diff --git a/meta-security/README b/meta-security/README
index ef80f2b..e238271 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -48,209 +48,6 @@
     /path/to/meta-openembedded/meta-networking \
     /path/to/layer/meta-security \
 
-Contents and Help
-=================
-
-In this section the contents of the layer is listed, along with a short
-help for each package.
-
-         == bastille ==
-
-        Bastille  is  a  system hardening / lockdown program which enhances the
-        security of a Unix host.  It configures daemons, system settings and
-        firewalls to be more secure.  It can shut off unneeded services
-        like rcp and rlogin, and helps create "chroot jails" that help limit the
-        vulnerability of common Internet services like Web services and DNS.
-
-        usage : The functionality of Bastille which is available is
-                restricted to a purely informational one. The command:
-                bastille -c --os Yocto
-                will cause a series of menus containing security questions
-                about the system to be displayed to the user. For each
-                question, a default response, specified in the configuration
-                file which is installed with Bastille, will be selected.
-                The user may select an alternate response. When the user
-                has completed the sequence of menus Bastille saves the
-                responses to the configuration file.
-
-                The command:
-                bastille -l lists the configuration files that Bastille
-                is able to locate.
-
-                The other functionality which Bastille is intended to provide
-                is actually unavailable. This is not due to errors in poky
-                installation or configuration of the application. The Bastille
-                distribution is no longer supported. Significant modifications
-                would be required to make it possible to make use of the
-                functionality which is currently unavailable.
-
-
-        Additional information about Bastille can be found in the package
-        README file and other documentation.
-
-        Alternatives to Bastille include buck-security and checksecurity,
-        described elsewhere in this file.
-
-
-        == redhat-security ==
-
-        Sometimes you want to check different aspects of a distribution for security problems.
-        This can be anything from file permissions to correctness of code. This is a collection of those tools.
-        Depending on what information the tool has to access, it may need to be run as root.
-
-        - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
-                          to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
-                          It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
-                          In this mode it will only give a summary result for the package. To find which files don't comply,
-                          re-run using just the package name.
-
-		!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
-						IMAGE_ROOTFS_EXTRA_SPACE = ""  - specifying the extra space of the image
-						IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
-
-        - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
-                                  and GID without also calling setgroups or initgroups.
-
-        - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
-
-        - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
-                           Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
-
-        - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
-
-        - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
-                              This means that if the program has another vulnerablity such as stack buffer overflow,
-                              any code the attacker places there is executable. Any program found must be fixed.
-
-        - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
-                                Anything found must be investigated since its highly unusual for executables to be hidden.
-
-        - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
-                              It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
-
-        - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
-                                     Anything found by this test should be reported so that selinux policy can be fixed.
-                                     This test is very hardware specific, so to be effective a lot of people with different hardware
-                                     should run this test each upstream kernel version release.
-
-        - selinux-ls-unconfined.sh :  This script scans the running processes and looks for anything labeled with initrc_t or inetd.
-                                      These both mean that there are daemons that do not have policy and are therefore running unconfined.
-                                      These should be reported as SE Linux policy problems. Because it checks currently running daemons,
-                                      the more you have running, the better the test is.
-
-        - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
-                           instead of obscure ones created by something like mktemp.
-
-        - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
-                            it also looks to see if any of the known good random name generator functions is called by looking
-                            at the symbol table. If not, it will output the string.
-
-        - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
-                             The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
-                             Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
-
-
-                usage : simply invoke the script name in the terminal.
-
-
-        == pax-utils ==
-
-		( This package can be found in oe-core )
-
-        pax-utils is a small set of various PaX aware and related utilities for
-        ELF binaries.
-
-        - scanelf : With this application you can print out information specific to the ELF structure of a binary.
-                    For more help please consult the man pages or the readme file.
-
-        - pspax : is a user-space utility that scans the proc directory and list
-                  ELF types, as well as their respective PaX flags and filenames and
-                  attributes. Depending on build options, it may additionaly display the
-                  process running set of capabilities.
-
-        - scanmacho : is a user-space utility to quickly scan given
-                      Mach-Os, directories, or common system paths for different information. This
-                      may include Mach-O types, their install_names, etc.
-
-        - dumpelf : is a user-space utility to dump all of the internal
-                    ELF structures into the equivalent C structures for fun debugging and/or
-                    reference purposes.
-
-
-                usage : simply invoke the script name in the terminal.
-
-
-        == buck-security ==
-
-        Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
-        system. This enables you to quickly overview the security status of your Linux system.
-
-                usage :	!!! before starting to use this tool please run the following command: !!!
-
-						export GPG_TTY=`tty`
-
-						This command is needed for the usage of the comand --make-checksum, which creates
-						a checksum for the files in the system.
-
-						switch to directory /usr/local/buck-security.
-                        before running the script, you should check the activated checks in conf/buck-security.conf file.
-                        after altering the changes, save the file and simply run :
-
-                        ./buck-security
-
-                        you can choose between different outputs : 1, 2(default) or 3.
-
-                        More detailed usage can be found typing ./buck-security --help
-
-
-        == libseccomp ==
-
-        The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
-        The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
-        function-call based filtering interface that should be familiar to, and easily adopted by application developers.
-
-                usage : More detailed usage can be found in the man pages and README file of the package.
-
-
-
-        == checksecurity ==
-
-        checksecurity is a simple package which will scan your system for several simple security holes.
-        It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
-
-
-                usage : To start checksecurity simply write in the terminal :
-
-                        checksecurity
-
-        More detailed usage can be found in the man pages and README file of the package.
-
-
-        == nikto ==
-
-        Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
-        including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
-        problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
-        HTTP server options, and will attempt to identify installed web servers and software.
-
-                usage : To start nikto simply write in the terminal :
-
-                        nikto
-
-        More detailed usage can be found in the man pages and README file of the package.
-
-
-        == nmap ==
-
-        Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
-        Many systems and network administrators also find it useful for tasks such as network inventory,
-        managing service upgrade schedules, and monitoring host or service uptime.
-
-                usage : To start nikto simply write in the terminal :
-
-                        nmap
-
-        More detailed usage can be found in the man pages and README file of the package.
 
 Maintenance
 -----------
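Review bot: After this removal the README gives no pointer to where the per-package help went, and the deleted nmap entry at the end of the block has no counterpart in docs/overview.txt as added by this patch, which stops at nikto. Add a one-line reference to docs/overview.txt in the README. Either carry the nmap entry over as well, or state in the commit message that nmap is intentionally no longer documented.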
@@ -260,8 +57,8 @@
 When sending single patches, please using something like:
 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
 
-Maintainers:    Saul Wold <sgw@linux.intel.com>
-                Armin Kuster <akuster@mvista.com>
+Maintainers:    Armin Kuster <akuster808@gmail.com>
+                Saul Wold <sgw@linux.intel.com>
 
 
 License
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index efc426e..19e647e 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -7,8 +7,10 @@
 
 BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
-BBFILE_PRIORITY_security = "6"
+BBFILE_PRIORITY_security = "8"
 
-LAYERSERIES_COMPAT_security = "sumo"
+LAYERSERIES_COMPAT_security = "thud"
 
 LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
+
+DEFAULT_TEST_SUITES_pn-security-build-image = " ${PTESTTESTSUITE}"
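Review bot: The added DEFAULT_TEST_SUITES_pn-security-build-image line uses a plain `=`, which replaces the default test-suite list for that image, while the leading space inside the quoted value looks like it was written for an append. If the intent is to add the ptest suite to the defaults, use an append form. If replacing the list is intended, drop the leading space and add a comment saying so. Separately, raising BBFILE_PRIORITY from 6 to 8 and replacing "sumo" with "thud" in LAYERSERIES_COMPAT (rather than listing both) are behaviour changes that deserve a sentence of rationale in the commit message.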
diff --git a/meta-security/docs/overview.txt b/meta-security/docs/overview.txt
new file mode 100644
index 0000000..ed3135a
--- /dev/null
+++ b/meta-security/docs/overview.txt
@@ -0,0 +1,197 @@
+Meta-security Docs
+=============
+
+In this section the contents of the layer is listed, along with a short
+help for each package.
+
+         == bastille ==
+
+        Bastille  is  a  system hardening / lockdown program which enhances the
+        security of a Unix host.  It configures daemons, system settings and
+        firewalls to be more secure.  It can shut off unneeded services
+        like rcp and rlogin, and helps create "chroot jails" that help limit the
+        vulnerability of common Internet services like Web services and DNS.
+
+        usage : The functionality of Bastille which is available is
+                restricted to a purely informational one. The command:
+                bastille -c --os Yocto
+                will cause a series of menus containing security questions
+                about the system to be displayed to the user. For each
+                question, a default response, specified in the configuration
+                file which is installed with Bastille, will be selected.
+                The user may select an alternate response. When the user
+                has completed the sequence of menus Bastille saves the
+                responses to the configuration file.
+
+                The command:
+                bastille -l lists the configuration files that Bastille
+                is able to locate.
+
+                The other functionality which Bastille is intended to provide
+                is actually unavailable. This is not due to errors in poky
+                installation or configuration of the application. The Bastille
+                distribution is no longer supported. Significant modifications
+                would be required to make it possible to make use of the
+                functionality which is currently unavailable.
+
+
+        Additional information about Bastille can be found in the package
+        README file and other documentation.
+
+        Alternatives to Bastille include buck-security and checksecurity,
+        described elsewhere in this file.
+
+
+        == redhat-security ==
+
+        Sometimes you want to check different aspects of a distribution for security problems.
+        This can be anything from file permissions to correctness of code. This is a collection of those tools.
+        Depending on what information the tool has to access, it may need to be run as root.
+
+        - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
+                          to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
+                          It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
+                          In this mode it will only give a summary result for the package. To find which files don't comply,
+                          re-run using just the package name.
+
+		!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
+						IMAGE_ROOTFS_EXTRA_SPACE = ""  - specifying the extra space of the image
+						IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
+
+        - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
+                                  and GID without also calling setgroups or initgroups.
+
+        - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
+
+        - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
+                           Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
+
+        - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
+
+        - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
+                              This means that if the program has another vulnerablity such as stack buffer overflow,
+                              any code the attacker places there is executable. Any program found must be fixed.
+
+        - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
+                                Anything found must be investigated since its highly unusual for executables to be hidden.
+
+        - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
+                              It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
+
+        - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
+                                     Anything found by this test should be reported so that selinux policy can be fixed.
+                                     This test is very hardware specific, so to be effective a lot of people with different hardware
+                                     should run this test each upstream kernel version release.
+
+        - selinux-ls-unconfined.sh :  This script scans the running processes and looks for anything labeled with initrc_t or inetd.
+                                      These both mean that there are daemons that do not have policy and are therefore running unconfined.
+                                      These should be reported as SE Linux policy problems. Because it checks currently running daemons,
+                                      the more you have running, the better the test is.
+
+        - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
+                           instead of obscure ones created by something like mktemp.
+
+        - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
+                            it also looks to see if any of the known good random name generator functions is called by looking
+                            at the symbol table. If not, it will output the string.
+
+        - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
+                             The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
+                             Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
+
+
+                usage : simply invoke the script name in the terminal.
+
+
+        == pax-utils ==
+
+		( This package can be found in oe-core )
+
+        pax-utils is a small set of various PaX aware and related utilities for
+        ELF binaries.
+
+        - scanelf : With this application you can print out information specific to the ELF structure of a binary.
+                    For more help please consult the man pages or the readme file.
+
+        - pspax : is a user-space utility that scans the proc directory and list
+                  ELF types, as well as their respective PaX flags and filenames and
+                  attributes. Depending on build options, it may additionaly display the
+                  process running set of capabilities.
+
+        - scanmacho : is a user-space utility to quickly scan given
+                      Mach-Os, directories, or common system paths for different information. This
+                      may include Mach-O types, their install_names, etc.
+
+        - dumpelf : is a user-space utility to dump all of the internal
+                    ELF structures into the equivalent C structures for fun debugging and/or
+                    reference purposes.
+
+
+                usage : simply invoke the script name in the terminal.
+
+
+        == buck-security ==
+
+        Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
+        system. This enables you to quickly overview the security status of your Linux system.
+
+                usage :	!!! before starting to use this tool please run the following command: !!!
+
+						export GPG_TTY=`tty`
+
+						This command is needed for the usage of the comand --make-checksum, which creates
+						a checksum for the files in the system.
+
+						switch to directory /usr/local/buck-security.
+                        before running the script, you should check the activated checks in conf/buck-security.conf file.
+                        after altering the changes, save the file and simply run :
+
+                        ./buck-security
+
+                        you can choose between different outputs : 1, 2(default) or 3.
+
+                        More detailed usage can be found typing ./buck-security --help
+
+
+        == libseccomp ==
+
+        The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
+        The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
+        function-call based filtering interface that should be familiar to, and easily adopted by application developers.
+
+                usage : More detailed usage can be found in the man pages and README file of the package.
+
+
+
+        == checksecurity ==
+
+        checksecurity is a simple package which will scan your system for several simple security holes.
+        It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
+
+
+                usage : To start checksecurity simply write in the terminal :
+
+                        checksecurity
+
+        More detailed usage can be found in the man pages and README file of the package.
+
+
+        == nikto ==
+
+        Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
+        including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
+        problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
+        HTTP server options, and will attempt to identify installed web servers and software.
+
+                usage : To start nikto simply write in the terminal :
+
+                        nikto
+
+        More detailed usage can be found in the man pages and README file of the package.
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
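Review bot: In the rpm-chksec.sh warning, the suggested local.conf line `IMAGE_FEATURES += "package management"` has a space where the feature name needs a hyphen (package-management). As written it is two separate tokens and will not give the rpm -qa output the text promises. The IMAGE_ROOTFS_EXTRA_SPACE = "" line next to it also shows an empty value with no hint of what to put there. Since the text is being moved into a new file, this is the moment to fix both. The carried-over typos ("vulnerablity", "excutables", "comand", "additionaly", "provides and easy to use") and the title underline, which is shorter than "Meta-security Docs", should be fixed at the same time.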
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 31716d6..fcc5cd6 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -6,9 +6,9 @@
 
 BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_scanners-layer = "6"
+BBFILE_PRIORITY_scanners-layer = "10"
 
-LAYERSERIES_COMPAT_scanners-layer = "sumo"
+LAYERSERIES_COMPAT_scanners-layer = "thud"
 
 LAYERDEPENDS_scanners-layer = " \
     core \
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
similarity index 83%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb
rename to meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
index 884999c..28a4469 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.6.8.bb
@@ -6,9 +6,12 @@
 LICENSE = "GPL-3.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
 
-SRCREV= "1be5154b35ce144db4f386856debe8a06b403899"
-SRC_URI = "git://github.com/CISOfy/Lynis.git"
-S = "${WORKDIR}/git"
+SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "91a538055bfb682733ef8e4fe7eb0902"
+SRC_URI[sha256sum] = "2e4c5157a4f2d9bb37d3f0f1f5bea03f92233a2a7d4df6eddf231a784087dfac"
+
+S = "${WORKDIR}/${BPN}"
 
 inherit autotools-brokensep
 
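Review bot: The new `S = "${WORKDIR}/${BPN}"` line depends on the release tarball unpacking into an unversioned directory, which is not obvious to whoever does the next version bump; a one-line comment above it would help. The switch from a pinned git SRCREV to https://cisofy.com/files/${BPN}-${PV}.tar.gz is covered by the sha256sum, so integrity is pinned. The build does now depend on that exact file staying at that path, so the commit message should say why the tarball was preferred over the git pin. LIC_FILES_CHKSUM is unchanged across the 2.5.1 to 2.6.8 bump, which is fine provided LICENSE really is identical in the new release.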
diff --git a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
index e9fd44a..604bacb 100644
--- a/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
+++ b/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
@@ -1,4 +1 @@
-OS_RELEASE_FIELDS += "CPE_NAME"
-
 CPE_NAME="cpe:/o:openembedded:nodistro:0"
-
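Review bot: With the `OS_RELEASE_FIELDS += "CPE_NAME"` line removed, nothing visible in this bbappend adds CPE_NAME to the list of fields written to os-release, so the remaining CPE_NAME assignment may have no effect on the generated file. Please confirm that the base os-release recipe for this release already lists CPE_NAME and say so in the commit message; otherwise keep the `+=` line. Minor style point on the surviving line: put spaces around `=` to match the other recipes in this patch.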
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
similarity index 86%
rename from meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb
rename to meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index fb01a11..a6a9373 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -8,11 +8,9 @@
 
 DEPENDS = "python3-dbus"
 
-SRCREV = "3fd5c75a08223de35a865d026d2a6980ec9c1d74"
+SRCREV = "f25b16afb6ac761fea13132ff406fba4cdfd2b76"
 SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
 
-PV = "0.1.6+git${SRCPV}"
-
 inherit setuptools3
 
 S = "${WORKDIR}/git"
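Review bot: Dropping the `PV = "0.1.6+git${SRCPV}"` line means the package version now comes from the file name and is exactly 0.1.10, which is only accurate if the new SRCREV f25b16afb6ac761fea13132ff406fba4cdfd2b76 is the 0.1.10 release commit; the hunk does not say. Add a comment beside SRCREV naming the tag it corresponds to, or keep a +git${SRCPV} suffix if it is a later commit on the branch.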
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
similarity index 96%
rename from meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb
rename to meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
index 7cbb1e2..e2a4fa2 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.17.bb
@@ -11,7 +11,7 @@
 
 DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
 
-SRCREV = "240930d42611983c65ecae16dbca3248ce130921"
+SRCREV = "59c234b3e9907480c89dfbd1b466a6bf72a2d2ed"
 SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \
            file://crypto_pkgconfig.patch \
            file://run-ptest \
@@ -46,6 +46,7 @@
 	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am
 	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am
 	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am
+	sed -i 's:python2:python:' ${S}/utils/scap-as-rpm
 }
 
 
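Review bot: The added `sed -i 's:python2:python:' ${S}/utils/scap-as-rpm` is not anchored to the interpreter line: it rewrites the first "python2" on every line of the script, so any other mention of python2 in the file is changed too. If the goal is only to fix the shebang, restrict the substitution to line 1 (for example `'1s:python2:python:'`) and add a short comment explaining why the script needs "python" rather than "python2".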
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index a2f0cab..1b5f7d5 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -6,9 +6,9 @@
 
 BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
-BBFILE_PRIORITY_tpm-layer = "6"
+BBFILE_PRIORITY_tpm-layer = "10"
 
-LAYERSERIES_COMPAT_tpm-layer = "sumo"
+LAYERSERIES_COMPAT_tpm-layer = "thud"
 
 LAYERDEPENDS_tpm-layer = " \
     core \
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 13b505f..c4c8fb2 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -1,4 +1,4 @@
-DESCRIPTION = "Security packagegroup for Poky"
+DESCRIPTION = "TPM2 packagegroup for Security"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
                     file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
@@ -12,7 +12,7 @@
     tpm2.0-tools \
     trousers \
     libtss2 \
-    libtctidevice \
-    libtctisocket \
-    resourcemgr \
+    libtss2-tcti-device \
+    libtss2-tcti-mssim \
+    tpm2-abrmd \
     "
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
index b29ec6b..a930d7b 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
@@ -1,11 +1,9 @@
 SUMMARY = "LIBPM - Software TPM Library"
 LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
 
-SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff"
-SRC_URI = " \
-	git://github.com/stefanberger/libtpms.git \
-	"
+SRCREV = "4111bd1bcf721e6e7b5f11ed9c2b93083677aa25"
+SRC_URI = "git://github.com/stefanberger/libtpms.git"
 
 S = "${WORKDIR}/git"
 inherit autotools-brokensep pkgconfig
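Review bot: The LIC_FILES_CHKSUM md5 changes together with the SRCREV bump, but nothing in the hunk says what changed in the upstream LICENSE file. State the reason in the commit message (a date or wording update versus changed terms) so a reader can confirm that LICENSE = "BSD-3-Clause" is still correct for the new revision. While touching this file, note that the SUMMARY context line reads "LIBPM", which looks like a typo given the libtpms SRC_URI.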
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
index 67071b6..bed8b92 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -8,20 +8,20 @@
 
 Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
 
-diff --git a/create_tpm_key.c b/create_tpm_key.c
-index fee917f..7b94d62 100644
---- a/create_tpm_key.c
-+++ b/create_tpm_key.c
-@@ -46,6 +46,8 @@
- #include <trousers/tss.h>
- #include <trousers/trousers.h>
+Index: git/src/create_tpm_key.c
+===================================================================
+--- git.orig/src/create_tpm_key.c
++++ git/src/create_tpm_key.c
+@@ -48,6 +48,8 @@
+ 
+ #include "ssl_compat.h"
  
 +#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
 +
  #define print_error(a,b) \
  	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
  		a, b, Trspi_Error_String(b))
-@@ -70,6 +72,7 @@ usage(char *argv0)
+@@ -72,6 +74,7 @@ usage(char *argv0)
  		"\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
  		"\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
  		"\t\t-s|--key-size    key size in bits [2048]\n"
@@ -29,7 +29,7 @@
  		"\t\t-a|--auth        require a password for the key [NO]\n"
  		"\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
  		"for the\n\t\t\t\t key [NO] (implies --auth)\n"
-@@ -147,6 +150,7 @@ int main(int argc, char **argv)
+@@ -154,6 +157,7 @@ int main(int argc, char **argv)
  	int		asn1_len;
  	char		*filename, c, *openssl_key = NULL;
  	int		option_index, auth = 0, popup = 0, wrap = 0;
@@ -37,7 +37,7 @@
  	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
  	UINT32		sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
  	UINT32		key_size = 2048;
-@@ -154,12 +158,15 @@ int main(int argc, char **argv)
+@@ -161,12 +165,15 @@ int main(int argc, char **argv)
  
  	while (1) {
  		option_index = 0;
@@ -54,7 +54,7 @@
  			case 'a':
  				initFlags |= TSS_KEY_AUTHORIZATION;
  				auth = 1;
-@@ -293,6 +300,8 @@ int main(int argc, char **argv)
+@@ -300,6 +307,8 @@ int main(int argc, char **argv)
  
  	if (srk_authusage) {
  		char *authdata = calloc(1, 128);
@@ -63,7 +63,7 @@
  
  		if (!authdata) {
  			fprintf(stderr, "malloc failed.\n");
-@@ -309,17 +318,26 @@ int main(int argc, char **argv)
+@@ -316,17 +325,26 @@ int main(int argc, char **argv)
  			exit(result);
  		}
  
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
index f718f2e..2caaaf0 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -9,20 +9,20 @@
 
 Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
 
-diff --git a/e_tpm.c b/e_tpm.c
-index f3e8bcf..7dcb75a 100644
---- a/e_tpm.c
-+++ b/e_tpm.c
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
 @@ -38,6 +38,8 @@
- 
  #include "e_tpm.h"
+ #include "ssl_compat.h"
  
 +#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
 +
  //#define DLOPEN_TSPI
  
  #ifndef OPENSSL_NO_HW
-@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+@@ -262,6 +264,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
  	TSS_RESULT result;
  	UINT32 authusage;
  	BYTE *auth;
@@ -33,7 +33,7 @@
  
  	if (hSRK != NULL_HKEY) {
  		DBGFN("SRK is already loaded.");
-@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+@@ -313,18 +319,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
  		return 0;
  	}
  
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
deleted file mode 100644
index d24a150..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Mon, 19 Jun 2017 14:54:28 +0800
-Subject: [PATCH] Fix not building libtpm.la
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- Makefile.am | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 6695656..634a7e6 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
- libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
- 
- create_tpm_key_SOURCES=create_tpm_key.c
--create_tpm_key_LDADD=-ltspi
-+create_tpm_key_LDFLAGS=-ltspi
-+
-+LDADD=libtpm.la
--- 
-2.7.5
-
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
index a88148f..cc8772d 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -22,11 +22,11 @@
  e_tpm_err.c |   4 ++
  3 files changed, 164 insertions(+), 1 deletion(-)
 
-diff --git a/e_tpm.c b/e_tpm.c
-index 7dcb75a..11bf74b 100644
---- a/e_tpm.c
-+++ b/e_tpm.c
-@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -259,6 +259,118 @@ void ENGINE_load_tpm(void)
  	ERR_clear_error();
  }
  
@@ -145,7 +145,7 @@
  int tpm_load_srk(UI_METHOD *ui, void *cb_data)
  {
  	TSS_RESULT result;
-@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+@@ -319,8 +431,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
  		return 0;
  	}
  
@@ -197,7 +197,7 @@
  		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
  			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
  			secretMode = TSS_SECRET_MODE_SHA1;
-@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+@@ -333,6 +487,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb
  			authlen = strlen(auth);
  		}
  	}
@@ -205,11 +205,11 @@
  	else {
  		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
  				"SRK authorization: ", cb_data)) {
-diff --git a/e_tpm.h b/e_tpm.h
-index 6316e0b..56ff202 100644
---- a/e_tpm.h
-+++ b/e_tpm.h
-@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+Index: git/src/e_tpm.h
+===================================================================
+--- git.orig/src/e_tpm.h
++++ git/src/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int rea
  #define TPM_F_TPM_FILL_RSA_OBJECT		116
  #define TPM_F_TPM_ENGINE_GET_AUTH		117
  #define TPM_F_TPM_CREATE_SRK_POLICY		118
@@ -218,7 +218,7 @@
  
  /* Reason codes. */
  #define TPM_R_ALREADY_LOADED			100
-@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int rea
  #define TPM_R_ID_INVALID			125
  #define TPM_R_UI_METHOD_FAILED			126
  #define TPM_R_UNKNOWN_SECRET_MODE		127
@@ -227,11 +227,11 @@
  
  /* structure pointed to by the RSA object's app_data pointer */
  struct rsa_app_data
-diff --git a/e_tpm_err.c b/e_tpm_err.c
-index 25a5d0f..439e267 100644
---- a/e_tpm_err.c
-+++ b/e_tpm_err.c
-@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
+Index: git/src/e_tpm_err.c
+===================================================================
+--- git.orig/src/e_tpm_err.c
++++ git/src/e_tpm_err.c
+@@ -234,6 +234,8 @@ static ERR_STRING_DATA TPM_str_functs[]
  	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
  	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
  	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
@@ -240,7 +240,7 @@
  	{0, NULL}
  };
  
-@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
+@@ -264,6 +266,8 @@ static ERR_STRING_DATA TPM_str_reasons[]
  	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
  	{TPM_R_ID_INVALID, "engine id doesn't match"},
  	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
@@ -249,6 +249,3 @@
  	{0, NULL}
  };
  
--- 
-2.9.3
-
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
index 076704d..535472a 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -15,11 +15,11 @@
  create_tpm_key.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
 
-diff --git a/create_tpm_key.c b/create_tpm_key.c
-index 7b94d62..f30af90 100644
---- a/create_tpm_key.c
-+++ b/create_tpm_key.c
-@@ -148,7 +148,8 @@ int main(int argc, char **argv)
+Index: git/src/create_tpm_key.c
+===================================================================
+--- git.orig/src/create_tpm_key.c
++++ git/src/create_tpm_key.c
+@@ -155,7 +155,8 @@ int main(int argc, char **argv)
  	ASN1_OCTET_STRING *blob_str;
  	unsigned char	*blob_asn1 = NULL;
  	int		asn1_len;
@@ -29,6 +29,3 @@
  	int		option_index, auth = 0, popup = 0, wrap = 0;
  	int		wellknownkey = 0;
  	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
--- 
-1.7.9.5
-
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
new file mode 100644
index 0000000..2f8eb81
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/openssl11_build_fix.patch
@@ -0,0 +1,34 @@
+Fix compiling for openssl 1.1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/src/e_tpm.c
+===================================================================
+--- git.orig/src/e_tpm.c
++++ git/src/e_tpm.c
+@@ -265,19 +265,20 @@ static int tpm_decode_base64(unsigned ch
+ 				int *out_len)
+ {
+ 	int total_len, len, ret;
+-	EVP_ENCODE_CTX dctx;
++	EVP_ENCODE_CTX *dctx;
+ 
+-	EVP_DecodeInit(&dctx);
++	dctx = EVP_ENCODE_CTX_new();
++	EVP_DecodeInit(dctx);
+ 
+ 	total_len = 0;
+-	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++	ret = EVP_DecodeUpdate(dctx, outdata, &len, indata, in_len);
+ 	if (ret < 0) {
+ 		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ 		return 1;
+ 	}
+ 
+ 	total_len += len;
+-	ret = EVP_DecodeFinal(&dctx, outdata, &len);
++	ret = EVP_DecodeFinal(dctx, outdata, &len);
+ 	if (ret < 0) {
+ 		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
+ 		return 1;
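Review bot: The result of EVP_ENCODE_CTX_new() is used without a NULL check, and both error paths visible in this hunk `return 1` without calling EVP_ENCODE_CTX_free(dctx), so every failed decode leaks the context. Suggest checking dctx right after allocation and freeing it before each return. The patch is cut before the success path, so please confirm the context is released there as well.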
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
deleted file mode 100644
index 4854f70..0000000
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
+++ /dev/null
@@ -1,78 +0,0 @@
-DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
-HOMEPAGE = "https://sourceforge.net/projects/trousers/"
-SECTION = "security/tpm"
-
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
-
-DEPENDS += "openssl trousers"
-
-SRC_URI = "\
-    git://git.code.sf.net/p/trousers/openssl_tpm_engine \
-    file://0001-create-tpm-key-support-well-known-key-option.patch \
-    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
-    file://0003-Fix-not-building-libtpm.la.patch \
-    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
-    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
-"
-SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep
-
-# The definitions below are used to decrypt the srk password.
-# It is allowed to define the values in 3 forms: string, hex number and
-# the hybrid, e.g,
-# srk_dec_pw = "incendia"
-# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
-# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
-#
-# Due to the limit of escape character, the hybrid must be written in
-# above style. The actual values defined below in C code style are:
-# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
-# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
-srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
-srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-
-CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
-
-# Uncomment below line if using the plain srk password for development
-#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
-
-do_configure_prepend() {
-    cd "${S}"
-    cp LICENSE COPYING
-    touch NEWS AUTHORS ChangeLog
-}
-
-do_install_append() {
-    install -m 0755 -d "${D}${libdir}/engines"
-    install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
-    install -m 0755 -d "${D}${libdir}/ssl/engines"
-
-    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
-    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
-    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
-    mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
-    mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
-    rm -rf "${D}${libdir}/openssl"
-}
-
-FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
-FILES_${PN}-dbg += "\
-    ${libdir}/ssl/engines/.debug \
-    ${libdir}/engines/.debug \
-    ${prefix}/local/ssl/lib/engines/.debug \
-"
-FILES_${PN} += "\
-    ${libdir}/ssl/engines/libtpm.so* \
-    ${libdir}/engines/libtpm.so* \
-    ${libdir}/libtpm.so* \
-    ${prefix}/local/ssl/lib/engines/libtpm.so* \
-"
-
-RDEPENDS_${PN} += "libcrypto libtspi"
-
-INSANE_SKIP_${PN} = "libdir"
-INSANE_SKIP_${PN}-dbg = "libdir"
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
new file mode 100644
index 0000000..0f98b79
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -0,0 +1,65 @@
+DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
+HOMEPAGE = "https://github.com/mgerstner/openssl_tpm_engine"
+SECTION = "security/tpm"
+
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
+
+DEPENDS += "openssl trousers"
+
+SRC_URI = "\
+    git://github.com/mgerstner/openssl_tpm_engine.git \
+    file://0001-create-tpm-key-support-well-known-key-option.patch \
+    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
+    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
+    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
+    file://openssl11_build_fix.patch \
+"
+SRCREV = "b28de5065e6eb9aa5d5afe2276904f7624c2cbaf"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+
+CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+
+# Uncomment below line if using the plain srk password for development
+#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+
+do_configure_prepend() {
+    cd ${B}
+    cp LICENSE COPYING
+    touch NEWS AUTHORS ChangeLog README
+}
+
+FILES_${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
+FILES_${PN}-dbg += "\
+    ${libdir}/ssl/engines-1.1/.debug \
+    ${libdir}/engines-1.1/.debug \
+    ${prefix}/local/ssl/lib/engines-1.1/.debug \
+"
+FILES_${PN} += "\
+    ${libdir}/ssl/engines-1.1/tpm.so* \
+    ${libdir}/engines-1.1/tpm.so* \
+    ${libdir}/libtpm.so* \
+    ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+"
+
+RDEPENDS_${PN} += "libcrypto libtspi"
+
+INSANE_SKIP_${PN} = "libdir"
+INSANE_SKIP_${PN}-dbg = "libdir"
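Review bot: srk_dec_pw and srk_dec_salt carry fixed defaults that are spelled out in the comment above them and compiled into the engine through -DSRK_DEC_PW and -DSRK_DEC_SALT, so any image built without overriding them decrypts the SRK password with a secret that is public in this layer. Consider warning or failing at build time when the defaults are still in place, or at least state in the comment that they must be overridden outside development. Separately, `CFLAGS_append += "..."` mixes two operators and only works because += happens to supply the separating space; prefer `CFLAGS_append = " -DSRK_DEC_PW=..."` with an explicit leading space. `cd ${B}` in do_configure_prepend should also be quoted, as the 0.4.2 recipe did with "${S}".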
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
new file mode 100644
index 0000000..cf2d437
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/files/fix_openssl11_build.patch
@@ -0,0 +1,45 @@
+Enable building with openssl 1.1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/src/pcr-extend.c
+===================================================================
+--- git.orig/src/pcr-extend.c
++++ git/src/pcr-extend.c
+@@ -118,7 +118,7 @@ dump_buf (FILE *file, char *buf, size_t
+ static unsigned char*
+ sha1_file (FILE *file, unsigned int *hash_len)
+ {
+-    EVP_MD_CTX ctx = { 0 };
++    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+     unsigned char *buf = NULL, *hash = NULL;
+     size_t num_read = 0;
+ 
+@@ -127,7 +127,7 @@ sha1_file (FILE *file, unsigned int *has
+         perror ("malloc:\n");
+         goto sha1_fail;
+     }
+-    if (EVP_DigestInit (&ctx, EVP_sha1 ()) == 0) {
++    if (EVP_DigestInit (ctx, EVP_sha1 ()) == 0) {
+         ERR_print_errors_fp (stderr);
+         goto sha1_fail;
+     }
+@@ -135,7 +135,7 @@ sha1_file (FILE *file, unsigned int *has
+         num_read = fread (buf, 1, BUF_SIZE, file);
+         if (num_read <= 0)
+             break;
+-        if (EVP_DigestUpdate (&ctx, buf, num_read) == 0) {
++        if (EVP_DigestUpdate (ctx, buf, num_read) == 0) {
+             ERR_print_errors_fp (stderr);
+             goto sha1_fail;
+         }
+@@ -149,7 +149,7 @@ sha1_file (FILE *file, unsigned int *has
+         perror ("calloc of hash buffer:\n");
+         goto sha1_fail;
+     }
+-    if (EVP_DigestFinal (&ctx, hash, hash_len) == 0) {
++    if (EVP_DigestFinal (ctx, hash, hash_len) == 0) {
+         ERR_print_errors_fp (stderr);
+         goto sha1_fail;
+     }
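Review bot: In sha1_file the new `EVP_MD_CTX *ctx = EVP_MD_CTX_new();` is neither checked for NULL nor released anywhere in the hunks shown. The old stack object needed no cleanup, but the heap-allocated one does. Suggest a NULL check before EVP_DigestInit and an EVP_MD_CTX_free(ctx) on both the normal return and the sha1_fail path.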
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
index 0cc4f63..f8347b7 100644
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -9,7 +9,8 @@
 PV = "0.1+git${SRCPV}"
 SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
 
-SRC_URI = "git://github.com/flihp/pcr-extend.git "
+SRC_URI = "git://github.com/flihp/pcr-extend.git \
+           file://fix_openssl11_build.patch "
 
 inherit autotools
 
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
index 7476020..3fe1393 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -3,23 +3,21 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
 SECTION = "apps"
 
-DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native"
+DEPENDS = "libtasn1 expect socat glib-2.0 net-tools-native libtpm libtpm-native"
 
 # configure checks for the tools already during compilation and
 # then swtpm_setup needs them at runtime
 DEPENDS += "tpm-tools-native expect-native socat-native"
-RDEPENDS_${PN} += "tpm-tools"
 
-SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8"
-SRC_URI = "git://github.com/stefanberger/swtpm.git \
-           file://fix_lib_search_path.patch \
+SRCREV = "94bb9f2d716d09bcc6cd2a2e033018f8592008e7"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=tpm2-preview.v2 \
            file://fix_fcntl_h.patch \
            file://ioctl_h.patch \
            "
 
 S = "${WORKDIR}/git"
 
-inherit autotools-brokensep pkgconfig
+inherit autotools pkgconfig
 PARALLEL_MAKE = ""
 
 TSS_USER="tss"
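Review bot: SRC_URI now tracks branch=tpm2-preview.v2 while the recipe file is still swtpm_1.0.bb, so the package version no longer describes what is being built. Suggest setting PV to reflect the git snapshot (for example with a +git${SRCPV} suffix) and explaining in the commit message why a preview branch is pinned and why fix_lib_search_path.patch is no longer needed.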
@@ -36,21 +34,12 @@
 
 export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
 
-# dup bootstrap 
-do_configure_prepend () {
-	libtoolize --force --copy
-	autoheader
-	aclocal
-	automake --add-missing -c
-	autoconf
-}
-
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
 USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
     --no-create-home  --shell /bin/false ${BPN}"
 
-RDEPENDS_${PN} = "libtpm expect socat bash"
+RDEPENDS_${PN} = "libtpm expect socat bash tpm-tools"
 
 BBCLASSEXTEND = "native nativesdk"
 
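Review bot: In the unchanged USERADD_PARAM_${PN} lines, `--home-dir` is followed only by a line continuation and then `--no-create-home`, so the option has no path of its own and useradd will take the next token as its argument. Since this hunk already edits the neighbouring RDEPENDS, please supply the intended directory or drop `--home-dir`. GROUPADD_PARAM also uses ${TSS_USER} where USERADD_PARAM uses ${TSS_GROUP}; it would be worth making the two consistent.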
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
new file mode 100644
index 0000000..5018d45
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/04-fix-FTBFS-clang.patch
@@ -0,0 +1,56 @@
+Title: Fix FTBFS with clang due to uninitialized values
+Date: 2015-06-28
+Author: Alexander <sanek23994@gmail.com>
+Bug-Debian: http://bugs.debian.org/753063
+
+Upstream-Status: Backport
+tpm-tools_1.3.9.1-0.1.debian.tar
+
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_present.c	2012-05-17 21:49:58.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_present.c	2014-06-29 01:01:11.502081468 +0400
+@@ -165,7 +165,7 @@
+ 
+ 	TSS_BOOL bCmd, bHwd;
+ 	BOOL bRc;
+-	TSS_HPOLICY hTpmPolicy;
++	TSS_HPOLICY hTpmPolicy = 0;
+ 	char *pwd = NULL;
+ 	int pswd_len;
+ 	char rsp[5];
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_takeownership.c	2010-09-30 21:28:09.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_takeownership.c	2014-06-29 01:01:51.069373655 +0400
+@@ -67,7 +67,7 @@
+ 	char *szSrkPasswd = NULL;
+ 	int tpm_len, srk_len;
+ 	TSS_HTPM hTpm;
+-	TSS_HKEY hSrk;
++	TSS_HKEY hSrk = 0;
+ 	TSS_FLAG fSrkAttrs;
+ 	TSS_HPOLICY hTpmPolicy, hSrkPolicy;
+ 	int iRc = -1;
+--- tpm-tools-1.3.8/src/tpm_mgmt/tpm_nvwrite.c	2011-08-17 16:20:35.000000000 +0400
++++ tpm-tools-1.3.8-my/src/tpm_mgmt/tpm_nvwrite.c	2014-06-29 01:02:45.836397172 +0400
+@@ -220,7 +220,7 @@
+ 		close(fd);
+ 		fd = -1;
+ 	} else if (fillvalue >= 0) {
+-		if (length < 0) {
++		if (length == 0) {
+ 			logError(_("Requiring size parameter.\n"));
+ 			return -1;
+ 		}
+--- tpm-tools-1.3.8/src/data_mgmt/data_protect.c	2012-05-17 21:49:58.000000000 +0400
++++ tpm-tools-1.3.8-my/src/data_mgmt/data_protect.c	2014-06-29 01:03:49.863254459 +0400
+@@ -432,8 +432,8 @@
+ 
+ 	char *pszPin = NULL;
+ 
+-	CK_RV              rv;
+-	CK_SESSION_HANDLE  hSession;
++	CK_RV              rv = 0;
++	CK_SESSION_HANDLE  hSession = 0;
+ 	CK_OBJECT_HANDLE   hObject;
+ 	CK_MECHANISM       tMechanism = { CKM_AES_ECB, NULL, 0 };
+ 
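Review bot: The tpm_nvwrite.c hunk is not an initialisation fix like the other three. It changes the check from `length < 0` to `length == 0`, which alters when "Requiring size parameter." is reported. The patch title mentions only uninitialized values, so please call out this behavioural change in the header. If length is an unsigned type, the old test could never fire, and that would be worth stating as the reason.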
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch
new file mode 100644
index 0000000..c2a264b
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/05-openssl1.1_fix_data_mgmt.patch
@@ -0,0 +1,110 @@
+Author: Philipp Kern <pkern@debian.org>
+Subject: Fix openssl1.1 support in data_mgmt
+Date: Tue, 31 Jan 2017 22:40:10 +0100
+
+Upstream-Status: Backport
+tpm-tools_1.3.9.1-0.1.debian.tar
+
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+---
+ src/data_mgmt/data_import.c |   60 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 39 insertions(+), 21 deletions(-)
+
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -372,7 +372,7 @@ readX509Cert( const char  *a_pszFile,
+ 		goto out;
+ 	}
+ 
+-	if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) {
++	if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) {
+ 		logError( TOKEN_RSA_KEY_ERROR );
+ 
+ 		X509_free( pX509 );
+@@ -691,8 +691,13 @@ createRsaPubKeyObject( RSA
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
++	const BIGNUM *bn;
++	const BIGNUM *be;
++
++	RSA_get0_key( a_pRsa, &bn, &be, NULL );
++
++	int  nLen = BN_num_bytes( bn );
++	int  eLen = BN_num_bytes( be );
+ 
+ 	CK_RV  rv;
+ 
+@@ -732,8 +737,8 @@ createRsaPubKeyObject( RSA
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
++	BN_bn2bin( bn, n );
++	BN_bn2bin( be, e );
+ 
+ 	// Create the RSA public key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+@@ -760,14 +765,27 @@ createRsaPrivKeyObject( RSA
+ 
+ 	int  rc = -1;
+ 
+-	int  nLen = BN_num_bytes( a_pRsa->n );
+-	int  eLen = BN_num_bytes( a_pRsa->e );
+-	int  dLen = BN_num_bytes( a_pRsa->d );
+-	int  pLen = BN_num_bytes( a_pRsa->p );
+-	int  qLen = BN_num_bytes( a_pRsa->q );
+-	int  dmp1Len = BN_num_bytes( a_pRsa->dmp1 );
+-	int  dmq1Len = BN_num_bytes( a_pRsa->dmq1 );
+-	int  iqmpLen = BN_num_bytes( a_pRsa->iqmp );
++	const BIGNUM *bn;
++	const BIGNUM *be;
++	const BIGNUM *bd;
++	const BIGNUM *bp;
++	const BIGNUM *bq;
++	const BIGNUM *bdmp1;
++	const BIGNUM *bdmq1;
++	const BIGNUM *biqmp;
++
++	RSA_get0_key( a_pRsa, &bn, &be, &bd);
++	RSA_get0_factors( a_pRsa, &bp, &bq);
++	RSA_get0_crt_params( a_pRsa, &bdmp1, &bdmq1, &biqmp );
++
++	int  nLen = BN_num_bytes( bn );
++	int  eLen = BN_num_bytes( be );
++	int  dLen = BN_num_bytes( bd );
++	int  pLen = BN_num_bytes( bp );
++	int  qLen = BN_num_bytes( bq );
++	int  dmp1Len = BN_num_bytes( bdmp1 );
++	int  dmq1Len = BN_num_bytes( bdmq1 );
++	int  iqmpLen = BN_num_bytes( biqmp );
+ 
+ 	CK_RV  rv;
+ 
+@@ -821,14 +839,14 @@ createRsaPrivKeyObject( RSA
+ 	}
+ 
+ 	// Get binary representations of the RSA key information
+-	BN_bn2bin( a_pRsa->n, n );
+-	BN_bn2bin( a_pRsa->e, e );
+-	BN_bn2bin( a_pRsa->d, d );
+-	BN_bn2bin( a_pRsa->p, p );
+-	BN_bn2bin( a_pRsa->q, q );
+-	BN_bn2bin( a_pRsa->dmp1, dmp1 );
+-	BN_bn2bin( a_pRsa->dmq1, dmq1 );
+-	BN_bn2bin( a_pRsa->iqmp, iqmp );
++	BN_bn2bin( bn, n );
++	BN_bn2bin( be, e );
++	BN_bn2bin( bd, d );
++	BN_bn2bin( bp, p );
++	BN_bn2bin( bq, q );
++	BN_bn2bin( bdmp1, dmp1 );
++	BN_bn2bin( bdmq1, dmq1 );
++	BN_bn2bin( biqmp, iqmp );
+ 
+ 	// Create the RSA private key object
+ 	rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
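Review bot: RSA_get0_key, RSA_get0_factors and RSA_get0_crt_params replace the direct struct accesses unconditionally, with no OPENSSL_VERSION_NUMBER guard, so data_import.c will no longer build against OpenSSL 1.0.x. If the layer only targets 1.1 that is acceptable, but the patch header should say so; otherwise wrap the accessors in a version check. The new getter calls also sit ahead of `int  nLen = ...` in createRsaPubKeyObject and createRsaPrivKeyObject, giving declarations after statements, so confirm that matches the compiler flags the project builds with.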
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
new file mode 100644
index 0000000..9ae3f72
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/openssl1.1_fix.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Pending
+Update to build with openssl 1.1.x
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/src/cmds/tpm_extendpcr.c
+===================================================================
+--- git.orig/src/cmds/tpm_extendpcr.c
++++ git/src/cmds/tpm_extendpcr.c
+@@ -136,7 +136,7 @@ int main(int argc, char **argv)
+ 
+ 		unsigned char msg[EVP_MAX_MD_SIZE];
+ 		unsigned int msglen;
+-		EVP_MD_CTX ctx;
++		EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ 		EVP_DigestInit(&ctx, EVP_sha1());
+ 		while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
+ 			EVP_DigestUpdate(&ctx, line, lineLen);
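Review bot: ctx becomes a pointer (`EVP_MD_CTX *ctx = EVP_MD_CTX_new();`) but the two following context lines still pass `&ctx` to EVP_DigestInit and EVP_DigestUpdate, which now hands those functions an EVP_MD_CTX ** instead of the context. The patch needs to change those calls, and any later EVP_DigestFinal outside the lines shown, to take `ctx`. It should also check the allocation for NULL and release it with EVP_MD_CTX_free when the digest is complete.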
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
index ab5e683..40150af 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
@@ -1,8 +1,8 @@
-Index: tpm-tools-1.3.8/include/tpm_tspi.h
+Index: git/include/tpm_tspi.h
 ===================================================================
---- tpm-tools-1.3.8.orig/include/tpm_tspi.h	2011-08-17 08:20:35.000000000 -0400
-+++ tpm-tools-1.3.8/include/tpm_tspi.h	2013-01-05 23:26:31.571598217 -0500
-@@ -117,6 +117,10 @@
+--- git.orig/include/tpm_tspi.h
++++ git/include/tpm_tspi.h
+@@ -117,6 +117,10 @@ TSS_RESULT tpmPcrRead(TSS_HTPM a_hTpm, U
  			UINT32 *a_PcrSize, BYTE **a_PcrValue);
  TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
  					UINT32 a_PcrSize, BYTE *a_PcrValue);
@@ -13,11 +13,11 @@
  #ifdef TSS_LIB_IS_12
  TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
  TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
-Index: tpm-tools-1.3.8/lib/tpm_tspi.c
+Index: git/lib/tpm_tspi.c
 ===================================================================
---- tpm-tools-1.3.8.orig/lib/tpm_tspi.c	2011-08-17 08:20:35.000000000 -0400
-+++ tpm-tools-1.3.8/lib/tpm_tspi.c	2013-01-05 23:27:37.731593490 -0500
-@@ -594,6 +594,20 @@
+--- git.orig/lib/tpm_tspi.c
++++ git/lib/tpm_tspi.c
+@@ -594,6 +594,20 @@ pcrcompositeSetPcrValue(TSS_HPCRS a_hPcr
  	return result;
  }
  
@@ -38,10 +38,10 @@
  #ifdef TSS_LIB_IS_12
  /*
   * These getPasswd functions will wrap calls to the other functions and check to see if the TSS
-Index: tpm-tools-1.3.8/src/cmds/Makefile.am
+Index: git/src/cmds/Makefile.am
 ===================================================================
---- tpm-tools-1.3.8.orig/src/cmds/Makefile.am	2011-08-15 13:52:08.000000000 -0400
-+++ tpm-tools-1.3.8/src/cmds/Makefile.am	2013-01-05 23:30:46.223593698 -0500
+--- git.orig/src/cmds/Makefile.am
++++ git/src/cmds/Makefile.am
 @@ -22,6 +22,7 @@
  #
  
@@ -50,16 +50,16 @@
  			tpm_unsealdata
  
  if TSS_LIB_IS_12
-@@ -33,4 +34,5 @@
- LDADD		=	$(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto
+@@ -33,4 +34,5 @@ endif
+ LDADD		=	$(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto @INTLLIBS@
  
  tpm_sealdata_SOURCES = tpm_sealdata.c
 +tpm_extendpcr_SOURCES = tpm_extendpcr.c
  tpm_unsealdata_SOURCES = tpm_unsealdata.c
-Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c
+Index: git/src/cmds/tpm_extendpcr.c
 ===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c	2013-01-05 23:37:43.403585514 -0500
+--- /dev/null
++++ git/src/cmds/tpm_extendpcr.c
 @@ -0,0 +1,181 @@
 +/*
 + * The Initial Developer of the Original Code is International
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
similarity index 84%
rename from meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
rename to meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
index f670bff..88ef19f 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.1.bb
@@ -12,14 +12,15 @@
 DEPENDS = "libtspi openssl"
 DEPENDS_class-native = "trousers-native"
 
-SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee"
+SRCREV = "bdf9f1bc8f63cd6fc370c2deb58d03ac55079e84"
 SRC_URI = " \
 	git://git.code.sf.net/p/trousers/tpm-tools \
 	file://tpm-tools-extendpcr.patch \
+	file://04-fix-FTBFS-clang.patch \
+	file://05-openssl1.1_fix_data_mgmt.patch \
+        file://openssl1.1_fix.patch \
 	"
 
-PV = "1.3.9.1+git${SRCPV}"
-
 inherit autotools-brokensep gettext
 
 S = "${WORKDIR}/git"
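Review bot: openssl1.1_fix.patch modifies src/cmds/tpm_extendpcr.c, a file that only exists because tpm-tools-extendpcr.patch creates it from /dev/null, so the recipe now carries a local patch on top of a local patch. Folding the OpenSSL 1.1 change into tpm-tools-extendpcr.patch would keep the series simpler and remove the ordering dependency in SRC_URI. The added `file://openssl1.1_fix.patch` line is also indented with spaces while the other entries use a tab.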
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
similarity index 75%
rename from meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
rename to meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
index a5d6843..6347379 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_2.0.2.bb
@@ -9,14 +9,16 @@
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
 
-DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native"
+DEPENDS = "autoconf-archive dbus glib-2.0 tpm2.0-tss glib-2.0-native \
+            libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
+
 
 SRC_URI = "\
     git://github.com/01org/tpm2-abrmd.git \
     file://tpm2-abrmd-init.sh \
     file://tpm2-abrmd.default \
 "
-SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8"
+SRCREV = "d0120ace58d97bc9520c0d558657eaca87ae73b1"
 
 S = "${WORKDIR}/git"
 
@@ -33,11 +35,8 @@
 GROUPADD_PARAM_${PN} = "tss"
 USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
 
-PACKAGECONFIG ?="udev"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
-
+PACKAGECONFIG ?="${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
 PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"
-PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir"
 
 do_install_append() {
     install -d "${D}${sysconfdir}/init.d"
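Review bot: Folding the systemd detection into the "?=" default changes behaviour: the DISTRO_FEATURES check now applies only when nothing else has set PACKAGECONFIG, whereas the old "+=" line added systemd regardless. A distro or local.conf that assigns PACKAGECONFIG for this recipe will silently get --with-systemdsystemunitdir=no. If that is intended, state it in the commit message. With PACKAGECONFIG[udev] gone, also note where the udev rule now comes from (the new tpm2.0-tss recipe packages ${libdir}/udev).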
@@ -47,8 +46,9 @@
     install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd"
 }
 
-FILES_${PN} += "${libdir}/systemd/system-preset"
+FILES_${PN} += "${libdir}/systemd/system-preset \
+		${datadir}/dbus-1"
 
-RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket"
+RDEPENDS_${PN} += "tpm2.0-tss"
 
 BBCLASSEXTEND = "native"
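Review bot: RDEPENDS_${PN} += "tpm2.0-tss" names a package that, per FILES_${PN} = "${libdir}/udev" in the new tpm2.0-tss_2.0.1.bb, holds only the udev files; the shared libraries are split into libtss2, libtss2-mu and the libtss2-tcti-* packages. If the daemon loads its TCTI at run time instead of linking against it, the automatic shared-library dependencies will not pull that package in, so it should be listed here explicitly. The continuation line added to FILES_${PN} is indented with tabs while the rest of the recipe uses spaces.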
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
similarity index 73%
rename from meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
rename to meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
index 7ec12fc..3f40eb7 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_3.1.2.bb
@@ -6,13 +6,10 @@
 
 DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
 
-# July 10, 2017
-SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881"
+SRCREV = "5e2f1aafc58e60c5050f85147a14914561f28ad9"
 
-SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools"
+SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools;branch=3.X"
 
 S = "${WORKDIR}/tpm2.0-tools"
 
-PV = "2.0.0+git${SRCPV}"
-
 inherit autotools pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
deleted file mode 100644
index b673c2b..0000000
--- a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
+++ /dev/null
@@ -1,99 +0,0 @@
-SUMMARY = "Software stack for TPM2."
-DESCRIPTION = "tpm2.0-tss like woah."
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-SECTION = "tpm"
-
-DEPENDS = "autoconf-archive pkgconfig"
-
-SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38"
-
-SRC_URI = " \
-    git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \
-    file://ax_pthread.m4 \
-"
-
-inherit autotools pkgconfig systemd
-
-S = "${WORKDIR}/git"
-
-do_configure_prepend () {
-	mkdir -p ${S}/m4
-	cp ${WORKDIR}/ax_pthread.m4 ${S}/m4
-	# execute the bootstrap script
-	currentdir=$(pwd)
-	cd ${S}
-	ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap
-	cd $currentdir
-}
-
-INHERIT += "extrausers"
-EXTRA_USERS_PARAMS = "\
-	useradd -p '' tss; \
-	groupadd tss; \
-	"
-
-SYSTEMD_PACKAGES = "resourcemgr"
-SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service"
-SYSTEMD_AUTO_ENABLE_resourcemgr = "enable"
-
-do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}"
-fix_systemd_unit () {
-    sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service
-}
-
-do_install_append() {
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-        install -d ${D}${systemd_system_unitdir}
-        install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service
-    fi
-}
-
-PROVIDES = "${PACKAGES}"
-PACKAGES = " \
-    ${PN}-dbg \
-    ${PN}-doc \
-    libtss2 \
-    libtss2-dev \
-    libtss2-staticdev \
-    libtctidevice \
-    libtctidevice-dev \
-    libtctidevice-staticdev \
-    libtctisocket \
-    libtctisocket-dev \
-    libtctisocket-staticdev \
-    resourcemgr \
-"
-
-FILES_libtss2 = " \
-	${libdir}/libsapi.so.0.0.0 \
-	${libdir}/libmarshal.so.0.0.0 \
-"
-FILES_libtss2-dev = " \
-    ${includedir}/sapi \
-    ${includedir}/tcti/common.h \
-    ${libdir}/libsapi.so* \
-    ${libdir}/libmarshal.so* \
-    ${libdir}/pkgconfig/sapi.pc \
-"
-FILES_libtss2-staticdev = " \
-    ${libdir}/libsapi.a \
-    ${libdir}/libsapi.la \
-    ${libdir}/libmarshal.a \
-    ${libdir}/libmarshal.la \
-"
-FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0"
-FILES_libtctidevice-dev = " \
-    ${includedir}/tcti/tcti_device.h \
-    ${libdir}/libtcti-device.so* \
-    ${libdir}/pkgconfig/tcti-device.pc \
-"
-FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a"
-FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0"
-FILES_libtctisocket-dev = " \
-    ${includedir}/tcti/tcti_socket.h \
-    ${libdir}/libtcti-socket.so* \
-    ${libdir}/pkgconfig/tcti-socket.pc \
-"
-FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a"
-FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
new file mode 100644
index 0000000..9d1ff72
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_2.0.1.bb
@@ -0,0 +1,74 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "tpm2.0-tss like woah."
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0b1d631c4218b72f6b05cb58613606f4"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive-native libgcrypt"
+
+SRCREV = "dc31e8dca9dbc77d16e419dc514ce8c526cd3351"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss.git;branch=2.0.x"
+
+inherit autotools-brokensep pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+       ./bootstrap
+}
+
+INHERIT += "extrausers"
+EXTRA_USERS_PARAMS = "\
+	useradd -p '' tss; \
+	groupadd tss; \
+	"
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+    ${PN} \
+    ${PN}-dbg \
+    ${PN}-doc \
+    libtss2-mu \
+    libtss2-mu-dev \
+    libtss2-mu-staticdev \
+    libtss2-tcti-device \
+    libtss2-tcti-device-dev \
+    libtss2-tcti-device-staticdev \
+    libtss2-tcti-mssim \
+    libtss2-tcti-mssim-dev \
+    libtss2-tcti-mssim-staticdev \
+    libtss2 \
+    libtss2-dev \
+    libtss2-staticdev \
+"
+
+FILES_libtss2-tcti-device = "${libdir}/libtss2-tcti-device.so.*"
+FILES_libtss2-tcti-device-dev = " \
+    ${includedir}/tss2/tss2_tcti_device.h \
+    ${libdir}/pkgconfig/tss2-tcti-device.pc \
+    ${libdir}/libtss2-tcti-device.so"
+FILES_libtss2-tcti-device-staticdev = "${libdir}/libtss2-tcti-device.*a"
+
+FILES_libtss2-tcti-mssim = "${libdir}/libtss2-tcti-mssim.so.*"
+FILES_libtss2-tcti-mssim-dev = " \
+    ${includedir}/tss2/tss2_tcti_mssim.h \
+    ${libdir}/pkgconfig/tss2-tcti-mssim.pc \
+    ${libdir}/libtss2-tcti-mssim.so"
+FILES_libtss2-tcti-mssim-staticdev = "${libdir}/libtss2-tcti-mssim.*a"
+
+FILES_libtss2-mu = "${libdir}/libtss2-mu.so.*"
+FILES_libtss2-mu-dev = " \
+    ${includedir}/tss2/tss2_mu.h \
+    ${libdir}/pkgconfig/tss2-mu.pc \
+    ${libdir}/libtss2-mu.so"
+FILES_libtss2-mu-staticdev = "${libdir}/libtss2-mu.*a"
+
+FILES_libtss2 = "${libdir}/libtss2*so.*"
+FILES_libtss2-dev = " \
+    ${includedir} \
+    ${libdir}/pkgconfig \
+    ${libdir}/libtss2*so"
+FILES_libtss2-staticdev = "${libdir}/libtss*a"
+
+FILES_${PN} = "${libdir}/udev"
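Review bot: The EXTRA_USERS_PARAMS block carries "useradd -p '' tss" over from the 1.3.0 recipe, which asks for a tss account with an empty password field. INHERIT and EXTRA_USERS_PARAMS are configuration and image-level settings and do not belong in a library recipe; tpm2-abrmd already creates the account with USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss". Suggest dropping the block, or switching to the useradd class with the same system, no-shell parameters. Separately, DESCRIPTION = "tpm2.0-tss like woah." should be replaced with a real description while the recipe is being rewritten anyway.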
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
similarity index 100%
rename from meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
rename to meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator_138.bb
diff --git a/meta-security/recipes-browers/tor/tor_6.5.2.bb b/meta-security/recipes-browers/tor/tor_6.5.2.bb
deleted file mode 100644
index 1e3a812..0000000
--- a/meta-security/recipes-browers/tor/tor_6.5.2.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-SUMMARY = "Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security."
-
-HOMEPAGE = "https://www.torproject.org/"
-
-LICENSE = "GPV-v2"
-
-SRC_URI = "https://github.com/TheTorProject/gettorbrowser/archive/v6.5.2.tar.gz"
diff --git a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb b/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb
deleted file mode 100644
index a826d1d..0000000
--- a/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "The Advanced Forensic Format (AFF) is on-disk format for storing computer forensic information."
-HOMEPAGE = "http://www.afflib.org/"
-LICENSE = " BSD-4-Clause  & CPL-1.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d1b2c6d0d6908f45d143ef6380727828"
-
-DEPENDS = " zlib ncurses readline openssl libgcrypt"
-
-SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
-        http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}-1.1.diff.gz;name=dpatch \
-        file://configure_rm_ms_flags.patch \
-        "
-
-SRC_URI[orig.md5sum] = "b7ff4d2945882018eb1536cad182ad01"
-SRC_URI[orig.sha256sum] = "19cacfd558dc00e11975e820e3c4383b52aabbd5ca081d27bb7994a035d2f4ad"
-SRC_URI[dpatch.md5sum] = "171e871024545b487589e6c85290576f"
-SRC_URI[dpatch.sha256sum] = "db632e254ee51a1e4328cd4449d414eff4795053d4e36bfa8e0020fcb4085cdd"
-
-inherit autotools-brokensep pkgconfig
-
-CPPFLAGS = "-I${STAGING_INCDIR}"
-LDFLAGS = "-L${STAGING_LIBDIR}"
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[curl] = "--with-curl=${STAGING_LIBDIR}, --without-curl, curl"
-PACKAGECONFIG[expat] = "--with-expat=${STAGING_LIBDIR}, --without-expat, expat"
-PACKAGECONFIG[fuse] = "--enable-fuse=yes, --enable-fuse=no, fuse"
-PACKAGECONFIG[python] = "--enable-python=yes, --enable-python=no, python"
-
-EXTRA_OECONF += "--enable-s3=no CPPFLAGS=-I${STAGING_INCDIR} LDFLAGS=-L${STAGING_LIBDIR}"
-EXTRA_OEMAKE += "CPPFLAGS='${CPPFLAGS}' LDFLAGS='-L${STAGING_LIBDIR} -I${STAGING_INCDIR}'"
diff --git a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch b/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch
deleted file mode 100644
index ac33500..0000000
--- a/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-remove ms lib options when cross compiling
-
-Signed-Off-By: Armin Kuster <akuster808@gmail.com>
-
-Index: configure.ac
-===================================================================
---- a.orig/configure.ac
-+++ a/configure.ac
-@@ -47,7 +47,6 @@ if test x"${cross_compiling}" = "xno" ;
-   AC_MSG_NOTICE([ LDFLAGS = ${LDFLAGS} ])
- else
-   AC_MSG_NOTICE([Cross Compiling --- will not update CPPFALGS or LDFLAGS with /usr/local, /opt/local or /sw])
--  LIBS="$LIBS -lws2_32 -lgdi32"
- fi
- 
- if test -r /bin/uname.exe ; then
diff --git a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch b/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch
deleted file mode 100644
index 0881f25..0000000
--- a/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Upstream Status: pending
-
-Don't use inline with gcc 5.0
-
-fixes:
-undefined reference to `libuna_unicode_character_size_to_utf8'
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: libuna/libuna_inline.h
-===================================================================
---- a/libuna/libuna_inline.h
-+++ b/libuna/libuna_inline.h
-@@ -27,7 +27,7 @@
- #if defined( _MSC_VER )
- #define LIBUNA_INLINE _inline
- 
--#elif defined( __BORLANDC__ ) || defined( __clang__ )
-+#elif defined( __BORLANDC__ ) || defined( __clang__ ) || ( __GNUC__ > 4 )
- #define LIBUNA_INLINE /* inline */
- 
- #else
diff --git a/meta-security/recipes-forensic/libewf/libewf_20140608.bb b/meta-security/recipes-forensic/libewf/libewf_20140608.bb
deleted file mode 100644
index f7dce12..0000000
--- a/meta-security/recipes-forensic/libewf/libewf_20140608.bb
+++ /dev/null
@@ -1,24 +0,0 @@
-SUMMARY = "library with support for Expert Witness Compression Format"
-LICENSE = "LGPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=58c39b26c0549f8e1bb4122173f474cd"
-
-DEPENDS = "virtual/gettext libtool"
-
-SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/libe/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
-        file://gcc5_fix.patch \
-        "
-SRC_URI[orig.md5sum] = "fdf615f23937fad8e02b60b9e3e5fb35"
-SRC_URI[orig.sha256sum] = "d14030ce6122727935fbd676d0876808da1e112721f3cb108564a4d9bf73da71"
-
-inherit autotools-brokensep pkgconfig gettext
-
-PACKAGECONFIG ??= "zlib ssl bz2"
-PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib"
-PACKAGECONFIG[bz2] = "--with-bzip2, --without-bzip2, bzip2, bzip2"
-PACKAGECONFIG[ssl] = "--with-openssl, --without-openssl, openssl, openssl"
-PACKAGECONFIG[fuse] = "--with-libfuse, --without-libfuse, fuse"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
-
-EXTRA_OECONF += "--with-gnu-ld --disable-rpath"
-
-RDEPENDS_${PN} += " util-linux-libuuid"
diff --git a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch b/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch
deleted file mode 100644
index 03b1fb9..0000000
--- a/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Don't use host include or lib paths in *FLAGS
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: configure.ac
-===================================================================
---- a/configure.ac
-+++ b/configure.ac
-@@ -84,12 +84,6 @@ AX_PTHREAD([
-     LDFLAGS="$LDFLAGS $PTHREAD_CFLAGS"
-     CC="$PTHREAD_CC"],[])
- 
--dnl Not all compilers include /usr/local in the include and link path
--if test -d /usr/local/include; then
--    CPPFLAGS="$CPPFLAGS -I/usr/local/include"
--    LDFLAGS="$LDFLAGS -L/usr/local/lib"
--fi
--
- dnl Add enable/disable option
- AC_ARG_ENABLE([java],
-     [AS_HELP_STRING([--disable-java], [Do not build the java bindings or jar file])])
diff --git a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb b/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb
deleted file mode 100644
index ba335f3..0000000
--- a/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb
+++ /dev/null
@@ -1,31 +0,0 @@
-SUMMARY = "The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate disk images."
-HOMEPAGE = "http://www.sleuthkit.org/sleuthkit/"
-LICENSE = "IPL-1.0 & GPLv2 & CPL-1.0"
-LIC_FILES_CHKSUM = "file://licenses/GNU-COPYING;startline=4;endline=5;md5=475b4784903850b579dc6e6310bd5f08\
-    file://licenses/IBM-LICENSE;startline=1;endline=2;md5=1fc3300388b0d6e6216825dd89c2e3a2\
-    file://licenses/cpl1.0.txt;startline=1;endline=2;md5=9e58c878202c73a4e3ed4be72598fb92"
-
-DEPENDS = "libtool"
-
-SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/s/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
-            file://fix_host_poison.patch \
-        "
-SRC_URI[orig.md5sum] = "139a12f06952d8a40bbe07884994cf5d"
-SRC_URI[orig.sha256sum] = "67f9d2a31a8884d58698d6122fc1a1bfa9bf238582bde2b49228ec9b899f0327"
-
-inherit autotools-brokensep pkgconfig gettext
-
-PACKAGECONFIG ??= "aff zlib ewf"
-PACKAGECONFIG[aff] = "--with-afflib=${STAGING_DIR_HOST}/usr, --without-afflib, afflib"
-PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr, --without-zlib, zlib"
-PACKAGECONFIG[ewf] = "--with-libewf=${STAGING_DIR_HOST}/usr, --without-libewf, libewf"
-
-#--with-gnu-ld
-EXTRA_OECONF += "--enable-static=no --disable-java LIBS='-L${STAGING_LIBDIR}' LDFLAGS='-L${STAGING_LIBDIR}' CPPFLAGS='-I${STAGING_INCDIR}'"
-
-# Avoid QA Issue: No GNU_HASH in the elf binary
-INSANE_SKIP_${PN} = "ldflags" 
-
-FILES_${PN} += " ${datadir}/tsk"
-
-RDEPENDS_${PN} += " perl"
diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
similarity index 95%
rename from meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb
rename to meta-security/recipes-security/AppArmor/apparmor_2.12.bb
index fc9b614..e3f8dc9 100644
--- a/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb
+++ b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
@@ -21,11 +21,11 @@
 	file://functions \
 	file://apparmor \
 	file://apparmor.service \
-        file://run-ptest \
+	file://run-ptest \
 	"
 
-SRC_URI[md5sum] = "899fd834dc5c8ebf2d52b97e4a174af7"
-SRC_URI[sha256sum] = "b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a"
+SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
+SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
 
 PARALLEL_MAKE = ""
 
@@ -46,7 +46,7 @@
 
 python() {
     if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
-	'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+            'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
         raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
 }
 
diff --git a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
similarity index 77%
rename from meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb
rename to meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
index 4df072e..d739227 100644
--- a/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb
+++ b/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
@@ -6,17 +6,14 @@
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8"
 
 DEPENDS = "libnl openssl sqlite3 libpcre libpcap"
-RC = "rc2"
-SRC_URI = "http://download.aircrack-ng.org/${BP}-${RC}.tar.gz \
-            file://fixup_cflags.patch"
 
-SRC_URI[md5sum] = "ebe9d537f06f4d6956213af09c4476da"
-SRC_URI[sha256sum] = "ba5b3eda44254efc5b7c9f776eb756f7cc323ad5d0813c101e92edb483d157e9"
+SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz"
+
+SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623"
+SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca"
 
 inherit autotools-brokensep pkgconfig
 
-S = "${WORKDIR}/${BP}-rc2"
-
 PACKAGECONFIG ?= ""
 CFLAGS += " -I${S}/src/include"
 
diff --git a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch b/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch
deleted file mode 100644
index e13dd24..0000000
--- a/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Upstream Status: Iinappropriate
-
-Issues do to build env.
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: aircrack-ng-1.2-rc2/src/Makefile
-===================================================================
---- aircrack-ng-1.2-rc2.orig/src/Makefile
-+++ aircrack-ng-1.2-rc2/src/Makefile
-@@ -3,8 +3,6 @@ include $(AC_ROOT)/common.mak
- 
- TEST_DIR	= $(AC_ROOT)/test
- 
--CFLAGS		+= -Iinclude
--
- iCC             = $(shell find /opt/intel/cc/*/bin/icc)
- iCFLAGS         = -w -mcpu=pentiumpro -march=pentiumpro $(COMMON_CFLAGS)
- iOPTFLAGS       = -O3 -ip -ipo -D_FILE_OFFSET_BITS=64
-@@ -102,7 +100,7 @@ endif
- 
- 
- ifeq ($(subst TRUE,true,$(filter TRUE true,$(sqlite) $(SQLITE))),true)
--	LIBSQL		= -L/usr/local/lib -lsqlite3
-+	LIBSQL		= -lsqlite3
- else
- 	LIBSQL		=
- endif
diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index eee1a38..152c03a 100644
--- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -9,7 +9,7 @@
 RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
 FILES_${PN} += "/run/lock/subsys/bastille"
 
-inherit allarch module-base
+inherit module-base
 
 SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
            file://AccountPermission.pm \
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.3.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
similarity index 98%
rename from meta-security/recipes-security/clamav/clamav_0.99.3.bb
rename to meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 688250d..8c2c2fa 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.3.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -8,7 +8,7 @@
 
 LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
 
-SRCREV = "224f73461a44e278e9fa50ba59f51ee5e64373e0"
+SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047"
 
 SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \
     file://clamd.conf \
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index f55b0c3..1f780f9 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -29,6 +29,7 @@
     --libdir=${base_libdir} \
     --disable-pywrap \
     --disable-nls \
+    --with-pamdir=${base_libdir}/security \
     "
 
 PACKAGECONFIG ??= "nss \
@@ -43,12 +44,16 @@
     export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
     export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
     export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
+    sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac
 }
 
 do_install_append() {
     chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
-    mkdir -p ${D}/${libdir}
-    mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
+    # ${base_libdir} is identical to ${libdir} when usrmerge enabled
+    if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
+        mkdir -p ${D}/${libdir}
+        mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}
+    fi
     sed -i -e 's:-I${STAGING_INCDIR}::' \
            -e 's:-L${STAGING_LIBDIR}::' ${D}/${libdir}/pkgconfig/libecryptfs.pc
     sed -i -e "s: ${base_sbindir}/cryptsetup: ${sbindir}/cryptsetup:" ${D}${bindir}/ecryptfs-setup-swap
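Review bot: The guard around the mkdir/mv keys on the usrmerge distro feature, but the comment says the real condition is that ${base_libdir} and ${libdir} are the same path. Comparing the two paths directly, e.g. if [ "${base_libdir}" != "${libdir}" ]; then, covers every configuration where they coincide and keeps the code in line with its comment. The sed added earlier in this hunk rewrites ${S}/configure.ac in place; a one-line comment on why rootsbindir has to be patched there would help the next reader.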
diff --git a/meta-security/recipes-security/fail2ban/files/run-ptest b/meta-security/recipes-security/fail2ban/files/run-ptest
new file mode 100644
index 0000000..9f6aebe
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+##PYTHON## fail2ban-testcases
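Review bot: The script calls fail2ban-testcases by a relative name and prints no PASS:/FAIL: line of its own, so it only works when started from the ptest directory and the reported result depends on whatever the test program happens to print. The keynote run-ptest removed elsewhere in this patch did "cd @PTEST_PATH@" and echoed "PASS: keynote-ptest" or "FAIL: keynote-ptest" based on the exit status; the same pattern here would make the result independent of the caller's working directory.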
diff --git a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
similarity index 68%
rename from meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb
rename to meta-security/recipes-security/fail2ban/python-fail2ban.inc
index 7e2deba..9245f17 100644
--- a/meta-security/recipes-security/fail2ban/fail2ban_0.10.2.bb
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc
@@ -9,14 +9,15 @@
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
 
-SRCREV ="a45488465e0dd547eb8479c0fa9fd577c1837213"
+SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
 SRC_URI = " \
-	git://github.com/fail2ban/fail2ban.git;branch=0.10 \
+	git://github.com/fail2ban/fail2ban.git;branch=0.11 \
 	file://initd \
-	file://fail2ban_setup.py \
+        file://fail2ban_setup.py \
+        file://run-ptest \
 "
 
-inherit update-rc.d setuptools
+inherit update-rc.d ptest
 
 S = "${WORKDIR}/git"
 
@@ -32,10 +33,17 @@
 	install -d ${D}/${sysconfdir}/fail2ban
 	install -d ${D}/${sysconfdir}/init.d
     	install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+	chown -R root:root ${D}/${bindir}
+}
+
+do_install_ptest_append () {
+        install -d ${D}${PTEST_PATH}
+        sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+        install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
 }
 
 FILES_${PN} += "/run"
 
 INSANE_SKIP_${PN}_append = "already-stripped"
 
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 python python-pyinotify"
+RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
new file mode 100644
index 0000000..17a7dd8
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
@@ -0,0 +1,4 @@
+inherit setuptools
+require python-fail2ban.inc
+
+RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban"
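Review bot: This recipe is versioned 0.10.3.1 by its file name, but the python-fail2ban.inc it requires now fetches branch=0.11 with a new SRCREV. Either the branch parameter or the recipe version is wrong; please make them agree so the reported version matches the code that is built. The same applies to python3-fail2ban_0.10.3.1.bb.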
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
new file mode 100644
index 0000000..5c887e8
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
@@ -0,0 +1,4 @@
+inherit setuptools3
+require python-fail2ban.inc
+
+RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb
index 4f0b12c..8847a0f 100644
--- a/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb
+++ b/meta-security/recipes-security/fscryptctl/fscryptctl_0.1.0.bb
@@ -9,7 +9,7 @@
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-SRCREV = "e4c4d0984dee2531897e13c32a18d5e54a2a4aa6"
+SRCREV = "142326810eb19d6794793db6d24d0775a15aa8e5"
 SRC_URI = "git://github.com/google/fscryptctl.git"
 
 S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/images/security-build-image.bb b/meta-security/recipes-security/images/security-build-image.bb
index 1a7af86..a8757f9 100644
--- a/meta-security/recipes-security/images/security-build-image.bb
+++ b/meta-security/recipes-security/images/security-build-image.bb
@@ -6,9 +6,7 @@
     packagegroup-base \
     packagegroup-core-boot \
     packagegroup-core-security \
-    os-release \
-    ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
-    ${CORE_IMAGE_EXTRA_INSTALL}"
+    os-release" 
 
 IMAGE_LINGUAS ?= " "
 
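Review bot: Removing ${CORE_IMAGE_EXTRA_INSTALL} from the install list means packages a user adds through that variable no longer reach this image; dropping the xfce packagegroup does not require that. Suggest keeping ${CORE_IMAGE_EXTRA_INSTALL} as the last entry. The new os-release line also ends with a trailing space after the closing quote.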
diff --git a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch b/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch
deleted file mode 100644
index af3ef42..0000000
--- a/meta-security/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Remove the hardcoded lib and include dirs
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-written by: Amy Fong <amy.fong@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
---- keynote-2.3/configure.in.orig	2010-05-24 04:44:16.000000000 -0700
-+++ keynote-2.3/configure.in	2010-05-24 04:44:55.000000000 -0700
-@@ -21,27 +21,16 @@
- AC_PATH_PROG(ECHO, echo, /bin/echo)
- AC_PATH_PROG(SED, sed, /usr/bin/sed)
- 
--dnl Checks for libraries.
--LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\
-- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib"
--
- AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm")
- AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref")
- AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto")
- AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue")
- 
--dnl Checks for header files.
--CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\
-- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\
-- -I/usr/local/openssl/include -I/pkg/include"
--
- AC_HEADER_STDC
- AC_HEADER_TIME
- AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h)
- AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h crypto.h memory.h)
- 
--dnl Checks for other files
--
- dnl Checks for typedefs, structures, and compiler characteristics.
- AC_C_CONST
- AC_CHECK_TYPE(u_int, unsigned int)
diff --git a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch b/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch
deleted file mode 100644
index 80d87cf..0000000
--- a/meta-security/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable.
-
-Upstream-Status: Pending
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
-
-diff --git a/Makefile.in b/Makefile.in
-index b216648..42b4827 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -35,6 +35,7 @@ MKDIR = @MKDIR@
- SED = @SED@
- ECHO = @ECHO@
- TR = @TR@
-+LDFLAGS = @LDFLAGS@
- 
- TARFLAGS = -cvzf ${DISTFILE}
- YACCFLAGS2 = -d -p kv -b z
-@@ -83,7 +84,7 @@ $(TARGET): $(OBJS)
- 	$(RANLIB) $(TARGET)
- 
- $(TARGET2): $(TARGET) $(OBJS2)
--	$(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
-+	$(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
- 
- k.tab.c: keynote.y header.h keynote.h assertion.h config.h
- 	$(YACC) $(YACCFLAGS) keynote.y
-@@ -131,7 +132,7 @@ $(SSLCERT) $(SSLKEY):
- 	-keyout $(SSLKEY)
- 
- test-sample: all $(OBJS3)
--	$(CC) $(CFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS)
-+	$(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS)
- 
- test-sig: all $(SSLCERT) $(SSLKEY)
- 	$(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1
diff --git a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest b/meta-security/recipes-security/keynote/keynote-2.3/run-ptest
deleted file mode 100644
index 4dc35c9..0000000
--- a/meta-security/recipes-security/keynote/keynote-2.3/run-ptest
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-cd @PTEST_PATH@
-keynote verify -e testsuite/test-env \
-               -r false,maybe,probably,true \
-               -k testsuite/auth1 -k testsuite/auth2 \
-               -k testsuite/auth3 -k testsuite/auth4 \
-               -l testsuite/test-assertion1 \
-               -l testsuite/test-assertion2 \
-               -l testsuite/test-assertion3 \
-               -l testsuite/test-assertion4 \
-               -l testsuite/test-assertion5 \
-               -l testsuite/test-assertion6 \
-               -l testsuite/test-assertion7 \
-               && echo "PASS: keynote-ptest" \
-               || echo "FAIL: keynote-ptest"
diff --git a/meta-security/recipes-security/keynote/keynote_2.3.bb b/meta-security/recipes-security/keynote/keynote_2.3.bb
deleted file mode 100644
index e692485..0000000
--- a/meta-security/recipes-security/keynote/keynote_2.3.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-SUMMARY = "Keynote tool and library"
-DESCRIPTION = "KeyNote is a simple and flexible trust-management \
-  system designed to work well for a variety of large- and small- \
-  scale Internet-based applications. \
-"
-HOMEPAGE = "http://www.cs.columbia.edu/~angelos/keynote.html"
-SECTION = "security"
-
-LICENSE = "ISC"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=3a265095c549c1808686a676f2699c98"
-
-MAIN_ID = "${@d.getVar('PV').split('.')[0]}"
-MINOR_ID = "${@d.getVar('PV').split('.')[1]}"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}-${MAIN_ID}-${MINOR_ID}/${BPN}_${PV}.tar.gz \
-       file://configure-remove-hardcode-path.patch \
-       file://makefile-add-ldflags.patch \
-       file://run-ptest \
-"
-S = "${WORKDIR}/${BPN}-${PV}+dfsg.orig"
-
-inherit autotools-brokensep ptest
-
-SRC_URI[md5sum] = "a14553e6ad921b5c85026ce5bec3afe7"
-SRC_URI[sha256sum] = "38d2acfa1c3630a07adcb5c8fe92d2aef7f0e6d242b8998b2bbb1c6e4c408d46"
-
-DEPENDS = "flex openssl"
-
-EXTRA_OEMAKE += "test-sample -j1"
-
-do_install() {
-    install -D -m 0755 ${S}/keynote ${D}${bindir}/keynote
-    install -D -m 0644 ${S}/libkeynote.a ${D}${libdir}/libkeynote.a
-    install -D -m 0644 ${S}/keynote.h ${D}${includedir}/keynote.h
-}
-
-do_install_ptest() {
-    install -D -m 0755 ${S}/sample-app ${D}${PTEST_PATH}
-    cp -r ${S}/testsuite ${D}${PTEST_PATH}
-    sed -i 's|@PTEST_PATH@|${PTEST_PATH}|' ${D}${PTEST_PATH}/run-ptest
-}
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
index 2ead8fa..a4222b9 100644
--- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
+++ b/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
@@ -27,6 +27,8 @@
 
 EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
     NO_ARLIB=1 \
+    BINDIR=${base_bindir} \
+    SBINDIR=${base_sbindir} \
     LIBDIR=${base_libdir} \
     USRLIBDIR=${base_libdir} \
     BUILDFOR=${SITEINFO_BITS}-bit \
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
index 8d58163..9c66db6 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
@@ -35,8 +35,7 @@
     done
 }
 
-FILES_${PN} = "${bindir} ${libdir}/${PN}.so*"
+FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
 FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
 
-RDEPENDS_${PN} = "bash"
 RDEPENDS_${PN}-ptest = "bash"
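Review bot: the ${PN} to ${BPN} correction is applied to FILES_${PN} only; the FILES_${PN}-dbg line right below still builds its paths from ${libdir}/${PN}/tests and ${libdir}/${PN}/tools, which will not match under a multilib prefix for the same reason. Suggest switching those to ${BPN} as well. Dropping RDEPENDS_${PN} = "bash" is correct only if nothing installed into ${bindir} is a bash script, since ${bindir} still ships in the main package.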
diff --git a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch b/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch
deleted file mode 100644
index 356b507..0000000
--- a/meta-security/recipes-security/nmap/files/nmap-redefine-the-python-library-dir.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-[PATCH] redefine the python library install dir
-
-Upstream-Status: Pending
-
-If install-lib is not defined, it is always /usr/lib/, but it
-maybe /usr/lib64 for multilib
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- Makefile.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 1bb062c..cced2fb 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -311,7 +311,7 @@ build-zenmap: $(ZENMAPDIR)/setup.py $(ZENMAPDIR)/zenmapCore/Version.py
- 
- install-zenmap: $(ZENMAPDIR)/setup.py
- 	$(INSTALL) -d $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
--	cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --force $(if $(DESTDIR),--root "$(DESTDIR)")
-+	cd $(ZENMAPDIR) && $(PYTHON) setup.py --quiet install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --force $(if $(DESTDIR),--root "$(DESTDIR)")
- 	$(INSTALL) -c -m 644 docs/zenmap.1 $(DESTDIR)$(mandir)/man1/
- # Create a symlink from nmapfe to zenmap if nmapfe doesn't exist or is
- # already a link.
-@@ -328,7 +328,7 @@ build-nping: $(NPINGDIR)/Makefile nbase_build nsock_build netutil_build $(NPINGD
- 	@cd $(NPINGDIR) && $(MAKE)
- 
- install-ndiff:
--	cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" $(if $(DESTDIR),--root "$(DESTDIR)")
-+	cd $(NDIFFDIR) && $(PYTHON) setup.py install --prefix "$(prefix)" --install-lib="${PYTHON_SITEPACKAGES_DIR}" $(if $(DESTDIR),--root "$(DESTDIR)")
- 
- NSE_FILES = scripts/script.db scripts/*.nse
- NSE_LIB_LUA_FILES = nselib/*.lua nselib/*.luadoc
--- 
-1.9.1
-
diff --git a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch b/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch
deleted file mode 100644
index cfe043a..0000000
--- a/meta-security/recipes-security/nmap/files/nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-[PATCH] replace "./shtool mkdir" with coreutils mkdir command
-
-Upstream-Status: Pending
-
-"./shtool mkdir" is used when mkdir has not -p parameter, but mkdir in today
-most release has supportted the -p parameter, not need to use shtool, and it
-can not fix the race if two process are running mkdir to create same dir
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- ncat/Makefile.in        | 4 ++--
- nmap-update/Makefile.in | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ncat/Makefile.in b/ncat/Makefile.in
-index cfd306d..2166e08 100644
---- a/ncat/Makefile.in
-+++ b/ncat/Makefile.in
-@@ -163,11 +163,11 @@ $(NSOCKDIR)/libnsock.a: $(NSOCKDIR)/Makefile
- 
- install: $(TARGET)
- 	@echo Installing Ncat;
--	$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
-+	mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
- 	$(INSTALL) -c -m 755 ncat $(DESTDIR)$(bindir)/ncat
- 	$(STRIP) -x $(DESTDIR)$(bindir)/ncat
- 	if [ -n "$(DATAFILES)" ]; then \
--		$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(pkgdatadir); \
-+		mkdir -p -m 755 $(DESTDIR)$(pkgdatadir); \
- 		$(INSTALL) -c -m 644 $(DATAFILES) $(DESTDIR)$(pkgdatadir)/; \
- 	fi
- 	$(INSTALL) -c -m 644 docs/$(TARGET).1 $(DESTDIR)$(mandir)/man1/$(TARGET).1
-diff --git a/nmap-update/Makefile.in b/nmap-update/Makefile.in
-index 89ff928..93f48d8 100644
---- a/nmap-update/Makefile.in
-+++ b/nmap-update/Makefile.in
-@@ -37,7 +37,7 @@ $(NBASELIB):
- 	cd $(NBASEDIR) && $(MAKE)
- 
- install: nmap-update
--	$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
-+	mkdir -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
- 	$(INSTALL) -c -m 755 nmap-update $(DESTDIR)$(bindir)
- 	$(STRIP) -x $(DESTDIR)$(bindir)/nmap-update
- 	$(INSTALL) -c -m 644 ../docs/nmap-update.1 $(DESTDIR)$(mandir)/man1/
--- 
-1.9.1
-
diff --git a/meta-security/recipes-security/nmap/nmap_7.60.bb b/meta-security/recipes-security/nmap/nmap_7.60.bb
deleted file mode 100644
index a6616eb..0000000
--- a/meta-security/recipes-security/nmap/nmap_7.60.bb
+++ /dev/null
@@ -1,54 +0,0 @@
-SUMMARY = "network auditing tool"
-DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.\nGui support via appending to IMAGE_FEATURES x11-base in local.conf"
-SECTION = "security"
-LICENSE = "GPL-2.0"
-
-LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=700c690f4ca6b1754f3f1db8645e42d9"
-
-SRC_URI = "http://nmap.org/dist/${BP}.tar.bz2 \
-           file://nmap-redefine-the-python-library-dir.patch \
-           file://nmap-replace-shtool-mkdir-with-coreutils-mkdir-command.patch \
-"
-
-SRC_URI[md5sum] = "4e454266559ddf2c4e2109866c62560c"
-SRC_URI[sha256sum] = "a8796ecc4fa6c38aad6139d9515dc8113023a82e9d787e5a5fb5fa1b05516f21"
-
-inherit autotools-brokensep pkgconfig pythonnative distro_features_check
-
-PACKAGECONFIG ?= "ncat nping ndiff pcap"
-PACKAGECONFIG += " ${@bb.utils.contains('IMAGE_FEATURES', 'x11-base', 'zenmap', '', d)}"
-
-PACKAGECONFIG[pcap] = "--with-pcap=linux, --without-pcap, libpcap, libpcap"
-PACKAGECONFIG[pcre] = "--with-libpcre=${STAGING_LIBDIR}/.., --with-libpcre=included, libpre"
-PACKAGECONFIG[ssl] = "--with-openssl=${STAGING_LIBDIR}/.., --without-openssl, openssl, openssl"
-PACKAGECONFIG[ssh2] = "--with-openssh2=${STAGING_LIBDIR}/.., --without-openssh2, libssh2, libssh2"
-PACKAGECONFIG[libz] = "--with-libz=${STAGING_LIBDIR}/.., --without-libz, zlib, zlib"
-
-#disable/enable packages
-PACKAGECONFIG[nping] = ",--without-nping,"
-PACKAGECONFIG[ncat] = ",--without-ncat,"
-PACKAGECONFIG[ndiff] = ",--without-ndiff,python"
-PACKAGECONFIG[update] = ",--without-nmap-update,"
-
-#Add gui
-PACKAGECONFIG[zenmap] = "--with-zenmap, --without-zenmap, gtk+ python-core python-codecs python-io python-logging python-unittest python-xml python-netclient python-doctest python-subprocess python-pygtk, python-core python-codecs python-io python-logging python-netclient python-xml python-unittest python-doctest python-subprocess  python-pygtk gtk+"
-
-EXTRA_OECONF = "--with-libdnet=included --with-liblinear=included --without-subversion --with-liblua=included"
-
-export PYTHON_SITEPACKAGES_DIR
-
-do_configure() {
-    # strip hard coded python2#
-    sed -i -e 's=python2\.*=python=g'  ${S}/configure.ac
-    sed -i -e 's=python2\.*=python=g'  ${S}/configure
-    autoconf
-    oe_runconf
-}
-
-PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'zenmap', '${PN}-zenmap', '', d)}"
-
-FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
-FILES_${PN}-zenmap = "${@bb.utils.contains("PACKAGECONFIG", "zenmap", "${bindir}/*zenmap ${bindir}/xnmap ${datadir}/applications/*  ${bindir}/nmapfe ${datadir}/zenmap/* ${PYTHON_SITEPACKAGES_DIR}/radialnet/* ${PYTHON_SITEPACKAGES_DIR}/zenmap*", "", d)}"
-
-RDEPENDS_${PN} = "python"
-RDEPENDS_${PN}-zenmap = "nmap"
diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index 6682d29..e847847 100644
--- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -12,6 +12,7 @@
     packagegroup-security-ids  \
     packagegroup-security-mac  \
     ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
     "
 
 RDEPENDS_packagegroup-core-security = "\
@@ -20,6 +21,7 @@
     packagegroup-security-ids  \
     packagegroup-security-mac  \
     ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
     "
 
 SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -27,7 +29,11 @@
     checksec \
     nmap \
     pinentry \
-    scapy \
+    python-scapy \
+    ding-libs \
+    xmlsec1 \
+    keyutils \
+    libseccomp \
     ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
     "
 
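Review bot: nmap stays in RDEPENDS_packagegroup-security-utils while this same change deletes nmap_7.60.bb and both of its patches from the layer. Unless another layer in BBLAYERS provides nmap, the packagegroup becomes unbuildable; either name the providing layer in the commit message and README dependencies or drop the entry. The scapy to python-scapy rename is consistent with the new recipe name.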
@@ -52,13 +58,28 @@
 SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS_packagegroup-security-ids = " \
     tripwire \
-    samhain-client \
+    samhain-standalone \
     suricata \
     "
 
 SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
 RDEPENDS_packagegroup-security-mac = " \
     ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
     "
+
+SUMMARY_packagegroup-security-ptest = "Security packages with ptests"
+RDEPENDS_packagegroup-security-ptest = " \
+    samhain-standalone-ptest \
+    xmlsec1-ptest \
+    keyutils-ptest \
+    libseccomp-ptest \
+    python-scapy-ptest \
+    suricata-ptest \
+    tripwire-ptest \
+    python3-fail2ban-ptest \
+    ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+    ptest-runner \
+    "
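Review bot: packagegroup-security-ptest hard-depends on -ptest packages whose recipes are not all touched by this change (samhain-standalone-ptest, xmlsec1-ptest, keyutils-ptest, libseccomp-ptest, python3-fail2ban-ptest); each of those recipes must inherit ptest or any image with ptest in DISTRO_FEATURES will fail to resolve dependencies. The apparmor line fix (empty string replaced by "apparmor") and the samhain-client to samhain-standalone swap change what lands on the image and deserve a line each in the commit message.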
diff --git a/meta-security/recipes-security/samhain/samhain-client_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-client_4.2.2.bb
rename to meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
diff --git a/meta-security/recipes-security/samhain/samhain-server_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-server_4.2.2.bb
rename to meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
similarity index 100%
rename from meta-security/recipes-security/samhain/samhain-standalone_4.2.2.bb
rename to meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-security/samhain/samhain.inc
index db96264..944bf0d 100644
--- a/meta-security/recipes-security/samhain/samhain.inc
+++ b/meta-security/recipes-security/samhain/samhain.inc
@@ -19,8 +19,11 @@
            file://samhain.service \
            "
 
-SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f"
-SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7"
+SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e"
+SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d"
+
+UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
+UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
 
 S = "${WORKDIR}/samhain-${PV}"
 
diff --git a/meta-security/recipes-security/scapy/scapy/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/scapy/scapy/run-ptest
rename to meta-security/recipes-security/scapy/files/run-ptest
diff --git a/meta-security/recipes-security/scapy/scapy_2.3.3.bb b/meta-security/recipes-security/scapy/python-scapy.inc
similarity index 66%
rename from meta-security/recipes-security/scapy/scapy_2.3.3.bb
rename to meta-security/recipes-security/scapy/python-scapy.inc
index 1c8685b..5abe7db 100644
--- a/meta-security/recipes-security/scapy/scapy_2.3.3.bb
+++ b/meta-security/recipes-security/scapy/python-scapy.inc
@@ -5,20 +5,16 @@
 
 LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
 
-SRC_URI = "https://github.com/secdev/${BPN}/archive/v${PV}.tar.gz;downloadfilename=${BP}.tar.gz \
-           file://run-ptest \
-"
+SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec"
+SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73"
 
-SRC_URI[md5sum] = "336d6832110efcf79ad30c9856ef5842"
-SRC_URI[sha256sum] = "67642cf7b806e02daeddd588577588caebddc3426db7904e7999a0b0334a63b5"
-
-inherit setuptools ptest
+inherit pypi ptest
 
 do_install_ptest() {
     install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
     sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
 }
 
-RDEPENDS_${PN} = "tcpdump python-subprocess python-compression python-netclient  \
-                  python-netserver python-pydoc python-pkgutil python-shell \
-                  python-threading python-numbers python-pycrypto"
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient  \
+                  ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
+                  ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
new file mode 100644
index 0000000..98db1fd
--- /dev/null
+++ b/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
@@ -0,0 +1,6 @@
+inherit setuptools
+require python-scapy.inc
+
+SRC_URI += "file://run-ptest"
+
+RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
new file mode 100644
index 0000000..93ca7be
--- /dev/null
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
@@ -0,0 +1,4 @@
+inherit setuptools3
+require python-scapy.inc
+
+SRC_URI += "file://run-ptest"
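Review bot: python3-scapy reuses the run-ptest that was moved unchanged (similarity 100%) from the Python 2 recipe, so confirm the script does not call an interpreter name that a python3-only image lacks. The shared RDEPENDS in python-scapy.inc expand to python3-pycrypto and friends here, so those python3 packages must exist, and python3-scapy-ptest is not listed in packagegroup-security-ptest, so this ptest will not be pulled in by the packagegroup.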
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.0.bb b/meta-security/recipes-security/sssd/sssd_1.16.3.bb
similarity index 93%
rename from meta-security/recipes-security/sssd/sssd_1.16.0.bb
rename to meta-security/recipes-security/sssd/sssd_1.16.3.bb
index ff5b618..8f7f805 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.0.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.3.bb
@@ -1,6 +1,6 @@
 SUMMARY = "system security services daemon"
 DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://fedorahosted.org/sssd/"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
 SECTION = "base"
 LICENSE = "GPLv3+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -11,8 +11,8 @@
 SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
             file://sssd.conf "
 
-SRC_URI[md5sum] = "f721ace2ebfa6744cfea55e3ecd2d82f"
-SRC_URI[sha256sum] = "c581a6e5365cef87fca419c0c9563cf15eadbb682863d648d85ffcded7a3940f"
+SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
+SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
 
 inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
 
diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
new file mode 100644
index 0000000..aed3754
--- /dev/null
+++ b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
Binary files differ
diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-security/suricata/files/run-ptest
new file mode 100644
index 0000000..666ba9c
--- /dev/null
+++ b/meta-security/recipes-security/suricata/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+suricata -u
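Review bot: run-ptest calls suricata -u and emits no result line, so the ptest log carries no PASS:/FAIL: entry for this package. Suggest following the pattern the removed keynote run-ptest used, for example suricata -u && echo "PASS: suricata-ptest" || echo "FAIL: suricata-ptest". The -u switch only works when the binary is built with --enable-unittests, which the recipe ties to ptest in DISTRO_FEATURES, so that gating should be mentioned in a comment here.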
diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-security/suricata/files/suricata.service
new file mode 100644
index 0000000..a99a76e
--- /dev/null
+++ b/meta-security/recipes-security/suricata/files/suricata.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=simple
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+RestrictAddressFamilies=
+ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
+ExecReload=/bin/kill -HUP $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=yes
+
+[Install]
+WantedBy=multi-user.target
+
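Review bot: ExecStart passes eth0 as a bare trailing argument, whereas the removed 4.0.0 postinst used -i eth0; as written the capture interface is likely not selected, and the name is hard-coded for every machine. Suggest -i with an interface that can be overridden per target. RestrictAddressFamilies= with an empty value resets the list and restricts nothing, so either drop the line or list the families the daemon needs. With no User= set, the service still runs as root inside the CAP_NET_ADMIN CAP_NET_RAW bounding set, and ProtectSystem=yes leaves /etc writable; ProtectSystem=full would be a tighter default if the daemon does not write there.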
diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-security/suricata/files/suricata.yaml
index 90417b0..8d06a27 100644
--- a/meta-security/recipes-security/suricata/files/suricata.yaml
+++ b/meta-security/recipes-security/suricata/files/suricata.yaml
@@ -787,7 +787,7 @@
       enabled: no
       filename: /var/log/suricata.log
   - syslog:
-      enabled: no
+      enabled: yes
       facility: local5
       format: "[%i] <%d> -- "
 
diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.25.bb b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb
similarity index 100%
rename from meta-security/recipes-security/suricata/libhtp_0.5.25.bb
rename to meta-security/recipes-security/suricata/libhtp_0.5.27.bb
diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-security/suricata/suricata.inc
index a2d36eb..1f42121 100644
--- a/meta-security/recipes-security/suricata/suricata.inc
+++ b/meta-security/recipes-security/suricata/suricata.inc
@@ -2,8 +2,8 @@
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
 
-VER = "4.0.0"
+VER = "4.0.5"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
 
-SRC_URI[md5sum] = "41fb91b4cbc6705b353e4bdd02c3df4b"
-SRC_URI[sha256sum] = "6b8b183a8409829ca92c71854cc1abed45f04ccfb7f14c08211f4edf571fa577"
+SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f"
+SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2"
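Review bot: SRC_URI in the unchanged line above still fetches the tarball over plain http, so the only integrity control on the download is the sha256sum updated here. Suggest moving the URL to https in the same change, and dropping reliance on the md5sum entry, which adds nothing over sha256.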
diff --git a/meta-security/recipes-security/suricata/suricata_4.0.0.bb b/meta-security/recipes-security/suricata/suricata_4.0.0.bb
deleted file mode 100644
index e163486..0000000
--- a/meta-security/recipes-security/suricata/suricata_4.0.0.bb
+++ /dev/null
@@ -1,60 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
-           file://volatiles.03_suricata \
-           file://suricata.yaml \
-           "
-
-inherit autotools-brokensep pkgconfig python-dir 
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes "
-
-EXTRA_OECONF += " --disable-debug \
-    --enable-non-bundled-htp \
-    --disable-gccmarch-native \
-    "
-
-PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
-PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," 
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," 
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," 
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," 
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," 
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" 
-
-export logdir = "${localstatedir}/log"
-
-do_install_append () {
-    install -d ${D}${sysconfdir}/suricata
-    install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
-    install -m 644 classification.config ${D}${sysconfdir}/suricata
-    install -m 644 reference.config ${D}${sysconfdir}/suricata
-    install -m 644 ${WORKDIR}/suricata.yaml ${D}${sysconfdir}/suricata
-    install -m 0644 ${WORKDIR}/volatiles.03_suricata  ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
-    ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-    ${bindir}/suricata -c ${sysconfdir}/suricata.yaml -i eth0 
-}
-
-PACKAGES += "${PN}-python"
-FILES_${PN} = "${bindir}/suricata ${sysconfdir}/default ${sysconfdir}/suricata ${logdir}/suricata"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN}-python = "python"
diff --git a/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/meta-security/recipes-security/suricata/suricata_4.0.5.bb
new file mode 100644
index 0000000..6c0a109
--- /dev/null
+++ b/meta-security/recipes-security/suricata/suricata_4.0.5.bb
@@ -0,0 +1,96 @@
+SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
+
+require suricata.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRC_URI += "file://emerging.rules.tar.gz;name=rules"
+
+SRC_URI += " \
+           file://volatiles.03_suricata \
+           file://suricata.yaml \
+           file://suricata.service \
+           file://run-ptest \
+           "
+
+SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
+SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
+
+inherit autotools-brokensep pkgconfig python-dir systemd ptest
+
+CFLAGS += "-D_DEFAULT_SOURCE"
+
+CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
+                        ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
+
+EXTRA_OECONF += " --disable-debug \
+    --enable-non-bundled-htp \
+    --disable-gccmarch-native \
+    "
+
+PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
+
+PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
+PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," 
+PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
+PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," 
+PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
+PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," 
+PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
+PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
+
+PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
+PACKAGECONFIG[file] = ",,file, file"
+PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," 
+PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," 
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" 
+PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," 
+
+export logdir = "${localstatedir}/log"
+
+do_install_append () {
+
+    install -d ${D}${sysconfdir}/suricata
+
+    oe_runmake install-conf DESTDIR=${D}
+
+    # mimic move of downloaded rules to e_sysconfrulesdir
+    cp -rf  ${WORKDIR}/rules ${D}${sysconfdir}/suricata
+
+    oe_runmake install-rules DESTDIR=${D}
+
+    install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
+    install -m 0644 ${WORKDIR}/volatiles.03_suricata  ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
+
+    install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
+
+    install -d ${D}${systemd_unitdir}/system
+    sed  -e s:/etc:${sysconfdir}:g \
+         -e s:/var/run:/run:g \
+         -e s:/var:${localstatedir}:g \
+         -e s:/usr/bin:${bindir}:g \
+         -e s:/bin/kill:${base_bindir}/kill:g \
+         -e s:/usr/lib:${libdir}:g \
+         ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+
+    # Remove /var/run as it is created on startup
+    rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+    ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+}
+
+SYSTEMD_PACKAGES = "${PN}"
+
+PACKAGES =+ "${PN}-socketcontrol"
+FILES_${PN} += "${systemd_unitdir}"
+FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
+
+CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
+
+RDEPENDS_${PN}-python = "python"
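Review bot: RDEPENDS_${PN}-python on the last line refers to a package this recipe no longer creates; PACKAGES now adds ${PN}-socketcontrol, which ships suricatasc and ${PYTHON_SITEPACKAGES_DIR} with no python runtime dependency. Rename it to RDEPENDS_${PN}-socketcontrol. Separately, the ruleset comes from emerging.rules.tar.gz checked into the layer, with wget and curl detection forced off in CACHED_CONFIGUREVARS, so the rules are frozen at commit time; document how and when that tarball is refreshed. Dropping the old postinst that launched suricata on eth0 at first boot is a good change.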
diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-security/tripwire/files/run-ptest
new file mode 100644
index 0000000..aedfddc
--- /dev/null
+++ b/meta-security/recipes-security/tripwire/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./twtest.pl
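Review bot: ./twtest.pl is resolved relative to the current directory, so the script only works when invoked from the ptest directory; the removed keynote run-ptest did an explicit cd @PTEST_PATH@ first. Suggest doing the same here, or cd "$(dirname "$0")", and printing a PASS:/FAIL: line based on the exit status of twtest.pl.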
diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
index 465960f..59d1f35 100644
--- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
@@ -16,11 +16,12 @@
 	file://twcfg.txt \
 	file://twinstall.sh \
 	file://twpol-yocto.txt \
+	file://run-ptest \
        "
 
 S = "${WORKDIR}/git"
 
-inherit autotools-brokensep update-rc.d
+inherit autotools-brokensep update-rc.d ptest
 
 INITSCRIPT_NAME = "tripwire"
 INITSCRIPT_PARAMS = "start 40 S ."
@@ -58,9 +59,15 @@
     install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
 }
 
+do_install_ptest_append () {
+	install -d ${D}${PTEST_PATH}/tests
+	cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
+}
 
 FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
 FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
 FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
+FILES_${PN}-ptest += "${PTEST_PATH}/tests "
 
 RDEPENDS_${PN} += " perl nano msmtp cronie"
+RDEPENDS_${PN}-ptest = " perl lib-perl"
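Review bot: in do_install_ptest_append, install -d creates ${D}${PTEST_PATH}/tests but cp -a copies the test harness into ${D}${PTEST_PATH} itself, so the tests directory is populated only if the harness happens to contain its own tests subdirectory. Either copy into the directory that was created or drop the install -d. cp -a also preserves ownership from the build tree; cp -R --no-preserve=ownership avoids host UIDs leaking into the package. The FILES_${PN}-ptest addition is redundant if the ptest packaging already covers ${PTEST_PATH}.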
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
index fcc63b3..1cec47f 100644
--- a/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
@@ -1,4 +1,4 @@
-From 47379747e34f952d31af028c672940ca7859ae3c Mon Sep 17 00:00:00 2001
+From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001
 From: Yulong Pei <Yulong.pei@windriver.com>
 Date: Wed, 21 Jul 2010 22:33:43 +0800
 Subject: [PATCH] change finding path of nss and nspr
@@ -7,66 +7,61 @@
 
 Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- configure.ac | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
+ configure.ac | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 3278200..6edec7d 100644
+index 951b3eb..1fdeb0f 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -644,7 +644,7 @@ if test "z$NSS_FOUND" = "zno" ; then
+@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4"
+ NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
+ NSPR_PACKAGE=mozilla-nspr
+ NSS_PACKAGE=mozilla-nss
+-NSPR_INCLUDE_MARKER="nspr/nspr.h"
++NSPR_INCLUDE_MARKER="nspr.h"
+ NSPR_LIB_MARKER="libnspr4$shrext"
+ NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+-NSS_INCLUDE_MARKER="nss/nss.h"
++NSS_INCLUDE_MARKER="nss3/nss.h"
+ NSS_LIB_MARKER="libnss3$shrext"
+ NSS_LIBS_LIST="-lnss3 -lsmime3"
  
-     if test "z$with_nspr" != "z" ; then
- 	NSPR_PREFIX="$with_nspr"
--	NSPR_CFLAGS="-I$with_nspr/include -I$with_nspr/include/nspr"
-+	NSPR_CFLAGS="-I$with_nspr/usr/include -I$with_nspr/usr/include/nspr4"
- 	if test "z$with_gnu_ld" = "zyes" ; then
- 	    NSPR_LIBS="-Wl,-rpath-link -Wl,$with_nspr/lib -L$with_nspr/lib $NSPR_LIBS_LIST"
- 	else
-@@ -652,7 +652,7 @@ if test "z$NSS_FOUND" = "zno" ; then
- 	fi
- 	NSPR_INCLUDES_FOUND="yes"
- 	NSPR_LIBS_FOUND="yes"
--	NSPR_PRINIT_H="$with_nspr/include/prinit.h"
-+	NSPR_PRINIT_H="$with_nspr/usr/include/nspr4/prinit.h"
+@@ -898,24 +898,24 @@ fi
+ dnl Priority 1: User specifies the path to installation
+ if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then
+     AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder)
+-    if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then
+-        NSPR_INCLUDE_PATH="$with_nspr/include"
+-        NSPR_LIB_PATH="$with_nspr/lib"
++    if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then
++        NSPR_INCLUDE_PATH="$with_nspr/usr/include"
++        NSPR_LIB_PATH="$with_nspr/${libdir}"
+         NSPR_FOUND="yes"
+         AC_MSG_RESULT([yes])
      else
- 	for dir in $ac_nss_inc_dir ; do
-     	    if test -f $dir/nspr/prinit.h ; then
-@@ -690,7 +690,7 @@ if test "z$NSS_FOUND" = "zno" ; then
- 	OLD_CPPFLAGS=$CPPFLAGS
- 	CPPFLAGS="$NSPR_CFLAGS"
- 	AC_EGREP_CPP(yes,[
--    	    #include <prinit.h>
-+	    #include <nspr4/prinit.h>
-             #if PR_VMAJOR >= 4
-                yes
-             #endif
-@@ -715,7 +715,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-     NSS_NSS_H=""
+-        AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?])
++        AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?])
+     fi
+ fi
+ if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then
+     AC_MSG_CHECKING(for nss library installation in "$with_nss" folder)
+-    if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then
+-        NSS_INCLUDE_PATH="$with_nss/include"
+-        NSS_LIB_PATH="$with_nss/lib"
++    if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then
++        NSS_INCLUDE_PATH="$with_nss/usr/include/nss3"
++        NSS_LIB_PATH="$with_nss/${libdir}"
+         NSS_FOUND="yes"
+         AC_MSG_RESULT([yes])
+     else
+-        AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?])
++        AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?])
+     fi
+ fi
  
-     if test "z$with_nss" != "z" ; then
--	NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss"
-+	NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/usr/include -I$with_nss/usr/include/nss3 -I$with_nspr/usr/include/nspr4"
- 	if test "z$with_gnu_ld" = "zyes" ; then
- 	    NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib -L$with_nss/lib $NSS_LIBS_LIST"
-         else
-@@ -723,7 +723,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-         fi
- 	NSS_INCLUDES_FOUND="yes"
- 	NSS_LIBS_FOUND="yes"
--	NSS_NSS_H="$with_nss/include/nss.h"
-+	NSS_NSS_H="$with_nss/usr/include/nss3/nss.h"
-     else
- 	for dir in $ac_nss_inc_dir ; do
- 	    if test -f $dir/nss/nss.h ; then
-@@ -761,7 +761,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-        OLD_CPPFLAGS=$CPPFLAGS
-        CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
-        AC_EGREP_CPP(yes,[
--          #include <nss.h>
-+	  #include <nss3/nss.h>
-           #if NSS_VMAJOR >= 3 && NSS_VMINOR >= 2
-              yes
-           #endif
+-- 
+2.7.4
+
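Review bot: the refreshed "Priority 1" checks treat NSPR and NSS differently, and the NSPR side needs confirming. NSS is tested as `nss3/nss.h` under `$with_nss/usr/include` and then gets `NSS_INCLUDE_PATH="$with_nss/usr/include/nss3"`, whereas NSPR is tested as a bare `nspr.h` directly under `$with_nspr/usr/include` and gets `NSPR_INCLUDE_PATH="$with_nspr/usr/include"`, although the previous revision of this patch pointed at `usr/include/nspr4`. Please confirm the sysroot really installs `nspr.h` at the top of `usr/include`; if it does not, this branch ends in AC_MSG_ERROR. The header side also hard-codes `/usr/include` while the library side uses `${libdir}`. Using `${includedir}` would keep the two consistent. Note too that `${libdir}` only resolves inside `test -f` when configure is passed an explicit --libdir, because autoconf's default value is the unexpanded `${exec_prefix}/lib`.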
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch b/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch
deleted file mode 100644
index 5f967bb..0000000
--- a/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 1d8ae4b32bd76c19ec238f30eb9b1ee582cbe990 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Fri, 2 Mar 2018 01:10:58 -0800
-Subject: [PATCH] xmlsec1: fix a typo in examples/verify3.c
-
-Upstream-Status: Submitted [https://github.com/lsh123/xmlsec/pull/153]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- examples/verify3.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/examples/verify3.c b/examples/verify3.c
-index 2d26ae7..68f52ab 100644
---- a/examples/verify3.c
-+++ b/examples/verify3.c
-@@ -1,4 +1,4 @@
--4/** 
-+/**
-  * XML Security Library example: Verifying a file signed with X509 certificate
-  *
-  * Verifies a file signed with X509 certificate. 
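Review bot: the patch deleted here carries `Upstream-Status: Submitted [https://github.com/lsh123/xmlsec/pull/153]`, not Accepted or Backport, so nothing in this change shows that the fix is actually in the new release. Please add a line to the commit message confirming that the stray `4` before `/**` at the top of examples/verify3.c is gone in the 1.2.26 tarball; if it is not, the typo returns with this removal.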
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
similarity index 89%
rename from meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb
rename to meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
index 341ca08..2dbbf33 100644
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.25.bb
+++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
@@ -17,12 +17,11 @@
     file://change-finding-path-of-nss.patch \
     file://makefile-ptest.patch \
     file://xmlsec1-examples-allow-build-in-separate-dir.patch \
-    file://xmlsec1-fix-a-typo-in-examples-verify3.c.patch \
     file://run-ptest \
     "
 
-SRC_URI[md5sum] = "dbbef1efc69e61bc4629650205a05b41"
-SRC_URI[sha256sum] = "967ca83edf25ccb5b48a3c4a09ad3405a63365576503bf34290a42de1b92fcd2"
+SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
+SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
 
 inherit autotools-brokensep ptest pkgconfig
 
