diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-12-17 04:11:34 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-01-09 02:21:44 +0300 |
| commit | 1a4b7ee28bf7413af6513fb45ad0d0736048f866 (patch) | |
| tree | 79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce /meta-phosphor/recipes-core | |
| parent | 5b9ede0403237c7dace972affa65cf64a1aadd0e (diff) | |
| download | openbmc-1a4b7ee28bf7413af6513fb45ad0d0736048f866.tar.xz | |
reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-phosphor/recipes-core')
8 files changed, 51 insertions, 225 deletions
diff --git a/meta-phosphor/recipes-core/busybox/busybox/0001-Stop-watchdog-first-on-startup.patch b/meta-phosphor/recipes-core/busybox/busybox/0001-Stop-watchdog-first-on-startup.patch deleted file mode 100644 index 7128b8108..000000000 --- a/meta-phosphor/recipes-core/busybox/busybox/0001-Stop-watchdog-first-on-startup.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a4c493ae42926ab36fdc805a5da9f0682bb98b45 Mon Sep 17 00:00:00 2001 -From: Matt Spinler <spinler@us.ibm.com> -Date: Tue, 13 Jun 2017 15:26:49 -0500 -Subject: [PATCH] Stop watchdog first on startup - -Some watchdog implementations may do things other than issue -a reboot on a watchdog timeout. In this case, there's the -possibility of restarting this program from the state of -the watchdog device not being properly stopped (done by writing -a 'V' and closing the device). Since it wasn't stopped, the -driver may not be able to restart the watchdog when this program -reopens it and starts pinging it. - -To fix this, the code will always first issue the stop when it -starts up. - -Signed-off-by: Matt Spinler <spinler@us.ibm.com> ---- - miscutils/watchdog.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/miscutils/watchdog.c b/miscutils/watchdog.c -index 07ae64e52..223e3c32d 100644 ---- a/miscutils/watchdog.c -+++ b/miscutils/watchdog.c -@@ -53,6 +53,24 @@ static void watchdog_shutdown(int sig UNUSED_PARAM) - _exit(EXIT_SUCCESS); - } - -+static void watchdog_open(const char* device) -+{ -+ static const char magic_value = 'V'; -+ -+ /* If the watchdog driver can do something other than cause a reboot -+ * on a timeout, then it's possible this program may be starting from -+ * a state when the watchdog hadn't been previously stopped with -+ * the magic write followed by a close. In this case the driver may -+ * not start properly, so always do the proper stop first just in case. -+ */ -+ -+ /* Use known fd # - avoid needing global 'int fd' */ -+ xmove_fd(xopen(device, O_WRONLY), 3); -+ write(3, &magic_value, 1); -+ close(3); -+ xmove_fd(xopen(device, O_WRONLY), 3); -+} -+ - int watchdog_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; - int watchdog_main(int argc, char **argv) - { -@@ -88,8 +106,7 @@ int watchdog_main(int argc, char **argv) - - bb_signals(BB_FATAL_SIGS, watchdog_shutdown); - -- /* Use known fd # - avoid needing global 'int fd' */ -- xmove_fd(xopen(argv[argc - 1], O_WRONLY), 3); -+ watchdog_open(argv[argc - 1]); - - /* WDIOC_SETTIMEOUT takes seconds, not milliseconds */ - htimer_duration = htimer_duration / 1000; --- -2.11.0 - diff --git a/meta-phosphor/recipes-core/busybox/busybox_%.bbappend b/meta-phosphor/recipes-core/busybox/busybox_%.bbappend index cc88bcc40..8907b08e0 100644 --- a/meta-phosphor/recipes-core/busybox/busybox_%.bbappend +++ b/meta-phosphor/recipes-core/busybox/busybox_%.bbappend @@ -2,5 +2,4 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://busybox.cfg" SRC_URI += "file://flash.cfg" SRC_URI += "file://mountpoint.cfg" -SRC_URI += "file://0001-Stop-watchdog-first-on-startup.patch" SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'obmc-ubi-fs', '', 'file://reboot.cfg', d)}" diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch b/meta-phosphor/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch deleted file mode 100644 index e32baec83..000000000 --- a/meta-phosphor/recipes-core/dropbear/dropbear/0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 95eff1ca0beea55259c2cdc7f1bb9f930bf57bc8 Mon Sep 17 00:00:00 2001 -From: CamVan Nguyen <ctnguyen@us.ibm.com> -Date: Tue, 13 Feb 2018 15:37:47 -0600 -Subject: [PATCH 1/1] Only load dropbear default host keys if a key is not - specified - ---- - svr-runopts.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/svr-runopts.c b/svr-runopts.c -index 8f60059..c5c2148 100644 ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -488,17 +488,21 @@ void load_all_hostkeys() { - m_free(hostkey_file); - } - -+ /* Only load default host keys if a host key is not specified by the -+ * user */ -+ if (0 == svr_opts.num_hostkey_files) { - #ifdef DROPBEAR_RSA -- loadhostkey(RSA_PRIV_FILENAME, 0); -+ loadhostkey(RSA_PRIV_FILENAME, 0); - #endif - - #ifdef DROPBEAR_DSS -- loadhostkey(DSS_PRIV_FILENAME, 0); -+ loadhostkey(DSS_PRIV_FILENAME, 0); - #endif - - #ifdef DROPBEAR_ECDSA -- loadhostkey(ECDSA_PRIV_FILENAME, 0); -+ loadhostkey(ECDSA_PRIV_FILENAME, 0); - #endif -+ } - - #ifdef DROPBEAR_DELAY_HOSTKEY - if (svr_opts.delay_hostkey) { --- -1.8.2.2 - diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch b/meta-phosphor/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch deleted file mode 100644 index 88d0ac0bb..000000000 --- a/meta-phosphor/recipes-core/dropbear/dropbear/0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch +++ /dev/null @@ -1,91 +0,0 @@ -From b4e094381ec846f4387dc6a3c210c2205a8db58a Mon Sep 17 00:00:00 2001 -From: Jeremy Kerr <jk@ozlabs.org> -Date: Tue, 12 Apr 2016 11:11:40 +0800 -Subject: [PATCH] dropbear: Add -c <command> option to force a specific command - -This change adds a -c option to dropbear, to force the session to use a -specific command, in a similar fashion to OpenSSH's ForceCommand -configuration option. - -This is useful to provide a simple fixed service over ssh, without -requiring an authorized key file for the per-key forced_command option. - -This setting takes precedence over the channel session's provided -command, and the per-key forced_command setting. - -Signed-off-by: Jeremy Kerr <jk@ozlabs.org> ---- - runopts.h | 2 ++ - svr-chansession.c | 12 ++++++++++-- - svr-runopts.c | 5 +++++ - 3 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/runopts.h b/runopts.h -index f7c869d..ffb573e 100644 ---- a/runopts.h -+++ b/runopts.h -@@ -114,6 +114,8 @@ typedef struct svr_runopts { - buffer * banner; - char * pidfile; - -+ char * command; -+ - } svr_runopts; - - extern svr_runopts svr_opts; -diff --git a/svr-chansession.c b/svr-chansession.c -index bfaf7f6..d6c9330 100644 ---- a/svr-chansession.c -+++ b/svr-chansession.c -@@ -671,8 +671,16 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, - } - } - -- /* take public key option 'command' into account */ -- svr_pubkey_set_forced_command(chansess); -+ -+ /* take global command into account */ -+ if (svr_opts.command) { -+ chansess->original_command = chansess->cmd ? : m_strdup(""); -+ chansess->cmd = m_strdup(svr_opts.command); -+ } else { -+ /* take public key option 'command' into account */ -+ svr_pubkey_set_forced_command(chansess); -+ } -+ - - #ifdef LOG_COMMANDS - if (chansess->cmd) { -diff --git a/svr-runopts.c b/svr-runopts.c -index 8f60059..f845300 100644 ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -79,6 +79,7 @@ static void printhelp(const char * progname) { - #ifdef ENABLE_SVR_REMOTETCPFWD - "-k Disable remote port forwarding\n" - "-a Allow connections to forwarded ports from any host\n" -+ "-c command Force executed command\n" - #endif - "-p [address:]port\n" - " Listen on specified tcp port (and optionally address),\n" -@@ -125,6 +126,7 @@ void svr_getopts(int argc, char ** argv) { - /* see printhelp() for options */ - svr_opts.bannerfile = NULL; - svr_opts.banner = NULL; -+ svr_opts.command = NULL; - svr_opts.forkbg = 1; - svr_opts.norootlogin = 0; - svr_opts.noauthpass = 0; -@@ -177,6 +179,9 @@ void svr_getopts(int argc, char ** argv) { - case 'b': - next = &svr_opts.bannerfile; - break; -+ case 'c': -+ next = &svr_opts.command; -+ break; - case 'd': - case 'r': - next = &keyfile; --- -2.5.0 - diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h new file mode 100644 index 000000000..8aec3b3a7 --- /dev/null +++ b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h @@ -0,0 +1,6 @@ +// Disable CBC ciphers for modern security. +#define DROPBEAR_ENABLE_CBC_MODE 0 + +#define DROPBEAR_SHA1_96_HMAC 0 +#define DROPBEAR_SHA2_256_HMAC 1 +#define DROPBEAR_SHA2_512_HMAC 1 diff --git a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend index 80714977b..cab454af2 100644 --- a/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend +++ b/meta-phosphor/recipes-core/dropbear/dropbear_%.bbappend @@ -3,5 +3,4 @@ # to yocto 2.5 or later which will pull in the latest dropbear code. FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" SRC_URI += "file://dropbearkey.service \ - file://0001-dropbear-Add-c-command-option-to-force-a-specific-co.patch \ - file://0001-Only-load-dropbear-default-host-keys-if-a-key-is-not.patch" + file://localoptions.h" diff --git a/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend b/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend deleted file mode 100644 index 0bcdf6f93..000000000 --- a/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend +++ /dev/null @@ -1,4 +0,0 @@ -# TODO: Dropbear 2018.76 controls options in a different way. See -# https://github.com/openbmc/openbmc/issues/3186 -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://options.patch" diff --git a/meta-phosphor/recipes-core/systemd/systemd/0006-core-fix-the-check-if-CONFIG_CGROUP_BPF-is-on.patch b/meta-phosphor/recipes-core/systemd/systemd/0006-core-fix-the-check-if-CONFIG_CGROUP_BPF-is-on.patch index fc3f9e1ee..3645100ab 100644 --- a/meta-phosphor/recipes-core/systemd/systemd/0006-core-fix-the-check-if-CONFIG_CGROUP_BPF-is-on.patch +++ b/meta-phosphor/recipes-core/systemd/systemd/0006-core-fix-the-check-if-CONFIG_CGROUP_BPF-is-on.patch @@ -1,6 +1,6 @@ -From 501fa6c60d303f0d6e747939172281d77247626e Mon Sep 17 00:00:00 2001 -From: Alexander Filippov <a.filippov@yadro.com> -Date: Mon, 17 Sep 2018 13:33:06 +0300 +From 4ea79c18f1e2081d59eaa0f1df479dbc7700779e Mon Sep 17 00:00:00 2001 +From: Ed Tanous <ed.tanous@intel.com> +Date: Sun, 16 Dec 2018 18:27:06 -0800 Subject: [PATCH] core: fix the check if CONFIG_CGROUP_BPF is on Since the commit torvalds/linux@fdb5c4531c1e0e50e609df83f736b6f3a02896e2 @@ -14,16 +14,19 @@ which is still work as expected. Resolves openbmc/linux#159 See also systemd/systemd#7054 -Signed-off-by: Alexander Filippov <a.filippov@yadro.com> +Originally written by: +Alexander Filippov <a.filippov@yadro.com> + +Signed-off-by: Ed Tanous <ed.tanous@intel.com> --- - src/core/bpf-firewall.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) + src/core/bpf-firewall.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c -index f3f40fb0e8..51dc5b9506 100644 +index 8b66ef73d..e68b70d0c 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c -@@ -658,7 +658,7 @@ int bpf_firewall_supported(void) { +@@ -660,7 +660,7 @@ int bpf_firewall_supported(void) { * b) whether the unified hierarchy is being used * c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require * d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require @@ -32,7 +35,7 @@ index f3f40fb0e8..51dc5b9506 100644 * */ -@@ -711,7 +711,7 @@ int bpf_firewall_supported(void) { +@@ -714,7 +714,7 @@ int bpf_firewall_supported(void) { * is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF * program if we can't do a thing with it later? * @@ -41,24 +44,43 @@ index f3f40fb0e8..51dc5b9506 100644 * CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the * parameters are validated however, and that'll fail with EBADF then. */ -@@ -721,14 +721,14 @@ int bpf_firewall_supported(void) { +@@ -724,15 +724,15 @@ int bpf_firewall_supported(void) { .attach_bpf_fd = -1, }; -- r = bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)); -+ r = bpf(BPF_PROG_DETACH, &attr, sizeof(attr)); - if (r < 0) { - if (errno == EBADF) /* YAY! */ - return supported = true; +- if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) { ++ if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) { + if (errno != EBADF) { +- log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m"); ++ log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m"); + return supported = BPF_FIREWALL_UNSUPPORTED; + } + + /* YAY! */ + } else { +- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); ++ log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); + return supported = BPF_FIREWALL_UNSUPPORTED; + } + +@@ -748,7 +748,7 @@ int bpf_firewall_supported(void) { + .attach_flags = BPF_F_ALLOW_MULTI, + }; -- log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m"); -+ log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m"); - } else -- log_debug("Wut? kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); -+ log_debug("Wut? kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); +- if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) { ++ if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) { + if (errno == EBADF) { + log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!"); + return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI; +@@ -761,7 +761,7 @@ int bpf_firewall_supported(void) { - return supported = false; + return supported = BPF_FIREWALL_SUPPORTED; + } else { +- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); ++ log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); + return supported = BPF_FIREWALL_UNSUPPORTED; + } } -- -2.14.4 +2.17.1 |