subtree updates:raspberrypi:arm:security: Jan 27 2023
meta-raspberrypi: 896566aa92..6c57b92708:
Martin Jansa (2):
pi-bluetooth: fix typo in Upstream-Status
gstreamer1.0-omx: fix Upstream-Status format
meta-arm: 5c42f084f7..3d51e1117d:
Abdellatif El Khlifi (1):
arm-bsp/u-boot: Corstone1000: bump to v2022.10
Anton Antonov (1):
arm/kernel: Update ARM-FFA kernel drivers
Daniel Díaz (1):
arm-bsp/firmware-image-juno: Fix deployment of compressed Image
Jon Mason (8):
arm-bsp/juno: move to compressed initramfs image
arm-bsp/juno: Update kernel patches to the latest
arm-bsp/trusted-firmware-m: corstone1000: TFM file clean-ups
arm/trusted-firmware-m: disable fatal warnings
arm-toolchain: update Arm GCC to 12.2
external-arm-toolchain: Enable 12.2.rel1 support
arm-bsp: add u-boot v2022.10 support
arm-bsp: add u-boot v2022.10 support
Peter Hoyes (8):
arm/scp-firmware: Ensure CMAKE_BUILD_TYPE is capitalized
arm/scp-firmware: Disable cppcheck
arm: Add addpylib declaration
arm/lib: Add XAUTHORITY to runfvp environment
classes: Define FVP_ENV_PASSTHROUGH variable dependencies
classes: Prevent passing None to the runfvp environment
classes: Set ARMLMD_LICENSE_FILE in the runfvp environment
arm: Use SRC* variables consistently
Qi Feng (1):
arm-bsp/fvp-baser-aemv8r64: Rebase u-boot patches onto v2022.10
Ross Burton (9):
meta-*: mark layers as compatible with mickledore only
arm-toolchain: remove obsolete oe_import
CI: switch back to master
CI: remove obsolete linux-yocto workarounds
Revert "CI: revert a meta-clang change which breaks pixman (thus, xserver)"
arm-bsp/fvp-base*: no need to remove rng-tools from openssh
CI: pass --update and --force-checkout to kas in pending-updates job
CI: use 'kas dump' instead of manually catting files
CI: remove obsolete install
Rui Miguel Silva (1):
arm-bsp/u-boot: corstone500: bump to 2022.10
Theodore A. Roth (1):
arm/optee-os: Fix FILESEXTRAPATHS
meta-security: f991b20f56..3d9dab6d14:
Chen Qi (1):
openscap: add libpcre DEPEDNS to fix do_configure failure
Markus Volk (1):
bubblewrap: remove recipe
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for mickledore
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I5abd2487fbf395b33b1934ff90bd6d97c7953e6c
diff --git a/meta-arm/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-12.2/0002-gcc-poison-system-directories.patch b/meta-arm/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-12.2/0002-gcc-poison-system-directories.patch
new file mode 100644
index 0000000..5aa635b
--- /dev/null
+++ b/meta-arm/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-12.2/0002-gcc-poison-system-directories.patch
@@ -0,0 +1,239 @@
+From 99f1e61b2957226254a116fde7fd73bf07034012 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 8 Mar 2021 16:04:20 -0800
+Subject: [PATCH] gcc: poison-system-directories
+
+Add /sw/include and /opt/include based on the original
+zecke-no-host-includes.patch patch. The original patch checked for
+/usr/include, /sw/include and /opt/include and then triggered a failure and
+aborted.
+
+Instead, we add the two missing items to the current scan. If the user
+wants this to be a failure, they can add "-Werror=poison-system-directories".
+
+Upstream-Status: Pending
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ gcc/common.opt | 4 ++++
+ gcc/config.in | 10 ++++++++++
+ gcc/configure | 19 +++++++++++++++++++
+ gcc/configure.ac | 16 ++++++++++++++++
+ gcc/doc/invoke.texi | 9 +++++++++
+ gcc/gcc.cc | 15 ++++++++++++---
+ gcc/incpath.cc | 21 +++++++++++++++++++++
+ 7 files changed, 91 insertions(+), 3 deletions(-)
+
+diff --git a/gcc/common.opt b/gcc/common.opt
+index 8a0dafc52..0357868e2 100644
+--- a/gcc/common.opt
++++ b/gcc/common.opt
+@@ -710,6 +710,10 @@ Wreturn-local-addr
+ Common Var(warn_return_local_addr) Init(1) Warning
+ Warn about returning a pointer/reference to a local or temporary variable.
+
++Wpoison-system-directories
++Common Var(flag_poison_system_directories) Init(1) Warning
++Warn for -I and -L options using system directories if cross compiling
++
+ Wshadow
+ Common Var(warn_shadow) Warning
+ Warn when one variable shadows another. Same as -Wshadow=global.
+diff --git a/gcc/config.in b/gcc/config.in
+index 64c27c9cf..a693cb8a8 100644
+--- a/gcc/config.in
++++ b/gcc/config.in
+@@ -230,6 +230,16 @@
+ #endif
+
+
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef ENABLE_POISON_SYSTEM_DIRECTORIES
++#endif
++/* Define to warn for use of native system header directories */
++#ifndef USED_FOR_TARGET
++#undef POISON_BY_DEFAULT
++#endif
++
++
+ /* Define if you want all operations on RTL (the basic data structure of the
+ optimizer and back end) to be checked for dynamic type safety at runtime.
+ This is quite expensive. */
+diff --git a/gcc/configure b/gcc/configure
+index 2b83acfb0..8bb97578c 100755
+--- a/gcc/configure
++++ b/gcc/configure
+@@ -1023,6 +1023,7 @@ enable_maintainer_mode
+ enable_link_mutex
+ enable_link_serialization
+ enable_version_specific_runtime_libs
++enable_poison_system_directories
+ enable_plugin
+ enable_host_shared
+ enable_libquadmath_support
+@@ -1785,6 +1786,8 @@ Optional Features:
+ --enable-version-specific-runtime-libs
+ specify that runtime libraries should be installed
+ in a compiler-specific directory
++ --enable-poison-system-directories
++ warn for use of native system header directories
+ --enable-plugin enable plugin support
+ --enable-host-shared build host code as shared libraries
+ --disable-libquadmath-support
+@@ -31996,6 +31999,22 @@ if test "${enable_version_specific_runtime_libs+set}" = set; then :
+ fi
+
+
++# Check whether --enable-poison-system-directories was given.
++if test "${enable_poison_system_directories+set}" = set; then :
++ enableval=$enable_poison_system_directories;
++else
++ enable_poison_system_directories=no
++fi
++
++if test "x${enable_poison_system_directories}" != "xno"; then
++
++$as_echo "#define ENABLE_POISON_SYSTEM_DIRECTORIES 1" >>confdefs.h
++if test "$enable_poison_system_directories" = "error"; then
++$as_echo "#define POISON_BY_DEFAULT 1" >>confdefs.h
++fi
++
++fi
++
+ # Substitute configuration variables
+
+
+diff --git a/gcc/configure.ac b/gcc/configure.ac
+index daf2a708c..6155b83a7 100644
+--- a/gcc/configure.ac
++++ b/gcc/configure.ac
+@@ -7435,6 +7435,22 @@ AC_ARG_ENABLE(version-specific-runtime-libs,
+ [specify that runtime libraries should be
+ installed in a compiler-specific directory])])
+
++AC_ARG_ENABLE([poison-system-directories],
++ AS_HELP_STRING([--enable-poison-system-directories],
++ [warn for use of native system header directories (no/yes/error)]),,
++ [enable_poison_system_directories=no])
++AC_MSG_NOTICE([poisoned directories $enable_poison_system_directories])
++if test "x${enable_poison_system_directories}" != "xno"; then
++ AC_MSG_NOTICE([poisoned directories enabled])
++ AC_DEFINE([ENABLE_POISON_SYSTEM_DIRECTORIES],
++ [1],
++ [Define to warn for use of native system header directories])
++ if test $enable_poison_system_directories = "error"; then
++ AC_MSG_NOTICE([poisoned directories are fatal])
++ AC_DEFINE([POISON_BY_DEFAULT], [1], [Define to make poison warnings errors])
++ fi
++fi
++
+ # Substitute configuration variables
+ AC_SUBST(subdirs)
+ AC_SUBST(srcdir)
+diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
+index ff6c338be..a8ebfa59a 100644
+--- a/gcc/doc/invoke.texi
++++ b/gcc/doc/invoke.texi
+@@ -379,6 +379,7 @@ Objective-C and Objective-C++ Dialects}.
+ -Wpacked -Wno-packed-bitfield-compat -Wpacked-not-aligned -Wpadded @gol
+ -Wparentheses -Wno-pedantic-ms-format @gol
+ -Wpointer-arith -Wno-pointer-compare -Wno-pointer-to-int-cast @gol
++-Wno-poison-system-directories @gol
+ -Wno-pragmas -Wno-prio-ctor-dtor -Wredundant-decls @gol
+ -Wrestrict -Wno-return-local-addr -Wreturn-type @gol
+ -Wno-scalar-storage-order -Wsequence-point @gol
+@@ -8029,6 +8030,14 @@ made up of data only and thus requires no special treatment. But, for
+ most targets, it is made up of code and thus requires the stack to be
+ made executable in order for the program to work properly.
+
++@item -Wno-poison-system-directories
++@opindex Wno-poison-system-directories
++Do not warn for @option{-I} or @option{-L} options using system
++directories such as @file{/usr/include} when cross compiling. This
++option is intended for use in chroot environments when such
++directories contain the correct headers and libraries for the target
++system rather than the host.
++
+ @item -Wfloat-equal
+ @opindex Wfloat-equal
+ @opindex Wno-float-equal
+diff --git a/gcc/gcc.cc b/gcc/gcc.cc
+index beefde7f6..4e6557b3c 100644
+--- a/gcc/gcc.cc
++++ b/gcc/gcc.cc
+@@ -1162,6 +1162,8 @@ proper position among the other output files. */
+ "%{fuse-ld=*:-fuse-ld=%*} " LINK_COMPRESS_DEBUG_SPEC \
+ "%X %{o*} %{e*} %{N} %{n} %{r}\
+ %{s} %{t} %{u*} %{z} %{Z} %{!nostdlib:%{!r:%{!nostartfiles:%S}}} \
++ %{Wno-poison-system-directories:--no-poison-system-directories} \
++ %{Werror=poison-system-directories:--error-poison-system-directories} \
+ %{static|no-pie|static-pie:} %@{L*} %(mfwrap) %(link_libgcc) " \
+ VTABLE_VERIFICATION_SPEC " " SANITIZER_EARLY_SPEC " %o "" \
+ %{fopenacc|fopenmp|%:gt(%{ftree-parallelize-loops=*:%*} 1):\
+@@ -1257,8 +1259,11 @@ static const char *cpp_unique_options =
+ static const char *cpp_options =
+ "%(cpp_unique_options) %1 %{m*} %{std*&ansi&trigraphs} %{W*&pedantic*} %{w}\
+ %{f*} %{g*:%{%:debug-level-gt(0):%{g*}\
+- %{!fno-working-directory:-fworking-directory}}} %{O*}\
+- %{undef} %{save-temps*:-fpch-preprocess}";
++ %{!fno-working-directory:-fworking-directory}}} %{O*}"
++#ifdef POISON_BY_DEFAULT
++ " %{!Wno-error=poison-system-directories:-Werror=poison-system-directories}"
++#endif
++ " %{undef} %{save-temps*:-fpch-preprocess}";
+
+ /* Pass -d* flags, possibly modifying -dumpdir, -dumpbase et al.
+
+@@ -1287,7 +1292,11 @@ static const char *cc1_options =
+ %{coverage:-fprofile-arcs -ftest-coverage}\
+ %{fprofile-arcs|fprofile-generate*|coverage:\
+ %{!fprofile-update=single:\
+- %{pthread:-fprofile-update=prefer-atomic}}}";
++ %{pthread:-fprofile-update=prefer-atomic}}}"
++#ifdef POISON_BY_DEFAULT
++ " %{!Wno-error=poison-system-directories:-Werror=poison-system-directories}"
++#endif
++ ;
+
+ static const char *asm_options =
+ "%{-target-help:%:print-asm-header()} "
+diff --git a/gcc/incpath.cc b/gcc/incpath.cc
+index 622204a38..5ac03c086 100644
+--- a/gcc/incpath.cc
++++ b/gcc/incpath.cc
+@@ -26,6 +26,7 @@
+ #include "intl.h"
+ #include "incpath.h"
+ #include "cppdefault.h"
++#include "diagnostic-core.h"
+
+ /* Microsoft Windows does not natively support inodes.
+ VMS has non-numeric inodes. */
+@@ -399,6 +400,26 @@ merge_include_chains (const char *sysroot, cpp_reader *pfile, int verbose)
+ }
+ fprintf (stderr, _("End of search list.\n"));
+ }
++
++#ifdef ENABLE_POISON_SYSTEM_DIRECTORIES
++ if (flag_poison_system_directories)
++ {
++ struct cpp_dir *p;
++
++ for (p = heads[INC_QUOTE]; p; p = p->next)
++ {
++ if ((!strncmp (p->name, "/usr/include", 12))
++ || (!strncmp (p->name, "/usr/local/include", 18))
++ || (!strncmp (p->name, "/usr/X11R6/include", 18))
++ || (!strncmp (p->name, "/sw/include", 11))
++ || (!strncmp (p->name, "/opt/include", 12)))
++ warning (OPT_Wpoison_system_directories,
++ "include location \"%s\" is unsafe for "
++ "cross-compilation",
++ p->name);
++ }
++ }
++#endif
+ }
+
+ /* Use given -I paths for #include "..." but not #include <...>, and