meta-security: subtree update:547f552c85..066a04425c

Armin Kuster (9):
      python3-oauth2client: add recipe
      python3-privacyidea: adding initial support for mfa
      strongswan: add bbappends for tpm changes
      layer.conf: add dynamic-layer for strongswan
      strongswan: Add bbappends for ima changes
      meta-integrity: add dynamic-layer for strongswan
      add gitlab framework and qemu machine
      kas: add ima, tpm and tpm2 build configs
      drop ci-build: it is hiding errors

Jeremy Puhlman (2):
      cryptsetup-tpm-incubator: RPROVIDES cryptsetup and cryptsetup-dev
      packagegroup-security-tpm2: Depend on preferred provider for cryptsetup

Zheng Ruoqin (2):
      ccs-tools:Fix build error when enable multilib.
      bastille: Deleted redundant inherit to fix error when enable multilib.

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I023e45c8080c3d423cd25cc656da5c1f527295e5
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index c3372c7..46d0279 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -15,3 +15,7 @@
     openembedded-layer \
 "
 BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
+
+BBFILES_DYNAMIC += " \
+networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappend \
+"
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
new file mode 100644
index 0000000..8250282
--- /dev/null
+++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
@@ -0,0 +1,38 @@
+From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Apr 2020 10:44:19 +0200
+Subject: [PATCH] xfrmi: Only build if libcharon is built
+
+The kernel-netlink plugin is only built if libcharon is.
+
+Closes strongswan/strongswan#167.
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/Makefile.am | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+Index: strongswan-5.8.4/src/Makefile.am
+===================================================================
+--- strongswan-5.8.4.orig/src/Makefile.am
++++ strongswan-5.8.4/src/Makefile.am
+@@ -42,6 +42,9 @@ endif
+ 
+ if USE_LIBCHARON
+   SUBDIRS += libcharon
++if USE_KERNEL_NETLINK
++  SUBDIRS += xfrmi
++endif
+ endif
+ 
+ if USE_FILE_CONFIG
+@@ -143,7 +146,3 @@ endif
+ if USE_TPM
+   SUBDIRS += tpm_extendpcr
+ endif
+-
+-if USE_KERNEL_NETLINK
+-  SUBDIRS += xfrmi
+-endif
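Review bot: `Upstream-Status: Backport` gives no pointer to the upstream change, and the patch context is pinned to `strongswan-5.8.4/src/Makefile.am` while the patch is applied from a `strongswan_5.%` bbappend. Record the origin next to the status, e.g. `Upstream-Status: Backport [strongswan commit db772305c6ba]` (hash taken from the patch's own From line), so it is clear when the patch can be dropped. Once the base recipe moves to a release that already contains this change, do_patch is likely to fail for every build with the tpm feature enabled. Narrowing the bbappend version, or naming the affected release in the patch header, would make that failure easier to diagnose.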
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
new file mode 100644
index 0000000..d8604e1
--- /dev/null
+++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
@@ -0,0 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+DEPENDS = "libtspi"
+
+SRC_URI_append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
+
+PACKAGECONFIG += "aikgen tpm"
+
+PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
+PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
+
+EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
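Review bot: `DEPENDS = "libtspi"` is a plain assignment, and because this include is pulled in from a bbappend it is parsed after the base strongswan recipe, so it replaces the build dependencies that recipe declares instead of adding to them. Use `DEPENDS += "libtspi"`, or tie the dependency to the feature with `PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,libtspi,"`; this assumes aikgen is the option that needs it, which should be confirmed. Separately, `--with-linux-headers=${STAGING_KERNEL_DIR}` is passed with nothing visible here that ensures the kernel source is staged before do_configure. If the base recipe does not already handle that, `do_configure[depends] += "virtual/kernel:do_shared_workdir"` would be needed.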
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
new file mode 100644
index 0000000..34757bb
--- /dev/null
+++ b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)}
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 8f5c537..a553a63 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -7,6 +7,7 @@
 
 PACKAGES = "${PN}"
 
+PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"
 SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
 RDEPENDS_packagegroup-security-tpm2 = " \
     tpm2-tools \
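Review bot: `PREFERRED_PROVIDER_cryptsetup ?= "cryptsetup-tpm-incubator"` set inside a recipe only takes effect in this recipe's own datastore, because BitBake's provider selection reads that variable from the global configuration. Here it therefore acts purely as a default string for the `${PREFERRED_PROVIDER_cryptsetup}` entry in RDEPENDS in the second hunk of this file. That deserves a comment above the assignment, e.g. `# Recipe-local default: only names the runtime package below, does not select a provider`. The variable's value is a recipe name that is then used as a package name. A distro pointing it at a recipe whose main package is named differently would produce an RDEPENDS entry that cannot be resolved.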
@@ -19,5 +20,5 @@
     tpm2-abrmd \
     tpm2-pkcs11 \
     ibmswtpm2 \
-    cryptsetup-tpm-incubator \
+    ${PREFERRED_PROVIDER_cryptsetup} \
     "
diff --git a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
index b706d15..2617162 100644
--- a/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/cryptsetup-tpm-incubator/cryptsetup-tpm-incubator_0.9.9.bb
@@ -36,7 +36,12 @@
 RDEPENDS_${PN} += "lvm2 libdevmapper"
 RRECOMMENDS_${PN} += "lvm2-udevrules"
 
+RPROVIDES_${PN} = "cryptsetup"
 RREPLACES_${PN} = "cryptsetup"
 RCONFLICTS_${PN}  ="cryptsetup"
 
+RPROVIDES_${PN}-dev = "cryptsetup-dev"
+RREPLACES_${PN}-dev = "cryptsetup-dev"
+RCONFLICTS_${PN}-dev  ="cryptsetup-dev"
+
 BBCLASSEXTEND = "native nativesdk"
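Review bot: Only runtime names are added here (`RPROVIDES_${PN}`, `RPROVIDES_${PN}-dev`), while the packagegroup change in this commit keys off `PREFERRED_PROVIDER_cryptsetup`, which BitBake matches against build-time `PROVIDES`. The rest of the recipe is outside the hunk, so check that it also carries `PROVIDES += "cryptsetup"`, or add a comment explaining why the build-time name is intentionally not provided. The new `RCONFLICTS_${PN}-dev  ="cryptsetup-dev"` also copies the stray spacing of the existing line; `RCONFLICTS_${PN}-dev = "cryptsetup-dev"` matches the neighbouring assignments.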