take x86-64 values as defaults. No impact on functionality currently.
+# See SD_GPT_ROOT_X86_64 and SD_GPT_ROOT_X86_64_VERITY in the spec.
+# Note - these are passed directly to sgdisk so hyphens needed.
+DM_VERITY_ROOT_GUID ?= "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
+DM_VERITY_RHASH_GUID ?= "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
+
# Process the output from veritysetup and generate the corresponding .env
# file. The output from veritysetup is not very machine-friendly so we need to
# convert it to some better format. Let's drop the first line (doesn't contain
# any useful info) and feed the rest to a script.
process_verity() {
local ENV="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.env"
- install -d ${STAGING_VERITY_DIR}
+ local WKS_INC="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.wks.in"
rm -f $ENV
# Each line contains a key and a value string delimited by ':'. Read the
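Review bot: DM_VERITY_ROOT_GUID and DM_VERITY_RHASH_GUID default to the x86-64 partition types on every architecture, so a build for any other machine that sets DM_VERITY_SEPARATE_HASH gets partitions typed as x86-64 root and root-verity unless the user overrides both. Since the comment already asks whether these could be auto-assigned, consider doing that, or warning when the target is not x86-64 and the defaults are still in place. Separately, with "install -d ${STAGING_VERITY_DIR}" removed from process_verity, the function now relies on its caller having created the directory before "rm -f $ENV" and the later writes; a one-line comment saying so would help.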
@@ -51,6 +72,43 @@
# Add partition size
echo "DATA_SIZE=$SIZE" >> $ENV
+
+ # Add whether we are storing the hash data separately
+ echo "SEPARATE_HASH=${DM_VERITY_SEPARATE_HASH}" >> $ENV
+
+ # Configured for single partition use of veritysetup? OK, we are done.
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 0 ]; then
+ return
+ fi
+
+ # Craft up the UUIDs that are part of the verity standard for root & hash
+ # while we are here and in shell. Re-read our output to get ROOT_HASH
+ # and then cut it in 1/2 ; HI for data UUID and LO for hash-data UUID.
+ # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/
+
+ ROOT_HASH=$(cat $ENV | grep ^ROOT_HASH | sed 's/ROOT_HASH=//' | tr a-f A-F)
+ ROOT_HI=$(echo "obase=16;ibase=16;$ROOT_HASH/2^80" | /usr/bin/bc)
+ ROOT_LO=$(echo "obase=16;ibase=16;$ROOT_HASH%2^80" | /usr/bin/bc)
+
+ # Hyphenate as per UUID spec and as expected by wic+sgdisk parameters.
+ # Prefix with leading zeros, in case hash chunks weren't using highest bits
+ # "bc" needs upper case, /dev/disk/by-partuuid/ is lower case. <sigh>
+ ROOT_UUID=$(echo 00000000$ROOT_HI | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+ RHASH_UUID=$(echo 00000000$ROOT_LO | sed 's/.*\(.\{32\}\)$/\1/' | \
+ sed 's/./-&/9;s/./-&/14;s/./-&/19;s/./-&/24' | tr A-F a-f )
+
+ # Emit the values needed for a veritysetup run in the initramfs
+ echo "ROOT_UUID=$ROOT_UUID" >> $ENV
+ echo "RHASH_UUID=$RHASH_UUID" >> $ENV
+
+ # Create wks.in fragment with build specific UUIDs for partitions.
+ # Unfortunately the wks.in does not support line continuations...
+ # First, the unappended filesystem data partition.
+ echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
+
+ # note: no default mount point for hash data partition
+ echo 'part --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
}
verity_setup() {
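Review bot: The ROOT_HI and ROOT_LO lines call bc through a hard-coded host path, /usr/bin/bc, which bypasses PATH; call it as plain bc so the build uses whatever bc the build environment provides. Nothing here checks that ROOT_HASH is 64 hex digits before it is split: the sed that keeps "the last 32 characters" pads a short value and silently cuts a long one, so a length check with an explicit failure belongs before the UUIDs are written to the .env and wks.in files. It is also worth a comment that "2^80" is read in hex because ibase=16 is already in effect, so it means 2^128 and halves a 256-bit hash. The test "[ ${DM_VERITY_SEPARATE_HASH} -eq 0 ]" should quote the expansion.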
@@ -58,6 +116,12 @@
local INPUT=${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.$TYPE
local SIZE=$(stat --printf="%s" $INPUT)
local OUTPUT=$INPUT.verity
+ local OUTPUT_HASH=$INPUT.verity
+ local HASH_OFFSET=""
+ local SETUP_ARGS=""
+ local SAVED_ARGS="${STAGING_VERITY_DIR}/${IMAGE_BASENAME}.$TYPE.verity.args"
+
+ install -d ${STAGING_VERITY_DIR}
if [ ${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} -ge ${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} ]; then
align=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE}
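Review bot: "local OUTPUT_HASH=$INPUT.verity" repeats the expression on the line above it; writing it as OUTPUT_HASH=$OUTPUT makes it explicit that the default case appends the hash to the same file. The "install -d ${STAGING_VERITY_DIR}" that moved here should quote the path.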
@@ -66,11 +130,33 @@
fi
SIZE=$(expr \( $SIZE + $align - 1 \) / $align \* $align)
+ # Assume some users may want separate hash vs. appended hash
+ if [ ${DM_VERITY_SEPARATE_HASH} -eq 1 ]; then
+ OUTPUT_HASH=$INPUT.vhash
+ else
+ HASH_OFFSET="--hash-offset="$SIZE
+ fi
+
cp -a $INPUT $OUTPUT
+ SETUP_ARGS=" \
+ --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} \
+ --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} \
+ $HASH_OFFSET format $OUTPUT $OUTPUT_HASH \
+ "
+
+ echo "veritysetup $SETUP_ARGS" > $SAVED_ARGS
+
# Let's drop the first line of output (doesn't contain any useful info)
# and feed the rest to another function.
- veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-block-size=${DM_VERITY_IMAGE_HASH_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
+ veritysetup $SETUP_ARGS | tail -n +2 | process_verity
+}
+
+# make "dateless" symlink for the hash so the wks can find it.
+verity_hash() {
+ cd ${IMGDEPLOYDIR}
+ ln -sf ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash \
+ ${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash
}
VERITY_TYPES = " \
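Review bot: verity_hash names the symlink "${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash", while the wks.in line written by process_verity looks for "${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash", so the two agree only when IMAGE_BASENAME equals DM_VERITY_IMAGE. Use the same variable in both places or add a comment stating the assumption. The "cd ${IMGDEPLOYDIR}" is unquoted and its result is not checked; giving ln -sf the full link path under ${IMGDEPLOYDIR} avoids the cd. SETUP_ARGS is also expanded unquoted on the veritysetup line, so an image path containing whitespace would be split.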
@@ -83,10 +169,12 @@
CONVERSIONTYPES += "verity"
CONVERSION_CMD:verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
+IMAGE_CMD:vhash = "verity_hash"
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ verity_hash = d.getVar('DM_VERITY_SEPARATE_HASH')
image_fstypes = d.getVar('IMAGE_FSTYPES')
pn = d.getVar('PN')
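Review bot: IMAGE_CMD:vhash only creates a symlink to the .vhash file that verity_setup produces, and nothing in this hunk makes the vhash image type depend on the verity conversion, so the ordering between the two is left implicit. If that dependency has to be declared, add it next to this line; otherwise add a comment explaining why a link created before its target exists is acceptable. The new Python variable verity_hash has the same name as the shell function verity_hash added above; separate_hash would read better.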
@@ -101,6 +189,8 @@
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
+ if verity_hash == "1":
+ d.appendVar('IMAGE_FSTYPES', ' vhash')
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
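Review bot: The check 'verity_hash == "1"' is a string comparison, while verity_setup and process_verity test the same variable numerically with -eq 1 and -eq 0, so a value such as "2" is handled differently in each place: no vhash image type is added here, verity_setup appends the hash to the .verity file, yet process_verity still writes the wks.in fragment pointing at a .vhash file. Validate DM_VERITY_SEPARATE_HASH here and call bb.fatal unless it is "0" or "1", in the same way as the DM_VERITY_IMAGE_TYPE check just above.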