subtree updates

meta-security: 93f2146211..7628a3e90b:
  Anton Antonov (3):
        Parsec-service: Update installation procedure
        Parsec-service: Fix arm32 build
        meta-parsec: Update Parsec runtime tests

  Armin Kuster (20):
        fscrypt: add distro_check on pam
        meta-security: move perl and python recipes to dynamic layers structure
        packagegroup-core-security: remove pkgs
        packagegroup-core-security: add perl pkgs grps
        packagegroup-core-security: add dynamic python pkgs
        arpwatch: add postfix to pkg config
        suricata: drop nfnetlink from pkg config
        packagegroup-core-security.bb: fix suricata inclusion
        layer.conf: fix up layer dependancies.
        ima-evm-utils: Update to 1.4
        aide: Update 01.17.4
        ossec-hids: update to 3.7.0
        suricata: update to 5.0.5
        samhain: update to 4.4.9
        tpm2-pkcs11: tpm2-pkcs11 module missing
        tpm2-tools: Add missing rdepends
        oeqa/cases/tpm2: fix and enhance test suite
        meta-parsec: Add pkg grps
        meta-parsec: add build image.
        oeqa: add parsec runtime tests

  Jeremy A. Puhlman (2):
        aide: Add depend on audit when audit is enabled.
        lib-perl: prefix man pages to avoid conflicting with base perl

  Josh Harley (1):
        Add EROFS support to dm-verity-img class

  Lei Maohui (1):
        layer.conf: Added BBFILES_DYNAMIC for dynamic-layers.

meta-openembedded: 77c2fda04e..a9e6d16e66:
  Alejandro Enedino Hernandez Samaniego (1):
        cryptsetup: Add luks2 configure options defaults

  Alex Kiernan (2):
        ulogd2: Add recipe
        libcoap: Add recipe

  Armin Kuster (13):
        meta-python-image: Fix build depends
        crda: move to a dynamic-layer for python
        cyrus-sasl: move from meta-networking to meta-oe
        netplan: move from meta-networking to meta-oe
        nvmetcli: move recipe to meta-oe
        packagegroup-meta-oe: update pkg group
        python3-ldap: move to meta-python
        packagegroup-meta-python.bb: update pkg group
        firewalld: move to dynamic meta-python layer
        packagegroup-meta-networking: update pkg group
        meta-networking: drop meta-python layer depends
        meta-gnome: fix layer depends.
        layer.conf: Post release codename changes

  Bartosz Golaszewski (19):
        python3-pyfanotify: new package
        python3-toolz: new package
        python3-cytoolz: new package
        python3-decouple: new package
        python3-eth-hash: new package
        python3-eth-typing: new package
        python3-eth-utils: new package
        python3-eth-keys: new package
        python3-eth-keyfile: new package
        python3-hexbytes: new package
        python3-rlp: new package
        python3-eth-rlp: new package
        python3-parsimonious: new package
        python3-eth-abi: new package
        python3-eth-account: new package
        python3-lru-dict: new package
        python3-web3: new package
        python3-inotify: new package
        speedtest-cli: drop the recipe

  Changqing Li (1):
        zabbix: upgrade 5.2.6 -> 6.0.4

  Chase Qi (1):
        kernel-selftest: install kselftest runner

  Claudius Heine (1):
        btrfsmaintenance: add recipe for btrfsmaintenance scripts

  Denys Dmytriyenko (2):
        devmem2: reinstate previous patches, removed by mistake
        devmem2: add support for different page sizes

  Diego Sueiro (1):
        bats: upgrade 1.6.0 -> 1.6.1

  Gianfranco (3):
        sdbus-c++-libsystemd: Bump SRCREV to last commit of 250-stable branch
        sdbus-c++: Bump version from 1.00 to 1.1.0
        libmtp: Add doxygen-native dependency in case documentation build is enabled in PACKAGECONFIG. This fixes a FTBFS due to missing dependency.

  Gianfranco Costamagna (1):
        vboxguestdrivers: upgrade 6.1.32 -> 6.1.34

  Jiaqing Zhao (2):
        openldap: Remove libgcrypt dependency
        openldap: Upgrade 2.5.9 -> 2.5.12

  Joerg Vehlow (1):
        jq: Fix typo OE_EXTRACONF -> EXTRA_OECONF

  Julien STEPHAN (1):
        libcamera: fix packaging

  Kai Kang (3):
        conntrack-tools: fix postinst script
        wxwidgets: enable to use private fonts
        python3-wxgtk4: backport patch to fix svg issue

  Khem Raj (12):
        ufw: Fix packaging errors found with ppc64
        libcereal: Enable for glibc/ppc
        mimic: Use special rateconv.c license
        makedumpfile: Use right TARGET for ppc32
        evince: Add dbus to depnedencies on non-x11 builds
        evolution-data-server: Do not pass --library-path to gir compiler
        python3-wxgtk4: Needs x11 for sip module
        zfs: Fix build on musl systems
        zfs: Disable on riscv32
        zfs: Disable on mips
        zfs: Make systemd and sysvinit into packageconfigs
        sdbus-c++: Link with libatomic on mips/ppc32

  Markus Volk (1):
        minidlna: fix obsolete license warning

  Martin Jansa (1):
        ostree: prevent ostree-native depending on target virtual/kernel to provide kernel-module-overlay

  Michael Opdenacker (1):
        devmem2: update SRC_URI according to redirect

  Mingli Yu (1):
        s-nail: Set VAL_MTA

  Nicolas Dechesne (1):
        imlib2: update SRC_URI

  Peter Kjellerstedt (1):
        libwebsockets: Avoid absolute paths in *.cmake files in the sysroot

  Portia (1):
        cpulimit: introduce support for this package

  Randy MacLeod (1):
        intel-speed-select: Add libnl dependency and extend CFLAGS

  Richard Neill (1):
        bats: Add patch to fix false-negatives caused by teardown code

  Ross Burton (1):
        Revert "python3-cbor2: upgrade 5.4.2 -> 5.4.3"

  Samuli Piippo (1):
        python3-qface: upgrade 2.0.7 -> 2.0.8

  Teresa Remmet (1):
        meta-networking: Add meta-python to BBFILES_DYNAMIC

  Vyacheslav Yurkov (1):
        polkit: add udisks2 rule

  Windel Bouwman (1):
        Add zfs recipe

  Xu Huan (17):
        python3-astroid: upgrade 2.11.2 -> 2.11.3
        python3-bitstruct: upgrade 8.14.0 -> 8.14.1
        python3-cachecontrol: upgrade 0.12.10 -> 0.12.11
        python3-engineio: upgrade 4.3.1 -> 4.3.2
        python3-flask-socketio: upgrade 5.1.1 -> 5.1.2
        python3-google-api-python-client: upgrade 2.43.0 -> 2.45.0
        python3-graphviz: upgrade 0.19.2 -> 0.20
        python3-cbor2: upgrade 5.4.2 -> 5.4.3
        python3-click: upgrade 8.1.2 -> 8.1.3
        python3-flask-login: upgrade 0.6.0 -> 0.6.1
        python3-flask: upgrade 2.1.1 -> 2.1.2
        python3-google-api-core: upgrade 2.7.1 -> 2.7.3
        python3-google-auth: upgrade 2.6.3 -> 2.6.6
        python3-mypy: upgrade 0.942 -> 0.950
        python3-pyalsaaudio: upgrade 0.9.0 -> 0.9.2
        python3-grpcio-tools: upgrade 1.45.0 -> 1.46.0
        python3-pychromecast: upgrade 11.0.0 -> 12.1.1

  Yi Zhao (1):
        networkmanager: fix parallel build failure

  wangmy (41):
        python3-sentry-sdk: upgrade 1.5.8 -> 1.5.10
        python3-socketio: upgrade 5.5.2 -> 5.6.0
        python3-textparser: upgrade 0.23.0 -> 0.24.0
        python3-twisted: upgrade 22.2.0 -> 22.4.0
        python3-websockets: upgrade 10.2 -> 10.3
        fuse3: upgrade 3.10.5 -> 3.11.0
        zenity: upgrade 3.42.0 -> 3.42.1
        babeld: upgrade 1.11 -> 1.12
        cifs-utils: upgrade 6.14 -> 6.15
        nbdkit: upgrade 1.31.1 -> 1.31.2
        stunnel: upgrade 5.63 -> 5.64
        tgt: upgrade 1.0.79 -> 1.0.82
        wolfssl: upgrade 5.2.0 -> 5.3.0
        ctags: upgrade 5.9.20220417.0 -> 5.9.20220501.0
        freerdp: upgrade 2.6.1 -> 2.7.0
        fwupd-efi: upgrade 1.2 -> 1.3
        htop: upgrade 3.1.2 -> 3.2.0
        hwdata: upgrade 0.358 -> 0.359
        icewm: upgrade 2.9.6 -> 2.9.7
        iwd: upgrade 1.26 -> 1.27
        jemalloc: upgrade 5.2.1 -> 5.3.0
        libmbim: upgrade 1.26.2 -> 1.26.4
        libyang: upgrade 2.0.164 -> 2.0.194
        nano: upgrade 6.2 -> 6.3
        phoronix-test-suite: upgrade 10.8.2 -> 10.8.3
        php: upgrade 8.1.4 -> 8.1.5
        pkcs11-helper: upgrade 1.28.0 -> 1.29.0
        poppler: upgrade 22.04.0 -> 22.05.0
        toybox: upgrade 0.8.6 -> 0.8.7
        unixodbc: upgrade 2.3.9 -> 2.3.11
        xmlsec1: upgrade 1.2.33 -> 1.2.34
        gtk4: upgrade 4.6.3 -> 4.6.4
        nbdkit: upgrade 1.31.2 -> 1.31.5
        ctags: upgrade 5.9.20220501.0 -> 5.9.20220508.0
        openjpeg: upgrade 2.4.0 -> 2.5.0
        php: upgrade 8.1.5 -> 8.1.6
        postgresql: upgrade 14.2 -> 14.3
        phpmyadmin: upgrade 5.1.3 -> 5.2.0
        python3-aiohue: upgrade 3.0.11 -> 4.4.1
        python3-awesomeversion : add recipe
        python3-traitlets: upgrade 5.1.1 -> 5.2.0

  zhengrq.fnst (12):
        glibmm-2.68: upgrade 2.70.0 -> 2.72.1
        gnome-text-editor: upgrade 42.0 -> 42.1
        apitrace: upgrade 10.0 -> 11.0
        libconfig-general-perl: upgrade 2.63 -> 2.65
        gpsd: upgrade 3.23.1 -> 3.24
        mbw: upgrade 1.4 -> 1.5
        gtk4: upgrade 4.6.2 -> 4.6.3
        python3-antlr4-runtime: upgrade 4.9.2 -> 4.10
        python3-booleanpy: upgrade 3.8 -> 4.0
        python3-pika: upgrade 1.2.0 -> 1.2.1
        python3-autobahn: upgrade 22.3.2 -> 22.4.2
        python3-bitarray: upgrade 2.4.1 -> 2.5.0

  zhengruoqin (7):
        python3-imageio: upgrade 2.17.0 -> 2.18.0
        python3-langtable: upgrade 0.0.57 -> 0.0.58
        python3-paramiko: upgrade 2.10.3 -> 2.10.4
        python3-protobuf: upgrade 3.20.0 -> 3.20.1
        python3-pylint: upgrade 2.13.5 -> 2.13.7
        python3-pymongo: upgrade 4.1.0 -> 4.1.1
        python3-regex: upgrade 2022.3.15 -> 2022.4.24

poky: 9e55696042..13d70e57f8:
  Alex Kiernan (7):
        eudev: Upgrade 3.2.10 -> 3.2.11
        eudev: Add PACKAGECONFIG for manpages & selinux
        pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
        openssh: Add openssh-sftp-server to openssh RDEPENDS
        eudev: Convert dependencies to PACKAGECONFIG
        eudev: Cleanup redundant configuration
        eudev: Use PACKAGE_BEFORE_PN/${PN}, clean up spaces

  Alexander Kanavin (106):
        systemd: upgrade 250.4 -> 250.5
        python3-cryptography: upgrade 36.0.2 -> 37.0.1
        util-linux: upgrade 2.37.4 -> 2.38
        vulkan: upgrade 1.3.204.1 -> 1.3.211.0
        libnl: upgrade 3.5.0 -> 3.6.0
        libsdl2: upgrade 2.0.20 -> 2.0.22
        mesa: upgrade 22.0.0 -> 22.0.2
        python3-babel: upgrade 2.9.1 -> 2.10.1
        python3-mako: upgrade 1.1.6 -> 1.2.0
        python3-pygments: upgrade 2.11.2 -> 2.12.0
        at-spi2-core: upgrade 2.44.0 -> 2.44.1
        bind: upgrade 9.18.1 -> 9.18.2
        cronie: upgrade 1.6.0 -> 1.6.1
        diffoscope: upgrade 208 -> 211
        dnf: upgrade 4.11.1 -> 4.12.0
        ell: upgrade 0.49 -> 0.50
        epiphany: upgrade 42.0 -> 42.2
        ffmpeg: upgrade 5.0 -> 5.0.1
        fribidi: upgrade 1.0.11 -> 1.0.12
        harfbuzz: upgrade 4.2.0 -> 4.2.1
        libinput: upgrade 1.19.3 -> 1.19.4
        libmnl: upgrade 1.0.4 -> 1.0.5
        libnotify: upgrade 0.7.9 -> 0.7.11
        libpipeline: upgrade 1.5.5 -> 1.5.6
        libseccomp: upgrade 2.5.3 -> 2.5.4
        libx11: upgrade 1.7.5 -> 1.8
        lttng-tools: upgrade 2.13.4 -> 2.13.7
        mmc-utils: upgrade to latest revision
        neard: upgrade 0.16 -> 0.18
        pango: upgrade 1.50.6 -> 1.50.7
        parted: upgrade 3.4 -> 3.5
        piglit: upgrade to latest revision
        python3-cryptography-vectors: upgrade 36.0.2 -> 37.0.1
        python3-dtschema: upgrade 2022.1 -> 2022.4
        python3-hypothesis: upgrade 6.44.0 -> 6.46.0
        python3-jinja2: upgrade 3.1.1 -> 3.1.2
        python3-pygobject: upgrade 3.42.0 -> 3.42.1
        python3-pytest: upgrade 7.1.1 -> 7.1.2
        repo: upgrade 2.23 -> 2.24.1
        sqlite3: upgrade 3.38.2 -> 3.38.3
        vala: upgrade 0.56.0 -> 0.56.1
        vte: upgrade 0.66.2 -> 0.68.0
        webkitgtk: upgrade 2.36.0 -> 2.36.1
        xorgproto: upgrade 2021.5 -> 2022.1
        xwayland: upgrade 22.1.0 -> 22.1.1
        sysvinit: update 3.02 -> 3.04
        pciutils: update 3.7.0 -> 3.8.0
        elfutils: update 0.186 -> 0.187
        git: update 2.35.3 -> 2.36.0
        libdnf: update 0.66.0 -> 0.67.0
        llvm: update 14.0.1 -> 14.0.3
        rsync: update 3.2.3 -> 3.2.4
        lsof: update 4.94.0 -> 4.95.0
        libhandy: update 1.5.0 -> 1.6.2
        librsvg: update 2.54.0 -> 2.54.1
        xauth: update 1.1.1 -> 1.1.2
        gnupg: update 2.3.4 -> 2.3.6
        qemu: update 6.2.0 -> 7.0.0
        stress-ng: disable apparmor from the correct spot
        coreutils: update 9.0 -> 9.1
        python3-setuptools: upgrade 59.5.0 -> 62.3.1
        go: upgrade 1.18.1 -> 1.18.2
        iptables: upgrade 1.8.7 -> 1.8.8
        gnu-config: update to latest version
        u-boot: upgrade 2022.01 -> 2022.04
        python3-pip: update 22.0.4 -> 22.1
        libxcb: update 1.14 -> 1.15
        xcb-proto: upgrade 1.14.1 -> 1.15
        systemtap: update 4.6 -> 4.7
        vulkan-samples: update to latest revision
        curl: upgrade 7.83.0 -> 7.83.1
        diffoscope: upgrade 211 -> 212
        git: upgrade 2.36.0 -> 2.36.1
        gnutls: upgrade 3.7.4 -> 3.7.5
        gst-devtools: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-libav: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-omx: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-plugins-bad: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-plugins-base: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-plugins-good: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-plugins-ugly: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-python: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-rtsp-server: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0: upgrade 1.20.1 -> 1.20.2
        gstreamer1.0-vaapi: upgrade 1.20.1 -> 1.20.2
        libcgroup: upgrade 2.0.1 -> 2.0.2
        libnotify: upgrade 0.7.11 -> 0.7.12
        librsvg: upgrade 2.54.1 -> 2.54.3
        mesa: upgrade 22.0.2 -> 22.0.3
        mobile-broadband-provider-info: upgrade 20220315 -> 20220511
        piglit: upgrade to latest revision
        psmisc: upgrade 23.4 -> 23.5
        python3-bcrypt: upgrade 3.2.0 -> 3.2.2
        python3-cryptography: upgrade 37.0.1 -> 37.0.2
        python3-cryptography-vectors: upgrade 37.0.1 -> 37.0.2
        python3-hypothesis: upgrade 6.46.0 -> 6.46.4
        python3-jsonschema: upgrade 4.4.0 -> 4.5.1
        python3-markdown: upgrade 3.3.6 -> 3.3.7
        python3-more-itertools: upgrade 8.12.0 -> 8.13.0
        python3-pbr: upgrade 5.8.1 -> 5.9.0
        python3-pyparsing: upgrade 3.0.8 -> 3.0.9
        repo: upgrade 2.24.1 -> 2.25
        sqlite3: upgrade 3.38.3 -> 3.38.5
        stress-ng: upgrade 0.14.00 -> 0.14.01
        python3-setuptools-rust: update 1.1.2 -> 1.3.0
        python3: use built-in distutils for ptest, rather than setuptools' 'fork'

  Andrej Valek (1):
        kernel: add missing path to search for debug files

  Arkadiusz Drabczyk (1):
        overview-manual: fix a forgotten link

  Aryaman Gupta (1):
        e2fsprogs: update upstream status

  Bruce Ashfield (23):
        linux-yocto/5.15: arm: poky-tiny cleanup and fixes
        linux-yocto/5.10: update to v5.10.110
        linux-yocto/5.10: base: enable kernel crypto userspace API
        linux-yocto/5.15: update to v5.15.33
        linux-yocto/5.15: base: enable kernel crypto userspace API
        linux-yocto/5.15: kasan: fix BUG: sleeping function called from invalid context
        linux-yocto/5.15: fix ppc boot
        linux-yocto/5.15: netfilter: conntrack: avoid useless indirection during conntrack destruction
        linux-yocto/5.10: update to v5.10.112
        linux-yocto/5.15: update to v5.15.35
        linux-yocto/5.15: Fix CVE-2022-28796
        linux-yocto: enable powerpc debug fragment
        linux-yocto/5.15: fix -standard kernel build issue
        linux-yocto/5.15: update to v5.15.36
        linux-yocto/5.15: fix qemuarm graphical boot
        strace: fix ptest failure in landlock
        yocto-bsps: update to v5.15.36
        yocto-bsps: update to v5.10.113
        linux-yocto/5.15: update to v5.15.37
        linux-yocto/5.10: update to v5.10.113
        linux-yocto/5.15: update to v5.15.38
        linux-yocto/5.10: update to v5.10.114
        lttng-modules: fix build against 5.18-rc7+

  Changqing Li (1):
        eudev: create static-nodes in init script

  Chanho Park (2):
        externalsrc.bbclass: support crate fetcher on externalsrc
        cargo_common.bbclass: enable bitbake vendoring for externalsrc

  Claudius Heine (3):
        classes: rootfs-postcommands: add skip option to overlayfs_qa_check
        overlayfs: add docs about skipping QA check & service dependencies
        wic: added fspassno parameter to partition

  Davide Gardenal (4):
        cve-check: add JSON format to summary output
        cve-check: fix symlinks where link and output path are equal
        rootfs-postcommands: fix symlinks where link and output path are equal
        openssl: minor security upgrade 3.0.2 -> 3.0.3

  Dmitry Baryshkov (3):
        linux-firmware: upgrade 20220411 -> 20220509
        linux-firmware: package new Qualcomm firmware
        image.bbclass: allow overriding dependency on virtual/kernel:do_deploy

  Felix Moessbauer (1):
        wic/plugins/rootfs: Fix permissions when splitting rootfs folders across partitions

  Gunjan Gupta (2):
        bitbake: fetch2/osc: Small fixes for osc fetcher
        bitbake: fetch2/osc: Add support to query latest revision

  Jacob Kroon (1):
        Revert "image.bbclass: allow overriding dependency on virtual/kernel:do_deploy"

  Jiaqing Zhao (5):
        libxml2: Upgrade 2.9.13 -> 2.9.14
        systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
        systemd: Remove __compare_fn_t type in musl-specific patch
        systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
        systemd: Correct path returned in sd_path_lookup()

  Jon Mason (1):
        qemuarmv5: use arm-versatile-926ejs KMACHINE

  Kai Kang (1):
        wpa-supplicant: update config for gnutls

  Khem Raj (15):
        qemu: Add packageconfig for libbpf support
        linux-yocto: Enable powerpc-debug fragment for ppc64 LE
        musl: Upgrade to tip of trunk
        systemd: Fix build regression with latest update
        gcc: upgrade 11.3 -> 12.1
        libstd-rs: Forward port rust libc patches
        gdb: Upgrade to 12.1
        bash: build with bash_cv_getcwd_malloc=yes on musl too
        ovmf: Fix native build with gcc-12
        elfutils: Disable stringop-overflow warning for build host
        musl-locales: Switch SRC_URI to new location
        systemd: Drop redundant musl patches
        systemd: Document future actions needed for set of musl patches
        systemd: Drop 0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
        systemd: Update patch status

  Konrad Weihmann (1):
        linux-firmware: replace mkdir by install

  Kory Maincent (1):
        images_types: isolate the write of UBI configuration

  Leon Anavi (1):
        image_types/runqemu-addptable2image: Fix a minor typo

  Markus Volk (2):
        mesa.inc: package 00-radv-defaults.conf
        libsdl2: add PACKAGECONFIG for libusb1 and remove obsolete options

  Marta Rybczynska (3):
        cve-update-db-native: update the CVE database once a day only
        cve-update-db-native: let the user to drive the update interval
        cve-check: Fix report generation

  Martin Jansa (1):
        bitbake: osc: fix DeprecationWarning

  Michael Halstead (5):
        releases: update to include 3.1.16
        scripts/autobuilder-worker-prereq-tests: update to use yocto 4.0
        scripts/autobuilder-worker-prereq-tests: add additional limit testing
        releases: update to include 3.4.4
        releases: include 4.0.1

  Michael Opdenacker (12):
        MAINTAINERS.md: no more need for a prelink-cross maintainer
        dev-manual: further gdb usage simplifications
        doc/Makefile: fix epub and latexpdf targets
        manuals: fix name capitalization issues
        doc: standards for project and file names
        manuals: improve the width of diagrams
        manuals: improve documentation for TEMPLATECONF
        overview-manual: remove confusing and unnecessary paragraph about site.conf
        manuals: add quoting to references to bitbake.conf
        manuals: add missing space in appends
        manuals: add documentation for WKS_FILES
        migration guides: release notes for 3.4.3 and 3.4.4

  Mingli Yu (1):
        python3-cryptography: remove --benchmark-disable option

  Peter Kjellerstedt (4):
        base-passwd: Regenerate the patches
        base-passwd: Update to 3.5.52
        base-passwd: Update the status for two patches
        librsvg: Drop the dependency on libcroco

  Quentin Schulz (2):
        docs: set_versions.py: remove hardknott from active releases list
        docs: set_versions.py: show release name in switchers.js

  Raphael Teller (1):
        kernel.bbclass: Do not overwrite recipe's custom postinst

  Richard Purdie (25):
        bitbake: cookerdata: Change emphasis in error message to be clearer to users
        cairo: Add missing GPLv3 license checksum entry
        libgcrypt: Drop GPLv3 license after upstream changes
        base: Avoid circular references to our own scripts
        scripts: Make git intercept global
        scripts/git: Ensure we don't have circular references
        abi_version/sstate: Bump hashequiv and sstate versions due to git changes
        vim: Upgrade 8.2.4681 -> 8.2.4912
        package: Ensure we track whether PRSERV was active or not
        libgcrypt: Fix reproducibility issues in ptest
        liberror-perl: Update sstate/equiv versions to clean cache
        freetype: Upgrade 2.12.0 -> 2.12.1
        bitbake: fetch/git : Use cat as pager
        pciutils: Add make-native dependency
        sanity: Don't warn about make 4.2.1 for mint
        bitbake: build: Add clean_stamp API function to allow removal of task stamps
        staging: Fix rare sysroot corruption issue
        selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
        udev-extraconf/initrdscripts/parted: Rename mount.blacklist -> mount.ignorelist
        layer.conf: Don't use indirect help2man-native dependencies
        rust-common: Fix sstate signatures between arm hf and non-hf
        rust-common: Drop LLVM_TARGET and simplify
        rust-common: Fix native signature dependency issues
        scripts/patchreview: Add commit to stored json data
        scripts/patchreview: Make json output human parsable

  Robert Joslyn (1):
        powerpc: Remove invalid GLIBC_EXTRA_OECONF

  Roland Hieber (1):
        bitbake: cache: correctly handle file names containing colons

  Ross Burton (4):
        oeqa/selftest: add test for git working correctly inside pseudo
        Revert "bitbake.conf: mark all directories as safe for git to read"
        kernel-yocto.bbclass: say what SRC_URI entry is being dropped
        oeqa/selftest/cve_check: add tests for recipe and image reports

  Rouven Czerwinski (1):
        kbd: fix pam DISTRO_FEATURES check

  Samuli Piippo (1):
        binutils: Bump to latest 2.38 release branch

  Schmidt, Adriaan (1):
        bitbake: bitbake-diffsigs: break on first dependent task difference

  Simone Weiss (1):
        libgcrypt: Add ptest

  Steve Sakoman (2):
        virgl: skip headless test on alma 8.6
        python3: fix reproducibility issue with python3-core

  Sundeep KOKKONDA (3):
        dev-manual: improvements for gdbserver configuration
        rust-common: Ensure sstate signatures have correct dependencues for do_rust_gen_targets
        rust-common: Fix for target definitions returning 'NoneType' for arm

  Thomas Epperson (1):
        dev-manual: fix documentation for bmaptool usage

  Thomas Perrot (1):
        man-pages: add an alternative link name for crypt_r.3

  Tomasz Dziendzielski (1):
        bitbake: data: Do not depend on vardepvalueexclude flag

  Trevor Woerner (1):
        DISTRO_FEATURES: remove uclibc remnants

  Zoltán Böszörményi (2):
        npm.bbclass: Fix file permissions before opening it for writing
        npm.bbclass: Don't create /usr/lib/node symlink

  leimaohui (1):
        cve-check.bbclass: Added do_populate_sdk[recrdeptask].

  wangmy (1):
        librepo: upgrade 1.14.2 -> 1.14.3

meta-raspberrypi: c97a9e34ab..62a84833d9:
  Andrei Gherzan (1):
        Revert "kmod: Enable xz compression"

  Khem Raj (3):
        rpi-config: Add option to enable One-wire interface
        linux-firmware-rpidistro: Create brcmfmac43455-sdio.raspberrypi,4-model-b.bin symlink
        linux-raspberrypi: Upgrade to 5.15.38

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: If15534d7da5bfa78ef2224bb09ff1a8eb96a0e10
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 93f667d..dd447e6 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -63,7 +63,7 @@
     veritysetup --data-block-size=${DM_VERITY_IMAGE_DATA_BLOCK_SIZE} --hash-offset=$SIZE format $OUTPUT $OUTPUT | tail -n +2 | process_verity
 }
 
-VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity"
+VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity erofs.verity erofs-lz4.verity erofs-lz4hc.verity"
 IMAGE_TYPES += "${VERITY_TYPES}"
 CONVERSIONTYPES += "verity"
 CONVERSION_CMD:verity = "verity_setup ${type}"
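Review bot: The three erofs types added to VERITY_TYPES are all built through the `veritysetup ... | tail -n +2 | process_verity` pipeline in the context line above, and a pipeline's exit status is that of its last command. A failing `veritysetup format` would therefore not fail the task unless the shell has pipefail enabled, which is not visible here. For an integrity feature this could leave a `.verity` image without a valid hash tree or root hash. Consider writing the veritysetup output to a temporary file first and running `tail -n +2 <file> | process_verity` as a separate step, so the format step's status is checked. verity_setup starts outside the hunk.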
@@ -90,6 +90,6 @@
     # If we're using wic: we'll have to use partition images and not the rootfs
     # source plugin so add the appropriate dependency.
     if 'wic' in image_fstypes:
-        dep = ' %s:do_image_%s' % (pn, verity_type)
+        dep = ' %s:do_image_%s' % (pn, verity_type.replace("-", "_"))
         d.appendVarFlag('do_image_wic', 'depends', dep)
 }
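Review bot: The new `verity_type.replace("-", "_")` has no comment saying why the type name is rewritten before it is used in the wic dependency. I would add above the assignment `# image task names use '_' where the fstype has '-' (erofs-lz4 -> do_image_erofs_lz4)`. The rewrite presumably has to mirror whatever image.bbclass does when it creates the do_image_* tasks, so it is worth confirming that '-' is the only character mapped there. A mismatch would point the wic dependency at a task that does not exist. The enclosing function starts outside the hunk.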
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 21f03d1..7d57f9c 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -11,7 +11,14 @@
 
 LAYERSERIES_COMPAT_security = "kirkstone"
 
-LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
+LAYERDEPENDS_security = "core openembedded-layer"
+
+BBFILES_DYNAMIC += " \
+  perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bb \
+  perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
+  meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
+  meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+"
 
 # Sanity check for meta-security layer.
 # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check.
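Review bot: With perl-layer and meta-python removed from LAYERDEPENDS_security, everything under dynamic-layers/ is skipped at parse time when those layers are absent, and nothing in this hunk tells the user. For a security layer that means packagegroup-core-security can end up without the hardening and scanner tools and give no diagnostic. If it is not already set elsewhere in the file, I would add `LAYERRECOMMENDS_security = "perl-layer meta-python"` and a comment above BBFILES_DYNAMIC such as `# Perl- and Python-based recipes are only parsed when the matching layer is in BBLAYERS`. networking-layer is also dropped from the dependencies without a BBFILES_DYNAMIC entry, so any remaining recipe that needs it (not visible here) would fail only at build time.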
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..475a24d
--- /dev/null
+++ b/meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,18 @@
+
+
+PACKAGES += "\
+   packagegroup-security-hardening \
+   "
+RDEPENDS:packagegroup-core-security += "\
+   packagegroup-security-hardening \
+   "
+
+SUMMARY:packagegroup-security-hardening = "Security Hardening tools"
+RDEPENDS:packagegroup-security-hardening = " \
+    bastille \
+    "
+
+RDEPENDS:packagegroup-security-scanners += "\
+     nikto \
+     checksecurity \
+     "
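Review bot: Neither this bbappend nor the meta-python one (the `dynamic-layers/meta-python/.../packagegroup-core-security.bbappend` hunk further down) says that it is only parsed when the matching layer is configured. An image built without perl-layer therefore silently loses bastille, nikto and checksecurity from the security package groups, with no warning. I would replace the two leading blank lines in each file with a comment such as `# Parsed via BBFILES_DYNAMIC only when perl-layer is present; without it these packages are not part of the security package groups.` The continuation lines here also use three, four and five spaces of indent across the assignments; four throughout would match the meta-python file.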
diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
similarity index 100%
rename from meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
rename to meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
diff --git a/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
similarity index 100%
rename from meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
diff --git a/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/setuid-log-folder.patch
similarity index 100%
rename from meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/setuid-log-folder.patch
diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
similarity index 100%
rename from meta-security/recipes-security/bastille/bastille_3.2.1.bb
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
diff --git a/meta-security/recipes-security/bastille/files/API.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/API.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm
diff --git a/meta-security/recipes-security/bastille/files/AccountPermission.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/AccountPermission.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm
diff --git a/meta-security/recipes-security/bastille/files/FileContent.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/FileContent.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm
diff --git a/meta-security/recipes-security/bastille/files/HPSpecific.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/HPSpecific.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm
diff --git a/meta-security/recipes-security/bastille/files/Miscellaneous.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/Miscellaneous.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm
diff --git a/meta-security/recipes-security/bastille/files/ServiceAdmin.pm b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm
similarity index 100%
rename from meta-security/recipes-security/bastille/files/ServiceAdmin.pm
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm
diff --git a/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
diff --git a/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/allow_os_with_assess.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
diff --git a/meta-security/recipes-security/bastille/files/call_output_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/call_output_config.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
diff --git a/meta-security/recipes-security/bastille/files/config b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config
similarity index 100%
rename from meta-security/recipes-security/bastille/files/config
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config
diff --git a/meta-security/recipes-security/bastille/files/do_not_apply_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/do_not_apply_config.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
diff --git a/meta-security/recipes-security/bastille/files/edit_usage_message.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/edit_usage_message.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
diff --git a/meta-security/recipes-security/bastille/files/find_existing_config.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/find_existing_config.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
diff --git a/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
diff --git a/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/fix_number_of_modules.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
diff --git a/meta-security/recipes-security/bastille/files/fix_version_parse.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/fix_version_parse.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
diff --git a/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
diff --git a/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/organize_distro_discovery.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
diff --git a/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
diff --git a/meta-security/recipes-security/bastille/files/set_required_questions.py b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py
similarity index 100%
rename from meta-security/recipes-security/bastille/files/set_required_questions.py
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py
diff --git a/meta-security/recipes-security/bastille/files/simplify_B_place.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/simplify_B_place.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
diff --git a/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
similarity index 100%
rename from meta-security/recipes-security/bastille/files/upgrade_options_processing.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
diff --git a/meta-security/recipes-security/nikto/files/location.patch b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
similarity index 100%
rename from meta-security/recipes-security/nikto/files/location.patch
rename to meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
similarity index 100%
rename from meta-security/recipes-security/nikto/nikto_2.1.6.bb
rename to meta-security/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
diff --git a/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..828931d
--- /dev/null
+++ b/meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,10 @@
+
+
+RDEPENDS:packagegroup-security-utils += "\
+    python3-privacyidea \
+    python3-fail2ban \
+    "
+
+RDEPENDS:packagegroup-meta-security-ptest-packages += "\
+    python3-fail2ban-ptest \
+    "
diff --git a/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
similarity index 100%
rename from meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
rename to meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
diff --git a/meta-security/recipes-security/fail2ban/files/initd b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd
similarity index 100%
rename from meta-security/recipes-security/fail2ban/files/initd
rename to meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd
diff --git a/meta-security/recipes-security/fail2ban/files/run-ptest b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest
similarity index 100%
rename from meta-security/recipes-security/fail2ban/files/run-ptest
rename to meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
similarity index 100%
rename from meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
rename to meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
diff --git a/meta-security/recipes-security/mfa/python3-privacyidea_3.6.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
similarity index 100%
rename from meta-security/recipes-security/mfa/python3-privacyidea_3.6.2.bb
rename to meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
diff --git a/meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
similarity index 100%
rename from meta-security/recipes-python/python/python3-oauth2client_4.1.3.bb
rename to meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
deleted file mode 100644
index 35c3162..0000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/command-line-apply-operation-to-all-paths.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 5834216fb3aa4e5e59ee13e871c70db1b4e13f02 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Fri, 30 Sep 2016 10:22:16 +0200
-Subject: [PATCH] command line: apply operation to all paths
-
-Previously, invocations like "evmctl ima_hash foo bar" silently
-ignored all parameters after the first path name ("foo" in this
-example).
-
-Now evmctl iterates over all specified paths. It aborts with an
-error as soon as the selected operation fails for a path.
-
-Supporting more than one parameter is useful in combination with
-"find" and "xargs" because it is noticably faster than invoking
-evmutil separately for each file, in particular when run under pseudo
-(a fakeroot environment used by the OpenEmbedded build system).
-
-This complements the recursive mode and can be used when more control
-over file selection is needed.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- src/evmctl.c | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index 23cf54c..2072034 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -626,7 +626,7 @@ static int get_file_type(const char *path, const char *search_type)
- static int do_cmd(struct command *cmd, find_cb_t func)
- {
- 	char *path = g_argv[optind++];
--	int err, dts = REG_MASK; /* only regular files by default */
-+	int err = 0, dts = REG_MASK; /* only regular files by default */
- 
- 	if (!path) {
- 		log_err("Parameters missing\n");
-@@ -634,15 +634,18 @@ static int do_cmd(struct command *cmd, find_cb_t func)
- 		return -1;
- 	}
- 
--	if (recursive) {
--		if (search_type) {
--			dts = get_file_type(path, search_type);
--			if (dts < 0)
--				return dts;
-+	while (path && !err) {
-+		if (recursive) {
-+			if (search_type) {
-+				dts = get_file_type(path, search_type);
-+				if (dts < 0)
-+					return dts;
-+			}
-+			err = find(path, dts, func);
-+		} else {
-+			err = func(path);
- 		}
--		err = find(path, dts, func);
--	} else {
--		err = func(path);
-+		path = g_argv[optind++];
- 	}
- 
- 	return err;
--- 
-2.1.4
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
deleted file mode 100644
index 75076f5..0000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/disable-doc-creation.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 321a602098d11ee712ebd01f51033b5fd369eae9 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 13 May 2015 03:41:02 -0700
-Subject: [PATCH] Makefile.am: disable man page creation
-
-Depends on asciidoc, which is not available.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
----
- Makefile.am | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 06ebf59..4ddd52c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1,5 +1,5 @@
- SUBDIRS = src
--dist_man_MANS = evmctl.1
-+# dist_man_MANS = evmctl.1
- 
- doc_DATA =  examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
- EXTRA_DIST = autogen.sh $(doc_DATA)
-@@ -39,4 +39,21 @@ rmman:
- 
- doc: evmctl.1.html rmman evmctl.1
- 
-+# requires asciidoc, xslproc, docbook-xsl
-+# FIXME Disabled until docbook-xsl is unavaliable on tizen.org
-+#MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
-+#
-+#evmctl.1.html: README
-+#	@asciidoc -o $@ $<
-+#
-+#evmctl.1:
-+#	asciidoc -d manpage -b docbook -o evmctl.1.xsl README
-+#	xsltproc --nonet -o $@ $(MANPAGE_DOCBOOK_XSL) evmctl.1.xsl
-+#	rm -f evmctl.1.xsl
-+#
-+#rmman:
-+#	rm -f evmctl.1
-+#
-+#doc: evmctl.1.html rmman evmctl.1
-+
- .PHONY: $(tarname)
--- 
-1.8.4.5
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
deleted file mode 100644
index ffa65df..0000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils/evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2dec9199f8a8a2c84b25a3d3e7e2f41b71e07834 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 17 Jun 2015 14:28:18 +0200
-Subject: [PATCH 20/20] evmctl.c: do not depend on xattr.h with IMA defines
-
-Compilation on older Linux distros (like Ubuntu 12.04) fails
-because linux/xattr.h does not yet have the IMA defines. Compiling
-there makes sense when only the tools are needed, for example when
-signing an image in cross-compile mode.
-
-To support this, add fallbacks for the two defines which are needed.
-Their value is part of the Linux ABI and thus fixed.
-
-Upstream-status: Submitted [linux-ima-devel@lists.sourceforge.net]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
----
- src/evmctl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/evmctl.c b/src/evmctl.c
-index c54efbb..23cf54c 100644
---- a/src/evmctl.c
-+++ b/src/evmctl.c
-@@ -57,6 +57,18 @@
- #include <termios.h>
- #include <assert.h>
- 
-+/*
-+ * linux/xattr.h might be old to have this. Allow compilation on older
-+ * Linux distros (like Ubuntu 12.04) by falling back to our own
-+ * definition.
-+ */
-+#ifndef XATTR_IMA_SUFFIX
-+# define XATTR_IMA_SUFFIX "ima"
-+#endif
-+#ifndef XATTR_NAME_IMA
-+# define XATTR_NAME_IMA XATTR_SECURITY_PREFIX XATTR_IMA_SUFFIX
-+#endif
-+
- #include <openssl/sha.h>
- #include <openssl/pem.h>
- #include <openssl/hmac.h>
--- 
-2.1.4
-
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
new file mode 100644
index 0000000..4f1d1a3
--- /dev/null
+++ b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_1.4.bb
@@ -0,0 +1,24 @@
+DESCRIPTION = "IMA/EVM control utility"
+LICENSE = "GPL-2.0-with-OpenSSL-exception"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS += "openssl attr keyutils"
+
+DEPENDS:class-native += "openssl-native keyutils-native"
+
+SRC_URI = "https://sourceforge.net/projects/linux-ima/files/${BPN}/${BP}.tar.gz"
+SRC_URI[sha256sum] = "fcf85b31d6292051b3679e5f17ffa7f89b6898957aad0f59aa4e9878884b27d1"
+
+inherit pkgconfig autotools features_check
+
+REQUIRED_DISTRO_FEATURES = "ima"
+REQUIRED_DISTRO_FEATURES:class-native = ""
+
+EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
+
+# blkid is called by evmctl when creating evm checksums.
+# This is less useful when signing files on the build host,
+# so disable it when compiling on the host.
+RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
+
+BBCLASSEXTEND = "native nativesdk"
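Review bot: This recipe carries none of the three local patches that the removed `ima-evm-utils_git.bb` applied, and nothing here records that 1.4 made them unnecessary. The one that matters for integrity is `command-line-apply-operation-to-all-paths.patch`: its description says that without it `evmctl` silently ignores every path after the first, and the old recipe called it required for xargs use. If upstream 1.4 does not iterate over all paths, a signing step that passes several files per invocation would leave files unsigned without reporting an error. Please confirm the 1.4 behaviour and either keep a rebased `SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"` or add a comment stating that upstream now handles multiple paths. Separately, `DEPENDS:class-native += ...` assigns the override rather than appending to `DEPENDS`, so `DEPENDS:append:class-native = " openssl-native keyutils-native"` is probably what was meant.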
diff --git a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb b/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
deleted file mode 100644
index fc7a2d6..0000000
--- a/meta-security/meta-integrity/recipes-security/ima-evm-utils/ima-evm-utils_git.bb
+++ /dev/null
@@ -1,38 +0,0 @@
-DESCRIPTION = "IMA/EVM control utility"
-LICENSE = "GPL-2.0-with-OpenSSL-exception"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-DEPENDS += "openssl attr keyutils"
-
-DEPENDS:class-native += "openssl-native keyutils-native"
-
-PV = "1.2.1+git${SRCPV}"
-SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e"
-SRC_URI = "git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y"
-
-# Documentation depends on asciidoc, which we do not have, so
-# do not build documentation.
-SRC_URI += "file://disable-doc-creation.patch"
-
-# Workaround for upstream incompatibility with older Linux distros.
-# Relevant for us when compiling ima-evm-utils-native.
-SRC_URI += "file://evmctl.c-do-not-depend-on-xattr.h-with-IMA-defines.patch"
-
-# Required for xargs with more than one path as argument (better for performance).
-SRC_URI += "file://command-line-apply-operation-to-all-paths.patch"
-
-S = "${WORKDIR}/git"
-
-inherit pkgconfig autotools features_check
-
-REQUIRED_DISTRO_FEATURES = "ima"
-REQUIRED_DISTRO_FEATURES:class-native = ""
-
-EXTRA_OECONF:append:class-target = " --with-kernel-headers=${STAGING_KERNEL_BUILDDIR}"
-
-# blkid is called by evmctl when creating evm checksums.
-# This is less useful when signing files on the build host,
-# so disable it when compiling on the host.
-RDEPENDS:${PN}:append:class-target = " util-linux-blkid libcrypto attr libattr keyutils"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-parsec/README.md b/meta-security/meta-parsec/README.md
index 97026ea..f720cd2 100644
--- a/meta-security/meta-parsec/README.md
+++ b/meta-security/meta-parsec/README.md
@@ -88,6 +88,71 @@
 2. Run cargo-bitbake inside the repository. It will produce a BB file.
 3. Create a new include file with SRC_URI and LIC_FILES_CHKSUM from the BB file.
 
+Automated Parsec testing with runqemu
+=====================================
+
+ The Yocto build system has the ability to run a series of automated tests for qemu images.
+All the tests are actually commands run on the target system over ssh.
+
+ Meta-parsec includes automated unittests which run end to end Parsec tests.
+The tests are run against:
+- all providers pre-configured in the Parsec config file included in the image.
+- PKCS11 and TPM providers with software backends if softhsm and
+  swtpm packages included in the image.
+
+Meta-parsec also contains a recipe for `security-parsec-image` image with Parsec,
+softhsm and swtpm included.
+
+ Please notice that the account you use to run bitbake should have access to `/dev/kvm`.
+You might need to change permissions or add the account into `kvm` unix group.
+
+1. Testing Parsec with your own image where `parsec-service` and `parsec-tool` are already included.
+
+- Add into your `local.conf`:
+```
+INHERIT += "testimage"
+TEST_SUITES = "ping ssh parsec"
+```
+- Build your image
+```bash
+bitbake <your-image>
+```
+- Run tests
+```bash
+bitbake <your-image> -c testimage
+```
+
+2. Testing Parsec with pre-defined `security-parsec-image` image.
+
+- Add into your `local.conf`:
+```
+DISTRO_FEATURES += " tpm2"
+INHERIT += "testimage"
+TEST_SUITES = "ping ssh parsec"
+```
+- Build security-parsec-image image
+```bash
+bitbake security-parsec-image
+```
+- Run tests
+```bash
+bitbake security-parsec-image -c testimage
+```
+
+Output of a successfull tests run should look similar to:
+```
+RESULTS:
+RESULTS - ping.PingTest.test_ping: PASSED (0.05s)
+RESULTS - ssh.SSHTest.test_ssh: PASSED (0.25s)
+RESULTS - parsec.ParsecTest.test_all_providers: PASSED (1.84s)
+RESULTS - parsec.ParsecTest.test_pkcs11_provider: PASSED (2.91s)
+RESULTS - parsec.ParsecTest.test_tpm_provider: PASSED (3.33s)
+SUMMARY:
+security-parsec-image () - Ran 5 tests in 8.386s
+security-parsec-image - OK - All required tests passed (successes=5, skipped=0, failures=0, errors=0)
+```
+
+
 Manual testing with runqemu
 ===========================
 
diff --git a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
new file mode 100644
index 0000000..d3d3f2e
--- /dev/null
+++ b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -0,0 +1,138 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2022 Anton Antonov <Anton.Antonov@arm.com>
+#
+import re
+from tempfile import mkstemp
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+class ParsecTest(OERuntimeTestCase):
+    @classmethod
+    def setUpClass(cls):
+        cls.toml_file = '/etc/parsec/config.toml'
+
+    def setUp(self):
+        super(ParsecTest, self).setUp()
+        if 'systemd' in self.tc.td['DISTRO_FEATURES']:
+            self.parsec_status='systemctl status -l parsec'
+            self.parsec_reload='systemctl restart parsec'
+        else:
+            self.parsec_status='pgrep -l parsec'
+            self.parsec_reload='/etc/init.d/parsec reload'
+
+    def copy_subconfig(self, cfg, provider):
+        """ Copy a provider configuration to target and append it to Parsec config """
+
+        tmp_fd, tmp_path = mkstemp()
+        with os.fdopen(tmp_fd, 'w') as f:
+            f.write('\n'.join(cfg))
+
+        (status, output) = self.target.copyTo(tmp_path, "%s-%s" % (self.toml_file, provider))
+        self.assertEqual(status, 0, msg='File could not be copied.\n%s' % output)
+        status, output = self.target.run('cat %s-%s >>%s' % (self.toml_file, provider, self.toml_file))
+        os.remove(tmp_path)
+
+    def check_parsec_providers(self, provider=None, prov_id=None):
+        """ Get Parsec providers list and check for one if defined """
+
+        status, output = self.target.run(self.parsec_status)
+        self.assertEqual(status, 0, msg='Parsec service is not running.\n%s' % output)
+
+        status, output = self.target.run('parsec-tool list-providers')
+        self.assertEqual(status, 0, msg='Cannot get a list of Parsec providers.\n%s' % output)
+        if provider and prov_id:
+            self.assertIn("ID: 0x0%d (%s provider)" % (prov_id, provider),
+                          output, msg='%s provider is not configured.' % provider)
+
+    def run_cli_tests(self, prov_id=None):
+        """ Run Parsec CLI end-to-end tests against one or all providers """
+
+        status, output = self.target.run('parsec-cli-tests.sh %s' % ("-%d" % prov_id if prov_id else ""))
+        self.assertEqual(status, 0, msg='Parsec CLI tests failed.\n %s' % output)
+
+    @OEHasPackage(['parsec-service'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_all_providers(self):
+        """ Test Parsec service with all pre-defined providers """
+
+        self.check_parsec_providers()
+        self.run_cli_tests()
+
+    def configure_tpm_provider(self):
+        """ Create Parsec TPM provider configuration """
+
+        cfg = [
+                '',
+                '[[provider]]',
+                'name = "tpm-provider"',
+                'provider_type = "Tpm"',
+                'key_info_manager = "sqlite-manager"',
+                'tcti = "swtpm:port=2321"',
+                'owner_hierarchy_auth = ""',
+              ]
+        self.copy_subconfig(cfg, "TPM")
+
+        cmds = [
+                'mkdir /tmp/myvtpm',
+                'swtpm socket -d --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init',
+                'tpm2_startup -c -T "swtpm:port=2321"',
+                self.parsec_reload,
+               ]
+
+        for cmd in cmds:
+            status, output = self.target.run(cmd)
+            self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
+
+    @OEHasPackage(['parsec-service'])
+    @OEHasPackage(['swtpm'])
+    @skipIfNotFeature('tpm2','Test parsec_tpm_provider requires tpm2 to be in DISTRO_FEATURES')
+    @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+    def test_tpm_provider(self):
+        """ Configure and test Parsec TPM provider with swtpm as a backend """
+
+        prov_id = 3
+        self.configure_tpm_provider()
+        self.check_parsec_providers("TPM", prov_id)
+        self.run_cli_tests(prov_id)
+
+    def configure_pkcs11_provider(self):
+        """ Create Parsec PKCS11 provider configuration """
+
+        status, output = self.target.run('softhsm2-util --init-token --free --label "Parsec Service" --pin 123456 --so-pin 123456')
+        self.assertEqual(status, 0, msg='Failed to init PKCS11 token.\n%s' % output)
+
+        slot = re.search('The token has been initialized and is reassigned to slot (\d*)', output)
+        if slot is None:
+            self.fail('Failed to get PKCS11 slot serial number.\n%s' % output)
+        self.assertNotEqual(slot.group(1), None, msg='Failed to get PKCS11 slot serial number.\n%s' % output)
+
+        cfg = [
+                '',
+                '[[provider]]',
+                'name = "pkcs11-provider"',
+                'provider_type = "Pkcs11"',
+                'key_info_manager = "sqlite-manager"',
+                'library_path = "/usr/lib/softhsm/libsofthsm2.so"',
+                'slot_number = %s' % slot.group(1),
+                'user_pin = "123456"',
+                'allow_export = true',
+              ]
+        self.copy_subconfig(cfg, "PKCS11")
+
+        status, output = self.target.run('for d in /var/lib/softhsm/tokens/*; do chown -R parsec $d; done')
+        status, output = self.target.run(self.parsec_reload)
+        self.assertEqual(status, 0, msg='Failed to reload Parsec.\n%s' % output)
+
+    @OEHasPackage(['parsec-service'])
+    @OEHasPackage(['softhsm'])
+    @OETestDepends(['ssh.SSHTest.test_ssh', 'parsec.ParsecTest.test_all_providers'])
+    def test_pkcs11_provider(self):
+        """ Configure and test Parsec PKCS11 provider with softhsm as a backend """
+
+        prov_id = 2
+        self.configure_pkcs11_provider()
+        self.check_parsec_providers("PKCS #11", prov_id)
+        self.run_cli_tests(prov_id)
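Review bot: `copy_subconfig` calls `os.fdopen` and `os.remove`, but the module only imports `re` and `mkstemp`, so `test_tpm_provider` and `test_pkcs11_provider` would both stop with a NameError before any provider is configured; add `import os` next to `import re`. In the same helper the status of the `cat ... >>` append is never asserted, and neither is the `chown -R parsec` loop in `configure_pkcs11_provider`. A failed append or ownership change would then only show up later as an unrelated provider failure, so each should be followed by an `assertEqual(status, 0, ...)` as the surrounding calls do. The pattern passed to `re.search` contains `\d` in a plain string literal and should be written as a raw string.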
diff --git a/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb
new file mode 100644
index 0000000..7add74b
--- /dev/null
+++ b/meta-security/meta-parsec/recipes-core/images/security-parsec-image.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "A small image for testing Parsec service with MbedCrypto, TPM and PKCS11 providers"
+
+inherit core-image
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    packagegroup-security-tpm2 \
+    packagegroup-security-parsec \
+    swtpm \
+    softhsm \
+    os-release"
+
+export IMAGE_BASENAME = "security-parsec-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
new file mode 100644
index 0000000..0af9c3d
--- /dev/null
+++ b/meta-security/meta-parsec/recipes-core/packagegroups/packagegroup-security-parsec.bb
@@ -0,0 +1,16 @@
+DESCRIPTION = "Parsec Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "\
+    packagegroup-security-parsec \
+    "
+
+SUMMARY:packagegroup-security-parsec = "Security Parsec"
+RDEPENDS:packagegroup-security-parsec = "\
+    parsec-tool \
+    parsec-service \
+    "
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
index fe576a2..954bfa3 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/files/parsec-tmpfiles.conf
@@ -1,2 +1,3 @@
 #Type   Path            Mode    User    Group   Age     Argument
 d       /run/parsec     755     parsec  parsec  -       -
+d       /var/lib/parsec 700     parsec  parsec  -       -
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
index d1d6c07..84539f9 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.0.0.bb
@@ -15,8 +15,8 @@
 have_TPM = "${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', 'TPM', '', d)}"
 PACKAGECONFIG:append = " ${@bb.utils.contains('BBFILE_COLLECTIONS', 'tpm-layer', '${have_TPM}', '', d)}"
 
-PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,libts"
-PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss"
+PACKAGECONFIG[ALL] = "all-providers cryptoki/generate-bindings tss-esapi/generate-bindings,,tpm2-tss libts,tpm2-tss libtss2-tcti-device libts"
+PACKAGECONFIG[TPM] = "tpm-provider tss-esapi/generate-bindings,,tpm2-tss,tpm2-tss libtss2-tcti-device"
 PACKAGECONFIG[PKCS11] = "pkcs11-provider cryptoki/generate-bindings,"
 PACKAGECONFIG[MBED-CRYPTO] = "mbed-crypto-provider,"
 PACKAGECONFIG[CRYPTOAUTHLIB] = "cryptoauthlib-provider,"
@@ -25,6 +25,13 @@
 PARSEC_FEATURES = "${@d.getVar('PACKAGECONFIG_CONFARGS',True).strip().replace(' ', ',')}"
 CARGO_BUILD_FLAGS += " --features ${PARSEC_FEATURES}"
 
+export BINDGEN_EXTRA_CLANG_ARGS
+target = "${@d.getVar('TARGET_SYS',True).replace('-', ' ')}"
+BINDGEN_EXTRA_CLANG_ARGS = "${@bb.utils.contains('target', 'arm', \
+                              '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include -mfloat-abi=hard', \
+                              '--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include', \
+                              d)}"
+
 inherit systemd
 SYSTEMD_SERVICE:${PN} = "parsec.service"
 
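Review bot: The added `BINDGEN_EXTRA_CLANG_ARGS` selects `-mfloat-abi=hard` for every target whose `TARGET_SYS` contains the word `arm`, so a soft-float arm32 tune would hand bindgen an ABI flag that does not match its sysroot headers. Keying the flag on the tune rather than the architecture name avoids that and makes the lowercase helper variable `target` unnecessary: `BINDGEN_EXTRA_CLANG_ARGS = "--sysroot=${WORKDIR}/recipe-sysroot -I${WORKDIR}/recipe-sysroot/usr/include${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', ' -mfloat-abi=hard', '', d)}"`. A one-line comment saying that the flags are consumed by bindgen's clang and not by the Rust compiler would also help the next reader.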
@@ -35,7 +42,7 @@
 # The file should also be included into SRC_URI then
 PARSEC_CONFIG ?= "${S}/config.toml"
 
-do_install:append () {
+do_install () {
     # Binaries
     install -d -m 700 -o parsec -g parsec "${D}${libexecdir}/parsec"
     install -m 700 -o parsec -g parsec "${WORKDIR}/build/target/${CARGO_TARGET_SUBDIR}/parsec" ${D}${libexecdir}/parsec/parsec
@@ -44,9 +51,6 @@
     install -d -m 700 -o parsec -g parsec "${D}${sysconfdir}/parsec"
     install -m 400 -o parsec -g parsec "${PARSEC_CONFIG}" ${D}${sysconfdir}/parsec/config.toml
 
-    # Data dir
-    install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
-
     if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
         install -d ${D}${systemd_unitdir}/system
         install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system
@@ -58,6 +62,8 @@
     if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
         install -d ${D}${sysconfdir}/init.d
         install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
+        # Data dir
+        install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
     fi
 }
 
@@ -65,12 +71,12 @@
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM:${PN} = "-r -g parsec -s /bin/false -d ${localstatedir}/lib/parsec parsec"
 GROUPADD_PARAM:${PN} = "-r parsec"
+GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains('PACKAGECONFIG_CONFARGS', 'tpm-provider', '-a parsec -g tss', '', d)}"
 
 FILES:${PN} += " \
     ${sysconfdir}/parsec/config.toml \
     ${libexecdir}/parsec/parsec \
     ${systemd_unitdir}/system/parsec.service \
-    ${localstatedir}/lib/parsec \
     ${libdir}/tmpfiles.d/parsec-tmpfiles.conf \
     ${sysconfdir}/init.d/parsec \
 "
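Review bot: `GROUPMEMS_PARAM:${PN}` adds `parsec` to the `tss` group only when `tpm-provider` appears in `PACKAGECONFIG_CONFARGS`, but `PACKAGECONFIG[ALL]` in the first hunk of this file enables `all-providers` instead, so a build configured with ALL gets the TPM provider without the group membership. Checking both words covers it: `GROUPMEMS_PARAM:${PN} = "${@bb.utils.contains_any('PACKAGECONFIG_CONFARGS', 'tpm-provider all-providers', '-a parsec -g tss', '', d)}"`. The `tss` group is not created anywhere in the visible lines of this recipe, so it presumably has to exist before this step runs; a comment naming the package that provides it would document that ordering.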
diff --git a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass
index 2f8b52d..1ab03c8 100644
--- a/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass
+++ b/meta-security/meta-tpm/classes/sanity-meta-tpm.bbclass
@@ -2,7 +2,9 @@
 tpm_machinecheck[eventmask] = "bb.event.SanityCheck"
 python tpm_machinecheck() {
     skip_check = e.data.getVar('SKIP_META_TPM_SANITY_CHECK') == "1"
-    if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check:
+    if 'tpm' not in e.data.getVar('DISTRO_FEATURES').split() and \
+       'tpm2' not in e.data.getVar('DISTRO_FEATURES').split() and \
+       not skip_check:
         bb.warn("You have included the meta-tpm layer, but \
 'tpm or tpm2' has not been enabled in your DISTRO_FEATURES. Some bbappend files \
 and preferred version setting may not take effect. See the meta-tpm README \
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index c6f9d92..c2c95e7 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -16,28 +16,45 @@
         if expected_endlines:
             self.fail('Missing expected line endings:\n  %s' % '\n  '.join(expected_endlines))
 
-    @OEHasPackage(['tpm2-tss'])
-    @OEHasPackage(['tpm2-abrmd'])
     @OEHasPackage(['tpm2-tools'])
-    @OEHasPackage(['ibmswtpm2'])
+    @OEHasPackage(['tpm2-abrmd'])
+    @OEHasPackage(['swtpm'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
-    def test_tpm2_sim(self):
+    def test_tpm2_swtpm_socket(self):
         cmds = [
-                'tpm_server &',
-                'tpm2-abrmd --allow-root --tcti=mssim &'
+                'mkdir /tmp/myvtpm',
+                'swtpm socket --tpmstate dir=/tmp/myvtpm --tpm2 --ctrl type=tcp,port=2322 --server type=tcp,port=2321 --flags not-need-init &',
+                'export TPM2TOOLS_TCTI="swtpm:port=2321"',
+                'tpm2_startup -c'
                ]
 
         for cmd in cmds:
             status, output = self.target.run(cmd)
             self.assertEqual(status, 0, msg='\n'.join([cmd, output]))
 
-    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_sim'])
-    def test_tpm2(self):
-         (status, output) = self.target.run('tpm2_pcrlist')
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+    def test_tpm2_pcrread(self):
+         (status, output) = self.target.run('tpm2_pcrread')
          expected_endlines = []
-         expected_endlines.append('sha1 :')
-         expected_endlines.append('  0  : 0000000000000000000000000000000000000003')
-         expected_endlines.append('  1  : 0000000000000000000000000000000000000000')
+         expected_endlines.append('  sha1:')
+         expected_endlines.append('    0 : 0x0000000000000000000000000000000000000000')
+         expected_endlines.append('    1 : 0x0000000000000000000000000000000000000000')
+         expected_endlines.append('  sha256:')
+         expected_endlines.append('    0 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+         expected_endlines.append('    1 : 0x0000000000000000000000000000000000000000000000000000000000000000')
+
 
          self.check_endlines(output, expected_endlines)
 
+
+    @OEHasPackage(['p11-kit'])
+    @OEHasPackage(['tpm2-pkcs11'])
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_swtpm_socket'])
+    def test_tpm2_pkcs11(self):
+         (status, output) = self.target.run('p11-kit list-modules -v')
+         self.assertEqual(status, 0, msg="Modules missing: %s" % output)
+
+    @OETestDepends(['tpm2.Tpm2Test.test_tpm2_pkcs11'])
+    def test_tpm2_swtpm_reset(self):
+         (status, output) = self.target.run('swtpm_ioctl -i --tcp :2322')
+         self.assertEqual(status, 0, msg="swtpm reset failed: %s" % output)
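Review bot: In `test_tpm2_swtpm_socket` the `export TPM2TOOLS_TCTI="swtpm:port=2321"` entry is run as its own `self.target.run()` call, and each call appears to start a separate shell on the target, so the variable would not reach `tpm2_startup -c` or the later `tpm2_pcrread` test. The tools would then talk to whatever TCTI they find by default, which may not be the swtpm instance started here. Setting the variable on the command that needs it makes the intent explicit, `'TPM2TOOLS_TCTI="swtpm:port=2321" tpm2_startup -c'`, and `'mkdir -p /tmp/myvtpm'` keeps a second run on the same target from failing at the first command. `test_tpm2_pcrread` also never checks `status`, and `tpm2-abrmd` is still required by the decorators although it is no longer started. The enclosing test class begins outside this hunk.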
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index a9174e6..e8812d0 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -27,8 +27,13 @@
 do_install:append() {
     install -d ${D}${libdir}/pkcs11
     install -d ${D}${datadir}/p11-kit
+
+    # remove symlinks
     rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
 
+    #install lib
+    install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ${D}${libdir}/pkcs11/libtpm2_pkcs11.so
+
     cd ${S}/tools
     export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
     ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
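Review bot: The added `install -m 755 ${B}/src/.libs/libtpm2_pkcs11.so ...` line takes the module from libtool's private `.libs` build directory instead of from what the install step staged under `${D}`. It therefore depends on a build layout that can change between releases, and it may ship an object that has not gone through libtool's install-time relink. If the versioned library is already present under `${D}${libdir}`, copying that file into `${D}${libdir}/pkcs11` would be more robust. The terse comments `# remove symlinks` and `#install lib` would also be clearer if they said why the symlink cannot be shipped as is. The body of `do_install:append` continues outside this hunk.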
@@ -48,5 +53,5 @@
     ${datadir}/p11-kit/* \
     "
 
-RDEPENDS:${PN} = "tpm2-tools"
-RDEPENDS:${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
+RDEPENDS:${PN} = "p11-kit tpm2-tools "
+RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index f924038..c20af7e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -16,3 +16,6 @@
     # do not extract the version number from git
     sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
 }
+
+# need tss-esys
+RDEPENDS:${PN} = "libtss2 tpm2-abrmd"
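Review bot: `RDEPENDS:${PN} = "libtss2 tpm2-abrmd"` assigns with `=`, which discards any runtime dependency set earlier in the recipe or an include (not visible in this hunk), and the comment `# need tss-esys` explains only the first entry. Making `tpm2-abrmd` a hard dependency also installs the resource-manager daemon on every image that only wants the command-line tools, which is more privileged code than a device using the kernel resource manager needs. Consider `RDEPENDS:${PN} += "libtss2"` together with `RRECOMMENDS:${PN} = "tpm2-abrmd"`, and extend the comment to say why each package is listed.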
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index fefc66d..9010054 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -10,7 +10,6 @@
     packagegroup-security-utils \
     packagegroup-security-scanners \
     packagegroup-security-audit \
-    packagegroup-security-hardening \
     packagegroup-security-ids  \
     packagegroup-security-mac  \
     ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
@@ -20,7 +19,6 @@
     packagegroup-security-utils \
     packagegroup-security-scanners \
     packagegroup-security-audit \
-    packagegroup-security-hardening \
     packagegroup-security-ids  \
     packagegroup-security-mac  \
     ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-meta-security-ptest-packages", "", d)} \
@@ -35,8 +33,6 @@
     keyutils \
     nmap \
     pinentry \
-    python3-privacyidea \
-    python3-fail2ban \
     softhsm \
     sshguard \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
@@ -47,8 +43,6 @@
 SUMMARY:packagegroup-security-scanners = "Security scanners"
 RDEPENDS:packagegroup-security-scanners = "\
     isic \
-    nikto \
-    checksecurity \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \
     "
 RDEPENDS:packagegroup-security-scanners:remove:libc-musl = "clamav clamav-daemon clamav-freshclam"
@@ -59,15 +53,10 @@
     redhat-security \
     "
 
-SUMMARY:packagegroup-security-hardening = "Security Hardening tools"
-RDEPENDS:packagegroup-security-hardening = " \
-    bastille \
-    "
-
 SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS:packagegroup-security-ids = " \
     samhain-standalone \
-    ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata","", d)} \
+    suricata \
     ossec-hids \
     aide \
     "
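Review bot: `suricata` is now listed unconditionally in `packagegroup-security-ids`, but `suricata-ptest` in the ptest group (a context line in the next hunk) is still gated on `meta-rust` being in `BBLAYERS`. If the gate was dropped here because the Rust dependency no longer comes from that layer (an inference from this change), the ptest package will silently never be installed. The ptest entry should follow the same rule, that is a plain `suricata-ptest \` line.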
@@ -92,7 +81,6 @@
     ptest-runner \
     samhain-standalone-ptest \
     ${@bb.utils.contains("BBLAYERS", "meta-rust", "suricata-ptest","", d)} \
-    python3-fail2ban-ptest \
     ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
 "
 
diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.4.bb
similarity index 90%
rename from meta-security/recipes-ids/aide/aide_0.17.3.bb
rename to meta-security/recipes-ids/aide/aide_0.17.4.bb
index b1fb58d..6bc2bfe 100644
--- a/meta-security/recipes-ids/aide/aide_0.17.3.bb
+++ b/meta-security/recipes-ids/aide/aide_0.17.4.bb
@@ -8,7 +8,7 @@
 SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
            file://aide.conf"
 
-SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"
 
 inherit autotools pkgconfig
 
@@ -20,7 +20,7 @@
 PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
 PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
 PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
-PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,audit"
 PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
 PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
 PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
similarity index 98%
rename from meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
rename to meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
index b0759b1..c211f03 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -9,7 +9,7 @@
            file://0002-Makefile-don-t-set-uid-gid.patch \
            "
 
-SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
+SRCREV = "1ecffb1b884607cb12e619f9ab3c04f530801083"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc
index df9e215..eb8592d 100644
--- a/meta-security/recipes-ids/samhain/samhain.inc
+++ b/meta-security/recipes-ids/samhain/samhain.inc
@@ -3,7 +3,7 @@
 LICENSE     = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
 
-PV = "4.4.7"
+PV = "4.4.9"
 
 SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
            file://${INITSCRIPT_NAME}.init \
@@ -21,7 +21,7 @@
            file://samhain-fix-initializer-element-is-not-constant.patch \
            "
 
-SRC_URI[sha256sum] = "0aa978accb635000c2d9170f307bff8a95836f8ec01615a53dbd9c2af9564d44"
+SRC_URI[sha256sum] = "dd85bf2f90db3ce616a09608e650f3707a4d69aa1e1fe718f8b359ce0aafc198"
 
 UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
 UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.39.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb
similarity index 90%
rename from meta-security/recipes-ids/suricata/libhtp_0.5.39.bb
rename to meta-security/recipes-ids/suricata/libhtp_0.5.40.bb
index 80c9014..08e285e 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.39.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.40.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
 
 SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "6b70803c45894da7a591b2305498335e6df4f9a3"
+SRCREV = "1733478f7fd09e936fea2e024f1d228d40741df2"
 
 DEPENDS = "zlib"
 
diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.4.bb b/meta-security/recipes-ids/suricata/suricata_6.0.5.bb
similarity index 97%
rename from meta-security/recipes-ids/suricata/suricata_6.0.4.bb
rename to meta-security/recipes-ids/suricata/suricata_6.0.5.bb
index 31244f3..913e64e 100644
--- a/meta-security/recipes-ids/suricata/suricata_6.0.4.bb
+++ b/meta-security/recipes-ids/suricata/suricata_6.0.5.bb
@@ -5,7 +5,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
 
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz"
-SRC_URI[sha256sum] = "a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d"
+SRC_URI[sha256sum] = "0d4197047c84ba070dfc6b1d9f9ee92f52a71403bfac0e29b2554bb21fe00754"
 
 DEPENDS = "lz4 libhtp"
 
@@ -121,7 +121,8 @@
 
 B = "${S}"
 
-PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
+# nfnetlink has a dependancy to meta-networking
+PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nss nspr "
 PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
 
 PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," 
diff --git a/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/meta-security/recipes-perl/perl/lib-perl_0.63.bb
index 4c964d5..25d0890 100644
--- a/meta-security/recipes-perl/perl/lib-perl_0.63.bb
+++ b/meta-security/recipes-perl/perl/lib-perl_0.63.bb
@@ -26,3 +26,10 @@
 	export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
 	cpan_do_compile
 }
+
+do_install:append() {
+   # Man pages here conflict wtih the main perl documentation
+   for page in ${D}${mandir}/man*/*; do
+        mv $page $(dirname $page)/${BPN}-$(basename $page)
+    done
+}
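Review bot: The loop in the new `do_install:append` fails when `${D}${mandir}/man*/*` matches nothing, because the shell then hands the unexpanded pattern to `mv` and the resulting error presumably aborts the task. `$page` is also unquoted. Adding `[ -e "$page" ] || continue` as the first line of the loop and writing the rename as `mv "$page" "$(dirname "$page")/${BPN}-$(basename "$page")"` covers both cases. The comment has a typo (`wtih`) and the body mixes three-, four- and eight-space indentation.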
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb
index c152b8c..c8d31cf 100644
--- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.1.bb
@@ -3,7 +3,7 @@
 HOME_PAGE = "http://ee.lbl.gov/"
 LIC_FILES_CHKSUM = "file://configure;md5=74ca964ed34fda7b46c6fe3e50bded9d"
 
-DEPENDS += "libpcap postfix"
+DEPENDS += "libpcap"
 
 SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
            file://arpwatch.conf \
@@ -21,7 +21,11 @@
 APRWATCH_FROM ?= "root "
 ARPWATH_REPLY ?= "${ARPWATCH_UID}"
 
-EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}"
+PACKAGECONFIG ??= ""
+
+PACKACONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
+
+EXTRA_OECONF:append = " --srcdir=${S}"
 
 CONFIGUREOPTS = " --build=${BUILD_SYS} \
           --host=${HOST_SYS} \
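Review bot: The new flag is spelled `PACKACONFIG[email]`, so BitBake never sees an `email` option for `PACKAGECONFIG`, and neither the configure arguments nor the postfix dependencies can be switched on. The first argument is also written `-with-watcher` with a single dash. Because the same hunk removes these arguments from `EXTRA_OECONF`, the e-mail settings can no longer be applied at all. The line should read `PACKAGECONFIG[email] = "--with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"`. `APRWATCH_FROM` and `ARPWATH_REPLY` in the context lines look misspelled too, but they are used consistently within the hunk.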
@@ -76,4 +80,4 @@
 FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
                ${sysconfdir} /var/lib/arpwatch"
 
-RDEPENDS:${PN} = "libpcap postfix postfix-cfg"
+RDEPENDS:${PN} = "libpcap"
diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
index 663d8e2..8147fe6 100644
--- a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
+++ b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
@@ -8,19 +8,19 @@
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-BBCLASSEXTEND = "native nativesdk"
-
 # fscrypt depends on go and libpam
 DEPENDS += "go-native libpam"
 
 SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4"
 SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
+
 GO_IMPORT = "import"
 
-S = "${WORKDIR}/git"
+inherit go goarch features_check
 
-inherit go
-inherit goarch
+REQUIRED_DISTRO_FEATURES = "pam"
+
+S = "${WORKDIR}/git"
 
 do_compile() {
 	export GOARCH=${TARGET_GOARCH}
@@ -47,3 +47,5 @@
 	install -d ${D}/${bindir}
 	install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt
 }
+
+BBCLASSEXTEND = "native nativesdk"