authorAndrew Geissler <geissonator@yahoo.com>2021-04-15 23:52:46 +0300
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2021-04-19 16:32:18 +0300
commitf1e440673465aa768f31e78c0c201002f9f767b7 (patch)
tree44dffb1d845b35c3f4bf0629a622d8ae04abda41 /meta-security/meta-tpm
parent636aaa195862ab9a5442c3178e38266debab3bff (diff)
meta-security: subtree update:775870980b..ca9264b1e1
Anton Antonov (4): Use libest "main" branch instead of "master". Add meta-parsec layer into meta-security. Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI Clearly define clang toolchain in Parsec recipes Armin Kuster (16): packagegroup-core-security: drop clamav-cvd clamav: upgrade 104.0 python3-privacyidea: upgrade 3.5.1 -> 3.5.2 clamav: fix systemd service install swtpm: now need python-cryptography, pull in layer swtpm: file pip3 issue swtpm: fix check for tscd deamon on host python3-suricata-update: update to 1.2.1 suricata: update to 6.0.2 layer.conf: add dynamic-layer for rust pkg README: cleanup .gitlab-ci.yml: reorder to speed up builds kas-security-base.yml: tweek build vars gitlab-ci: fine tune order clamav: remove rest of mirror.dat ref lkrg-module: Add Linux Kernel Runtime Guard Ming Liu (2): meta: drop IMA_POLICY from policy recipes initramfs-framework-ima: introduce IMA_FORCE Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: Ifac35a0d7b7e724f1e30dce5f6634d5d4fc9b5b9
Diffstat (limited to 'meta-security/meta-tpm')
-rw-r--r--meta-security/meta-tpm/conf/layer.conf1
-rw-r--r--meta-security/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch65
-rw-r--r--meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb7
3 files changed, 70 insertions, 3 deletions
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 65788eb0e..1b766cba2 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -13,6 +13,7 @@ LAYERSERIES_COMPAT_tpm-layer = "hardknott"
LAYERDEPENDS_tpm-layer = " \
core \
openembedded-layer \
+ meta-python \
"
BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch b/meta-security/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
new file mode 100644
index 000000000..5aee933b9
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/files/oe_configure.patch
@@ -0,0 +1,65 @@
+Don't check for tscd deamon on host.
+
+Upstream-Status: OE Specific
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -179,15 +179,6 @@ AC_SUBST([LIBTPMS_LIBS])
+ AC_CHECK_LIB(c, clock_gettime, LIBRT_LIBS="", LIBRT_LIBS="-lrt")
+ AC_SUBST([LIBRT_LIBS])
+
+-AC_PATH_PROG([TCSD], tcsd)
+-if test "x$TCSD" = "x"; then
+- have_tcsd=no
+- AC_MSG_WARN([tcsd could not be found; typically need it for tss user account and tests])
+-else
+- have_tcsd=yes
+-fi
+-AM_CONDITIONAL([HAVE_TCSD], test "$have_tcsd" != "no")
+-
+ dnl We either need netstat (more common across systems) or 'ss' for test cases
+ AC_PATH_PROG([NETSTAT], [netstat])
+ if test "x$NETSTAT" = "x"; then
+@@ -440,23 +431,6 @@ AC_ARG_WITH([tss-group],
+ [TSS_GROUP="tss"]
+ )
+
+-case $have_tcsd in
+-yes)
+- AC_MSG_CHECKING([whether TSS_USER $TSS_USER is available])
+- if ! test $(id -u $TSS_USER); then
+- AC_MSG_ERROR(["$TSS_USER is not available"])
+- else
+- AC_MSG_RESULT([yes])
+- fi
+- AC_MSG_CHECKING([whether TSS_GROUP $TSS_GROUP is available])
+- if ! test $(id -g $TSS_GROUP); then
+- AC_MSG_ERROR(["$TSS_GROUP is not available"])
+- else
+- AC_MSG_RESULT([yes])
+- fi
+- ;;
+-esac
+-
+ AC_SUBST([TSS_USER])
+ AC_SUBST([TSS_GROUP])
+
+Index: git/tests/Makefile.am
+===================================================================
+--- git.orig/tests/Makefile.am
++++ git/tests/Makefile.am
+@@ -83,10 +83,6 @@ TESTS += \
+ test_tpm2_swtpm_cert \
+ test_tpm2_swtpm_cert_ecc \
+ test_tpm2_swtpm_setup_create_cert
+-if HAVE_TCSD
+-TESTS += \
+- test_tpm2_samples_create_tpmca
+-endif
+ endif
+
+ EXTRA_DIST=$(TESTS) \
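Review bot: The patch header documents only the tcsd probe, but the second configure.ac hunk also deletes the `id -u $TSS_USER` / `id -g $TSS_GROUP` existence checks, and the tests/Makefile.am hunk drops `test_tpm2_samples_create_tpmca` unconditionally, so the tss account is no longer verified at configure time and the header should say so. A description such as `Drop host-side tcsd, TSS_USER and TSS_GROUP probes; the target account comes from USERADD_PARAM in the recipe` would make the intent auditable. `Upstream-Status: OE Specific` is not one of the values the OE patch guidelines accept; the usual form is `Upstream-Status: Inappropriate [oe specific]`. Only tests/Makefile.am is adjusted here, so confirm that no other Makefile.am in the swtpm tree still references `HAVE_TCSD`, because automake would fail now that the AM_CONDITIONAL is gone.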
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
index b7ff2ad59..caf99e823 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
@@ -7,18 +7,19 @@ DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libt
# configure checks for the tools already during compilation and
# then swtpm_setup needs them at runtime
-DEPENDS += "tpm-tools-native expect-native socat-native"
+DEPENDS_append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native"
SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464"
SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \
file://ioctl_h.patch \
+ file://oe_configure.patch \
"
PE = "1"
S = "${WORKDIR}/git"
-inherit autotools pkgconfig python3-dir
PARALLEL_MAKE = ""
+inherit autotools pkgconfig python3native
TSS_USER="tss"
TSS_GROUP="tss"
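Review bot: The new `DEPENDS_append` adds `python3-pip-native` and `python3-cryptography-native`, which covers the build host only, while the comment two lines up says swtpm_setup needs the tools at runtime. No matching `RDEPENDS` is visible in this hunk (the rest of the recipe is outside it), so confirm that `${PN}-python` carries a runtime dependency on `python3-cryptography`. Bringing pip into the build also deserves a comment: if swtpm's install step calls pip3, it should run with `--no-index --no-deps` so nothing is resolved from PyPI outside the fetcher's pinned SRCREV. Switching from `DEPENDS +=` to `DEPENDS_append` is not needed for this change and makes the value harder to adjust from a bbappend; `DEPENDS += "..."` would keep the existing style.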
@@ -41,7 +42,7 @@ USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir \
PACKAGES =+ "${PN}-python"
-FILES_${PN}-python = "${nonarch_libdir}/${PYTHON_PN}/dist-packages/* "
+FILES_${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
PACKAGE_BEFORE_PN = "${PN}-cuse"
FILES_${PN}-cuse = "${bindir}/swtpm_cuse"