subtree updates: raspberrypi security arm

meta-arm: eb9c47a4e1..9b6c8c95e4:
  Abdellatif El Khlifi (1):
        CI: append classes to INHERIT in the common fvp.yml

  Adam Johnston (1):
        arm-bsp/linux-yocto: Update N1SDP PCI quirk patch

  Jon Mason (10):
        CI: add yml files for defaults
        CI: add support for dev kernel, rt kernel, and poky-tiny
        arm-bsp/fvp-base: update to u-boot 2023.01
        arm-bsp/fvp-base-arm32: remove support
        ci: add external-toolchain to qemuarm-secureboot
        arm-bsp/optee: remove unused recipes
        arm/optee: optee-os include cleanup
        arm/optee-os: update to 3.20.0
        arm/edk2: update version and relocate edk2-basetools to be with edk2
        arm-bsp/fvp-base: Add edk2 build testing

  Ross Burton (7):
        arm-bsp/linux-arm64-ack: update Upstream-Status tags
        CI: add CI_CLEAN_REPOS variable to allow cleaning the repo reference cache
        arm/scp-firmware: fix up whitespace
        arm/scp-firmware: enable verbose builds
        arm/scp-firmware: remove textrel from INSANE_SKIP
        arm/scp-firmware: improve debug packaging
        CI: mask poky's llvm if we're using clang

  Rui Miguel Silva (1):
        arm-bsp/optee: bump corstone1000 to v3.20

  Satish Kumar (1):
        arm-bsp/corstone1000: new gpt based disk layout and fwu metadata

  Xueliang Zhong (1):
        arm-bsp/n1sdp: update to linux yocto kernel 6.1

meta-security: c06b9a18a6..a397a38ed9:
  Armin Kuster (16):
        openscap: update to 1.3.6
        openscap: update to 1.3.7
        openscap git: add DEFAULT_PREFERENCE
        python3-fail2ban: update to 1.0.2
        python3-privacyidea: update to 3.8.1
        libhtp: update to 0.5.42
        lkrg-modules: update to 0.9.6
        chkrootkit: update to 0.57
        fscrypt: update to 1.1.0
        libmspack: update to 1.11
        firejail: update 0.9.72
        suricata: update to 6.0.10
        apparmor: update to 3.1.3
        krill: update 0.12.3
        cryptmout: update to 6.2.0
        packagegroup-core-security: refactor the inclusion of krill

  Eero Aaltonen (1):
        dm-verity-img.bbclass: fix syntax warning

  Jose Quaresma (3):
        meta-hardening/layer: lower the priority from 10 to 6
        meta-security-compliance/layer: lower the priority from 10 to 6
        meta-tpm/layer: lower the priority from 10 to 6

  Kevin Hao (1):
        dm-verity-img.bbclass: Fix the hash offset alignment issue

  Mikko Rapeli (1):
        ima-evm-utils: disable documentation from build

  Paul Gortmaker (3):
        dm-verity: update beaglebone wic to match meta-yocto
        dm-verity: add basic non-arch/non-BSP yocto specific settings
        dm-verity: document board specifics for Beaglebone Black

  Peter Marko (1):
        tpm2-tss: correct CVE product

meta-raspberrypi: e15b876155..3afdbbf782:
  Carlos Alberto Lopez Perez (1):
        mesa-demos: enable build with userland graphics drivers.

  Khem Raj (6):
        linux-raspberrypi: Add recipes for 6.1 kernel
        psplash: Make psplash wait for the framebuffer to be ready
        rpi-default-versions: Use 6.1 kernel as default
        gstreamer1.0-plugins-bad: Drop gpl packageconfig
        rpidistro-ffmpeg: Pin to use gcc always
        rpidistro-vlc: Fix build with clang16

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Ie6e60085306d31972098b87738eb550e5140b92a

10 files changed, 86 insertions, 4 deletions

diff --git a/meta-raspberrypi/conf/machine/include/rpi-default-versions.inc b/meta-raspberrypi/conf/machine/include/rpi-default-versions.inc
index a29fd5efbb..2f76db961b 100644
--- a/meta-raspberrypi/conf/machine/include/rpi-default-versions.inc
+++ b/meta-raspberrypi/conf/machine/include/rpi-default-versions.inc
@@ -1,4 +1,4 @@
 # RaspberryPi BSP default versions
 
-PREFERRED_VERSION_linux-raspberrypi ??= "5.15.%"
+PREFERRED_VERSION_linux-raspberrypi ??= "6.1.%"
 PREFERRED_VERSION_linux-raspberrypi-v7 ??= "${PREFERRED_VERSION_linux-raspberrypi}"
diff --git a/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/files/0008-configure-Disable-incompatible-function-pointer-type.patch b/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/files/0008-configure-Disable-incompatible-function-pointer-type.patch
new file mode 100644
index 0000000000..3dbd08dff5
--- /dev/null
+++ b/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/files/0008-configure-Disable-incompatible-function-pointer-type.patch
@@ -0,0 +1,26 @@
+From 048e4fdd08ac588feb27b03e3ec1824e24f77d62 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 5 Mar 2023 14:13:25 -0800
+Subject: [PATCH 3/3] configure: Disable incompatible-function-pointer-types
+ warning
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.ac | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -105,6 +105,11 @@ AC_SUBST([AM_CFLAGS], [-fcommon])
+ dnl Prevent clang from accepting unknown flags with a mere warning
+ AX_APPEND_COMPILE_FLAGS([-Werror=unknown-warning-option -Werror=invalid-command-line-argument], [CFLAGS])
+ AX_APPEND_COMPILE_FLAGS([-Werror=unknown-warning-option -Werror=invalid-command-line-argument], [CXXFLAGS])
++dnl disable clang from erroring on function pointer protype mismatch, vlc seems to rely on that
++dnl especially in  modules/video_filter/deinterlace/algo_yadif.c how it interpolates 'filter` variable
++dnl between different functions yadif_filter_line_c_16bit() and yadif_filter_line_c()
++AX_APPEND_COMPILE_FLAGS([-Wno-error=incompatible-function-pointer-types -Wno-error=incompatible-function-pointer-types], [CFLAGS])
++AX_APPEND_COMPILE_FLAGS([-Wno-error=incompatible-function-pointer-types -Wno-error=incompatible-function-pointer-types], [CXXFLAGS])
+ 
+ dnl
+ dnl  Check the operating system
diff --git a/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/rpidistro-vlc_3.0.17.bb b/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/rpidistro-vlc_3.0.17.bb
index 2653b28f90..8b8ac4aa5b 100644
--- a/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/rpidistro-vlc_3.0.17.bb
+++ b/meta-raspberrypi/dynamic-layers/multimedia-layer/recipes-multimedia/rpidistro-vlc/rpidistro-vlc_3.0.17.bb
@@ -14,6 +14,7 @@ SRC_URI = "\
     file://0005-mmal_exit_fix.patch \
     file://0006-mmal_chain.patch \
     file://0007-armv6.patch \
+    file://0008-configure-Disable-incompatible-function-pointer-type.patch \
     file://2001-fix-luaL-checkint.patch \
     file://2002-use-vorbisidec.patch \
     file://3001-configure.ac-setup-for-OE-usage.patch \
diff --git a/meta-raspberrypi/recipes-core/psplash/files/framebuf.conf b/meta-raspberrypi/recipes-core/psplash/files/framebuf.conf
new file mode 100644
index 0000000000..44e1dedd64
--- /dev/null
+++ b/meta-raspberrypi/recipes-core/psplash/files/framebuf.conf
@@ -0,0 +1,4 @@
+[Unit]
+Requires=sys-devices-platform-gpu-graphics-fb0.device
+After=sys-devices-platform-gpu-graphics-fb0.device
+
diff --git a/meta-raspberrypi/recipes-core/psplash/psplash_%.bbappend b/meta-raspberrypi/recipes-core/psplash/psplash_%.bbappend
index bf99b2bff7..57cade8ffc 100644
--- a/meta-raspberrypi/recipes-core/psplash/psplash_%.bbappend
+++ b/meta-raspberrypi/recipes-core/psplash/psplash_%.bbappend
@@ -1,2 +1,12 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 SPLASH_IMAGES:rpi = "file://psplash-raspberrypi-img.h;outsuffix=raspberrypi"
+
+SRC_URI:append:rpi = " file://framebuf.conf"
+
+do_install:append:rpi() {
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+        install -Dm 0644 ${WORKDIR}/framebuf.conf ${D}${systemd_system_unitdir}/psplash-start.service.d/framebuf.conf
+    fi
+}
+
+FILES:${PN}:append:rpi = " ${systemd_system_unitdir}/psplash-start.service.d"
diff --git a/meta-raspberrypi/recipes-graphics/mesa/mesa-demos_%.bbappend b/meta-raspberrypi/recipes-graphics/mesa/mesa-demos_%.bbappend
index abb11ec8ff..efcaf06c84 100644
--- a/meta-raspberrypi/recipes-graphics/mesa/mesa-demos_%.bbappend
+++ b/meta-raspberrypi/recipes-graphics/mesa/mesa-demos_%.bbappend
@@ -1,2 +1,3 @@
-# mesa-demos need libgles1 and userland driver does not have it
-COMPATIBLE_HOST:rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '(.*)', 'null', d)}"
+# mesa-demos userland driver doesn't provide libgles1 and the EGL headers it provides break the mesa-demos build.
+# And enabling the `wayland` option without enabling `egl` is useless.
+PACKAGECONFIG:remove:rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '', 'egl gles1 wayland', d)}"
diff --git a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-v7_6.1.bb b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-v7_6.1.bb
new file mode 100644
index 0000000000..ef77b0b5e8
--- /dev/null
+++ b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi-v7_6.1.bb
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Andrei Gherzan <andrei.gherzan@huawei.com>
+#
+# SPDX-License-Identifier: MIT
+
+require linux-raspberrypi-v7.inc
+require linux-raspberrypi_6.1.bb
diff --git a/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_6.1.bb b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_6.1.bb
new file mode 100644
index 0000000000..c523457e20
--- /dev/null
+++ b/meta-raspberrypi/recipes-kernel/linux/linux-raspberrypi_6.1.bb
@@ -0,0 +1,31 @@
+LINUX_VERSION ?= "6.1.20"
+LINUX_RPI_BRANCH ?= "rpi-6.1.y"
+LINUX_RPI_KMETA_BRANCH ?= "yocto-6.1"
+
+SRCREV_machine = "a1cd5351f431caf7cf472825aff0e1c66bf31de4"
+SRCREV_meta = "1a97a82e62ebf4ef3787768a1f5937e2d2f280ce"
+
+KMETA = "kernel-meta"
+
+SRC_URI = " \
+    git://github.com/raspberrypi/linux.git;name=machine;branch=${LINUX_RPI_BRANCH};protocol=https \
+    git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=${LINUX_RPI_KMETA_BRANCH};destsuffix=${KMETA} \
+    file://powersave.cfg \
+    file://android-drivers.cfg \
+    "
+
+require linux-raspberrypi.inc
+
+KERNEL_DTC_FLAGS += "-@ -H epapr"
+
+RDEPENDS:${KERNEL_PACKAGE_NAME}:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-base:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-base"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-image:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-image"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-dev:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-dev"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-vmlinux:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-vmlinux"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-modules:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-modules"
+RDEPENDS:${KERNEL_PACKAGE_NAME}-dbg:raspberrypi-armv7:append = " ${RASPBERRYPI_v7_KERNEL_PACKAGE_NAME}-dbg"
+
+DEPLOYDEP = ""
+DEPLOYDEP:raspberrypi-armv7 = "${RASPBERRYPI_v7_KERNEL}:do_deploy"
+do_deploy[depends] += "${DEPLOYDEP}"
diff --git a/meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend b/meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend
index 2bf628134c..5b3f945dd0 100644
--- a/meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend
+++ b/meta-raspberrypi/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_%.bbappend
@@ -1,2 +1,2 @@
 PACKAGECONFIG:append:rpi = " hls \
-                   ${@bb.utils.contains('LICENSE_FLAGS_ACCEPTED', 'commercial', 'gpl faad', '', d)}"
+                   ${@bb.utils.contains('LICENSE_FLAGS_ACCEPTED', 'commercial', 'faad', '', d)}"
diff --git a/meta-raspberrypi/recipes-multimedia/rpidistro-ffmpeg/rpidistro-ffmpeg_4.3.4.bb b/meta-raspberrypi/recipes-multimedia/rpidistro-ffmpeg/rpidistro-ffmpeg_4.3.4.bb
index 30e7c575e3..a4a7f90edf 100644
--- a/meta-raspberrypi/recipes-multimedia/rpidistro-ffmpeg/rpidistro-ffmpeg_4.3.4.bb
+++ b/meta-raspberrypi/recipes-multimedia/rpidistro-ffmpeg/rpidistro-ffmpeg_4.3.4.bb
@@ -144,6 +144,9 @@ EXTRA_OECONF = " \
 "
 EXTRA_OECONF:append:linux-gnux32 = " --disable-asm"
 
+# Some patches introduce assembly files which needs preprocessing with
+# gcc e.g. src/libavutil/aarch64/rpi_sand_neon.S
+TOOLCHAIN = "gcc"
 # gold crashes on x86, another solution is to --disable-asm but thats more hacky
 # ld.gold: internal error in relocate_section, at ../../gold/i386.cc:3684
 LDFLAGS:append:x86 = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}"